Hundreds of orgs targeted with emails aimed at stealing NTLM authentication hashes

A threat actor specializing in establishing initial access to target organizations’ computer systems and networks is using booby-trapped email attachments to steal employees’ NTLM hashes.

Why are they after NTLM hashes?

NT LAN Manager (NTLM) hashes contain users’ (encoded) passwords.

“User authentication in Windows is used to prove to a remote system that a user is who they say they are. NTLM does this by proving knowledge of a password during a challenge and response exchange without revealing the password to anyone,” Microsoft said in a recent post that announced their goal to deprecate NTLM use in favor of Kerberos – a more modern, extensible and secure authentication protocol.

“These hashes could be exploited for password cracking or facilitate ‘Pass-The-Hash’ attacks using other vulnerabilities within the targeted organization to move laterally within an impacted environment,” Proofpoint researchers have noted. (Though cracking the password is not enough to gain access to accounts with multi-factor authentication switched on.)

Varonis Threat Labs researchers have recently documented alternative tricks attackers use to grab NTLM password hashes.

How a phishing email allows them to steal NTLM hashes?

According to the researchers, in late February 2024 the threat actor (marked as TA577) sent out tens of thousands of emails targeting employees of hundreds of organizations around the world.

The emails looked like they were replies to previous emails, and directed the potential victims to download and open the attached ZIP archive file.

The phishing email (Source: Proofpoint)

“When opened, the HTML file triggered a system connection attempt to a Server Message Block (SMB) server via a meta refresh to a file scheme URI ending in .txt. That is, the file would automatically contact an external SMB resource owned by the threat actor,” the researchers explained.

No actual malware was used in the attack – the attackers only wanted to capture NTLMv2 challenge/response pairs from the SMB server to steal NTLM hashes.

“Any allowed connection attempt to these SMB servers could potentially compromise NTLM hashes, along with revealing other sensitive information such as computer names, domain names, and usernames in clear text,” they noted.

This additional information can also provide some insight into the targeted organization and whether it’s worth to continue the compromise and drop additional malware/ransomware.

Advice for organizations

TA577 is known for delivering malware loader – QBot (Qakbot) in the past and, more recently, Pikabot – but this is the first time they’ve been spotted trying to steal NTLM credentials.

“The rate at which TA577 adopts and distributes new tactics, techniques, and procedures (TTPs) suggests the threat actor likely has the time, resources, and experience to rapidly iterate and test new delivery methods,” the researchers noted, and said that they’ve also seen “an increase in multiple threat actors abusing file scheme URIs to direct recipients to external file shares such as SMB and WebDAV to access remote content for malware delivery.”

To foil those attempts, organizations should block outbound SMB connections, they advised.

“Disabling guest access to SMB does not mitigate the attack, since the file must attempt to authenticate to the external SMB server to determine if it should use guest access,” they added.