Security News > 2024 > March > Hundreds of orgs targeted with emails aimed at stealing NTLM authentication hashes

A threat actor specializing in establishing initial access to target organizations' computer systems and networks is using booby-trapped email attachments to steal employees' NTLM hashes.

"User authentication in Windows is used to prove to a remote system that a user is who they say they are. NTLM does this by proving knowledge of a password during a challenge and response exchange without revealing the password to anyone," Microsoft said in a recent post that announced their goal to deprecate NTLM use in favor of Kerberos - a more modern, extensible and secure authentication protocol.

"These hashes could be exploited for password cracking or facilitate 'Pass-The-Hash' attacks using other vulnerabilities within the targeted organization to move laterally within an impacted environment," Proofpoint researchers have noted.

Varonis Threat Labs researchers have recently documented alternative tricks attackers use to grab NTLM password hashes.

According to the researchers, in late February 2024 the threat actor sent out tens of thousands of emails targeting employees of hundreds of organizations around the world.

No actual malware was used in the attack - the attackers only wanted to capture NTLMv2 challenge/response pairs from the SMB server to steal NTLM hashes.

News URL

https://www.helpnetsecurity.com/2024/03/05/steals-ntlm-hashes-email/