The hacking group TA577, previously associated with Qbot and Black Basta ransomware, has shifted tactics towards phishing, specifically targeting NTLM authentication hashes for account hijacks. Recent campaigns, observed on February 26 and 27, 2024, have seen widespread distribution of emails globally, aiming to exploit recipients’ NTLM hashes to gain unauthorized access within compromised networks. Proofpoint’s analysis underscores the group’s evolving sophistication, with tactics such as thread hijacking and the use of unique ZIP archives to deploy malicious HTML files.
Proofpoint’s report reveals the intricacies of TA577’s phishing campaign, where phishing emails masquerade as replies to previous discussions, a technique known as thread hijacking. These emails contain unique ZIP archives housing HTML files designed to trigger automatic connections to external SMB servers upon opening. Through these connections, the attackers can steal NTLM authentication hashes, potentially enabling them to escalate privileges, hijack accounts, and access sensitive information within compromised networks.
Cybersecurity professionals have highlighted the significance of disabling multi-factor authentication (MFA) for threat actors to utilize stolen NTLM hashes effectively. However, the primary goal of the phishing campaign seems to be capturing NTLM hashes, as no malware payloads were delivered through the URLs. Additionally, researchers suggest that stolen hashes could serve as reconnaissance tools for identifying valuable targets within compromised networks.
To mitigate such attacks, organizations are advised to implement protective measures such as email filtering to block messages containing zipped HTML files, configure firewalls to block outbound SMB connections, and restrict outgoing NTLM traffic to remote servers. Furthermore, Microsoft’s introduction of additional security features for Windows 11 users to block NTLM-based attacks over SMBs is cited as an effective solution against such threats.
