A newly patched security flaw in Windows NT LAN Manager (NTLM) has recently come under the spotlight due to its exploitation as a zero-day vulnerability by a suspected Russia-linked cyber actor. This flaw, identified as CVE-2024-43451 and carrying a CVSS score of 6.5, enables attackers to steal a user’s NTLMv2 hash with minimal user interaction with a malicious file. Such actions could include selecting, inspecting, or performing non-opening actions. The vulnerability’s nature emphasizes the increasing sophistication and evolution of cyber threats, posing significant risks, particularly to high-value targets like governmental entities.
Israeli cybersecurity company ClearSky uncovered the zero-day exploitation back in June 2024, noting that it had been used to deploy the open-source Spark RAT malware. The malicious files were found hosted on an official Ukrainian government website intended for downloading academic certificates. Attackers leveraged this platform to execute their sequence of attacks, making it harder for victims to suspect foul play. The attack methodology involved phishing emails that were sent from a compromised Ukrainian government server. Recipients of these emails were coerced into renewing their certificates via a booby-trapped URL, leading to the download of a ZIP archive containing a harmful internet shortcut file (.URL). Interaction with this file would then trigger the NTLM vulnerability, establishing a connection with a remote server to download additional payloads, including Spark RAT.
Exploitation and Cyber Threats
ClearSky’s analysis further noted that sandbox execution detected attempts to pass the NTLM hash through the SMB protocol, a method potentially enabling a Pass-the-Hash attack. This level of exploitation underscores the evolving nature of cyber threats and the strategies employed by threat actors. The Computer Emergency Response Team of Ukraine (CERT-UA) has attributed this activity to a likely Russian threat actor, designated UAC-0194. This identification not only points to the potential political motivations behind the cyber attacks but also the increasing complexity of international cyber conflict scenarios.
Moreover, CERT-UA has issued warnings regarding other phishing campaigns with tax-related lures, believed to be conducted by another threat actor, UAC-0050. These campaigns aim to spread LiteManager, a legitimate remote desktop software, to facilitate financially motivated attacks. The primary targets of these attacks appear to be accountants working with remote banking systems. Successful initial attacks can lead to the rapid theft of funds, often within an hour of compromise. These campaigns reflect a multifaceted threat landscape where cyber actors employ a variety of tools and techniques for different goals, from espionage to financial theft.
Implications and Future Steps
A recently patched security vulnerability in Windows NT LAN Manager (NTLM), known as CVE-2024-43451, has come into focus after being exploited as a zero-day by a suspected Russia-linked hacker. With a CVSS score of 6.5, this flaw allows attackers to capture a user’s NTLMv2 hash with minimal user interaction through a malicious file. Actions such as selecting or inspecting the file, without opening it, are sufficient for exploitation. This vulnerability highlights the increasing sophistication of cyber threats, posing severe risks to high-value targets like government entities.
Israeli cybersecurity firm ClearSky discovered the zero-day exploit in June 2024, revealing its use in deploying Spark RAT malware. The malicious files were hosted on an official Ukrainian government site meant for downloading academic certificates. Hackers used phishing emails sent from a compromised Ukrainian server. These emails urged recipients to renew certificates via a tampered URL, leading to a ZIP file housing a hazardous internet shortcut file (.URL). Interaction with this file activates the NTLM vulnerability, establishing a connection with a remote server to download further payloads, including Spark RAT.