Russian Hackers Unleash RAT Malware Through New NTLM Vulnerability via Phishing Emails
week.
Attack Details
The threat group, dubbed ‘Fancy Bear’ by cybersecurity researchers, exploited the NTLM vulnerability by initiating a man-in-the-middle (MitM) attack to impersonate a legitimate domain controller.
The actor then induced victims’ systems to send an NTLM authentication request over a network connection, eventually capturing an NTLM hash without the need for physical access to the machine.
The captured hash was then used for malicious purposes, mainly deploying a Remote Access Trojan (RAT) via phishing emails, giving the attackers covert, remote access to the victims’ computers.
The RAT most commonly distributed was Le Chiffre, known for its keylogging and spyware capabilities.
Technical Breakdown
The attack follows a sequenced pattern.
An initial email is sent to the victim, carrying a malicious link or attachment, which when accessed, exploits the NTLM flaw.
The unsuspecting victim, assuming it to be legitimate, sends an NTLM authenticate message which is intercepted, and the hash value is extracted.
Once the attackers are in possession of the NTLM hash, they can use a technique called Pass-the-Hash to authenticate themselves on the network, impersonating the victim’s identity.
The Le Chiffre RAT is then masked in an email, seemingly from a trusted source, and sent to the user to establish a backdoor for persistent, remote access.
Mitigation Measures
Given the concerning nature of this attack, it is crucial for businesses and individuals to ensure they have installed the recent Microsoft patches that address this NTLM security vulnerability.
Furthermore, they should adopt best practices in cybersecurity hygiene.
Employing reliable cybersecurity solutions, providing extensive staff training, and maintaining a healthy skepticism towards unexpected emails will contribute significantly towards safeguarding systems against such sophisticated threats.
It is also recommended to disable NTLM where it is not needed and instead rely on Kerberos, a more secure authentication protocol.
Limiting inbound NTLM traffic to an essential minimum and adopting network-level authentication can further help mitigate the risk.
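As an added example (not code from the article), the PowerShell audit below checks whether a Windows host's NTLM settings match the guidance above; it assumes the documented Lsa registry values, that Kerberos is already in place for the domain, and that it is run in an elevated session.

```powershell
# Added example: audit NTLM hardening state on a Windows host.
# Registry paths and value names are the documented Windows Lsa / MSV1_0 policy settings.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = Join-Path $lsa 'MSV1_0'

function Get-RegValueOrDefault {
    param([string]$Path, [string]$Name, [int]$Default)
    # "Default" is the value Windows applies when the registry value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default } else { return [int]$item.$Name }
}

# Target values assume no legacy NTLM-only clients remain (assumption, adjust per environment).
$checks = @(
    @{ Name = 'LmCompatibilityLevel';         Path = $lsa; Default = 3; Want = 5;
       Note = '5 = send NTLMv2 only, refuse LM and NTLMv1 responses' },
    @{ Name = 'RestrictReceivingNTLMTraffic'; Path = $msv; Default = 0; Want = 2;
       Note = '2 = deny all inbound NTLM (1 = deny domain accounts only)' },
    @{ Name = 'RestrictSendingNTLMTraffic';   Path = $msv; Default = 0; Want = 2;
       Note = '2 = deny outbound NTLM to remote servers (1 = audit only)' },
    @{ Name = 'AuditReceivingNTLMTraffic';    Path = $msv; Default = 0; Want = 2;
       Note = '2 = audit all inbound NTLM into Microsoft-Windows-NTLM/Operational' }
)

$results = foreach ($c in $checks) {
    $actual = Get-RegValueOrDefault -Path $c.Path -Name $c.Name -Default $c.Default
    [pscustomobject]@{
        Setting = $c.Name
        Actual  = $actual
        Wanted  = $c.Want
        Status  = if ($actual -ge $c.Want) { 'OK' } else { 'WEAK' }
        Note    = $c.Note
    }
}
$results | Format-Table -AutoSize

# With auditing enabled, events 8001-8004 show which hosts and accounts still rely on
# NTLM, so inbound/outbound restrictions can be moved from audit to deny safely.
$filter = @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001, 8002, 8003, 8004 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue
if ($events) { $events | Select-Object TimeCreated, Id, Message | Format-List }
else { Write-Host 'No NTLM audit events found (auditing may be off or the log empty).' }
```

Run it on a representative set of hosts first; a WEAK result on RestrictSendingNTLMTraffic is the one most directly relevant to the hash-capture step described above.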
Follow-Up Reading