Search
Close this search box.
A red-tinted HTML code snippet. The document structure includes ``, ``, and `` tags. A meta tag within the head section sets `url="file://66.63.188.19/bmnksw/2.txt"`. The body contains a div with placeholder text, highlighting a potential cyberthreat risk if accessed improperly.

A Thread Hijacking Attack Targets IT Networks and Stealing NTLM Hashes

NewsroomEmail Security / Network Security Mar 05, 2024

In phishing emails, the threat actor known as TA577 has been spotted stealing NT LAN Manager (NTLM) hashes by using ZIP archive attachments.

Enterprise security firm Proofpoint stated in a report released on Monday that the new attack chain” can be used for sensitive information gathering purposes and to enable follow-on activity.”

On February 26, 2024, at least two campaigns, according to the company, took advantage of this strategy. The phishing waves targeted hundreds of organizations all over the world and distributed thousands of messages.

Cybersecurity

In an effort to boost the success of the attacks, the messages themselves appeared as responses to earlier emails using a technique known as thread hijacking.

An HTML file that is intended to contact an actor-controlled Server Message Block ( SMB) server comes with the ZIP attachments, which are the most popular delivery methods.

According to the company, “TA577’s goal is to steal NTLMv2 Challenge/Response pairs from the SMB server in order to steal NTLM hashes,” which could then be used for pass-the-hath ( PtH ) attacks.

Thread Hijacking Attack

In order to authenticate a session in a network and gain unauthorized access to valuable data, adversaries who are in possession of a password hash do n’t need the underlying password.

One of the most sophisticated cybercrime organizations is TA577, which overlaps with a Trend Micro activity cluster known as Water Curupira. In the past, it has been linked to the distribution of malware families like QakBot and PikaBot.

Cybersecurity

According to Proofpoint,” the rate at which TA577 adopts and distributes new tactics, techniques, and procedures ( TTPs ) suggests the threat actor likely has the time, resources, and experience to quickly iterate and test new delivery techniques.”

Additionally, it noted that the threat actor was acutely aware of the shifts in the landscape of cyber threats and was working quickly to improve and modify its methods of delivery to avoid detection and drop a variety of payloads. To stop exploitation, organizations are highly advised to block outbound SMB.

I found this article to be interesting. Follow us on LinkedIn and Twitter to access more exclusive content.

Lean More About DoD Cybersecurity, Cyber Threats and Related Contents

Learn why IDShield offers the best security and value.

www.sentrypc.com

PureVPN - Best VPN and Your Trusted Partner for Internet Freedom

🔥BIG SAVINGS 82% Off PureVPN.🔥 Secure Your Online Privacy Now. LIMITED OFFER!

🔥 SAVE 82% OFF 🔥 on PureVPN! Limited Offer – Enhance Your Digital Security Today.
Click To View Offer on PureVPN Website

NordVPN - Your Passport to Unrestricted Freedom

Embrace Digital Freedom and Security with NordVPN.
🔥Up To 63% Off🔥

Start Today Your Journey to a Safer Internet Today!
Click To View Offer on NordVPN Website

Protect Your Data with DeleteMe the Go-To-Solution

DeleteMe is Your Guardian Against Identity Theft and Online Exposure!
🔥Take 20% Off - Click Here to View Code🔥
Malwarebytes Browser Guard filters out annoying ads and scams while blocking trackers that spy on you.
Malwarebytes for Home | Anti-Malware Premium | Free Trial Download
Try Ultahost - The best place to get secure, inexpensive shared web hosting services!
View deals and specials on Used Macs, Mac hardware, Mac accessories, and more. Shop now!

DoD Cybersecurity protecting your digital world one secure step at a time with DoD Cybersecurity Blogs.
DoDCybersecurityblogs.com | All Rights Reserved | Designed by Omar Solomon

Skip to content