Hackers steal Windows NTLM authentication hashes in phishing attacks (Security News, March 2024)
The hacking group known as TA577 has recently shifted tactics by using phishing emails to steal NT LAN Manager authentication hashes to perform account hijacks.
NTLM hashes are used in Windows for authentication and session security and can be captured for offline password cracking to obtain the plaintext password.
When the Windows device connects to the attacker-controlled server, it automatically attempts an NTLMv2 challenge/response, which lets that remote server capture the NTLM authentication hashes.
Proofpoint mentions specific artifacts present on the SMB servers that are generally non-standard, such as the open-source toolkit Impacket, which is an indication those servers are used in phishing attacks.
Sending NTLM hashes to remote servers can also be blocked by configuring the Windows group policy 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers'.
For organizations using Windows 11, Microsoft introduced an additional security feature that blocks NTLM-based attacks over SMB, which would be an effective solution.
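To make the group-policy mitigation above actionable, the following added PowerShell (not from the article or from Proofpoint) reads and sets the registry value behind that policy, lists the audit events that show which outgoing NTLM authentications would be blocked, and, on builds where the SMB client cmdlet exposes a BlockNTLM parameter (an assumption about the Windows 11 feature mentioned), enables SMB client NTLM blocking.

```powershell
# Added example: audit, then restrict, outgoing NTLM on a Windows endpoint.
# This is the registry value behind the GPO "Network security: Restrict NTLM:
# Outgoing NTLM traffic to remote servers".
$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Name = 'RestrictSendingNTLMTraffic'
$Levels = @{ 0 = 'Allow all (default: hashes leave the host)'; 1 = 'Audit all'; 2 = 'Deny all' }

function Get-OutgoingNtlmPolicy {
    $v = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { $v = 0 }   # an absent value means the default: allow
    [pscustomobject]@{ Value = $v; Meaning = $Levels[[int]$v] }
}

function Set-OutgoingNtlmPolicy {
    param([ValidateSet(0, 1, 2)][int]$Level)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name $Name -Value $Level -Type DWord
}

# In audit mode (1) Windows writes event 8001 to the NTLM operational log for
# every outgoing NTLM authentication, so you can see which legitimate remote
# servers would break before moving to Deny (2).
function Get-OutgoingNtlmAuditEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'Message'; e = { $_.Message -replace "`r?`n", ' ' } }
}

# SMB client NTLM blocking on newer Windows 11 / Server builds. The -BlockNTLM
# parameter is assumed to exist there; on older builds the function skips it.
function Enable-SmbClientNtlmBlock {
    $cmd = Get-Command Set-SmbClientConfiguration -ErrorAction SilentlyContinue
    if ($cmd -and $cmd.Parameters.ContainsKey('BlockNTLM')) {
        Set-SmbClientConfiguration -BlockNTLM $true -Force
        return $true
    }
    return $false
}

Get-OutgoingNtlmPolicy
Set-OutgoingNtlmPolicy -Level 1        # start in audit; review 8001 events, then set 2
Get-OutgoingNtlmAuditEvents | Format-Table -AutoSize
Enable-SmbClientNtlmBlock
```

Run from an elevated prompt; in a domain, set the same value through the GPO rather than per host so it is enforced consistently.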