Proofpoint Packages

Proofpoint Discloses Technique Pivot by Attacker Group TA577: Targeting Windows NTLM  

Share with your network!

Proofpoint was the first to uncover a concerning new development in the world of cyberthreats that involves a group known as TA577. These cybercriminals, which typically act as initial access brokers (IAB), have pivoted to attacking an old, but widely deployed Windows service to steal sensitive information.  

Specifically, they aim to steal at scale the hash of the NT LAN Manager (NTLM) authentication session details. Then it is expected that they either sell the data, or they exploit it for various downstream activities like stealing sensitive data and ransoming systems. The planned end result is the same, a significant business-impacting breach of the targeted organizations.  

How did the new attack happen?  

Proofpoint detected two distinct email-based campaigns that TA577 carried out on February 26 and 27, 2024. The campaigns targeted hundreds of businesses globally via tens of thousands of emails.  

The attackers cleverly disguised the emails as replies to previous emails. This is an effective social engineering tactic known as thread hijacking.  

The emails contained HTML attachments compressed into zip files. Each malicious attachment had its own unique identifier. And the HTML files contained within the attachment were customized for each recipient. Because all the hashes were unique, a simple signature-based detection system could not consistently detect and block these emails. 

When the email recipient opened the files, it triggered a connection to a Server Message Block (SMB) server that the threat actor controlled. No malware was directly delivered through these connections.  

However, the attackers’ objective was clear—to capture the details of the challenge/response transaction and the NTLM hashes of the user’s Windows machine, which include the user’s password authentication data. The attackers can use this data in the next stage of the attack either in hash form or by cracking the hash first to retrieve the password.  

Note: In this case, the use of multifactor authentication (MFA) would not stop the attack, as TA577 targeted previously authenticated users on active Windows machines. If targeted businesses used MFA, that authentication step would have already occurred; thus, it would not significantly hinder this attack.  

What was the attackers’ intent? 

As noted earlier, TA577 usually acts as an IAB. So, the group likely aimed to exploit the data that they collected by cracking password hashes or facilitating “pass-the-hash” attacks. They could sell access to other threat actors who seek to penetrate targeted companies’ networks more deeply. 

As part of our investigation, Proofpoint identified the use of a well-known toolkit, Impacket, on the SMB servers involved in the attack. This discovery further confirmed that the malicious intent behind TA577’s activities is to go well beyond the initial account or system compromise.    

What is especially concerning about this attack approach is that any connection to the SMB servers would compromise sensitive information that includes: 

  • Usernames 
  • Passwords 
  • Session hashes 
  • Domain names 
  • Computer names 

More troubling is the fact that the attackers delivered the malicious HTML files within zip archives. That means they bypassed measures in Outlook mail clients last patched before July 2023.  

If your email security provider did not block the inbound email and a user engaged with the message, your last hope to avoid the compromise is the timeliness of your software patching program.     

The impacts on businesses  

This attack is based on an old protocol (NTLM) from the 1990s. But this new twist by TA577 is noteworthy because it represents a departure from the group’s usual tactics of delivering malware and bots directly. It suggests that the group is adapting and evolving. They are seeking new ways to bypass security measures and monetize their campaigns.  

This cyberthreat poses a significant risk to businesses that run Microsoft Windows. Through the theft of NTLM authentication data, the attackers can gain direct access to hosts in the business. And they can use that access to escalate their privileges and make lateral moves and ultimately gain unauthorized access to sensitive information and systems. 

If the attackers can achieve undetected access to hosts in the network, they can expand their access to systems that manage confidential business data, financial records and intellectual property. They can also decide to ransom these systems. In either case, the impacts on businesses can include financial losses, reputational damage and legal repercussions.   

How to defend against this attack: defense-in-depth  

This type of attack highlights the need for a defense-in-depth approach to security. In this case, the required security controls include a mix of technologies that Proofpoint can provide. Simple configuration changes and application patching are a great help to improve security hygiene as well. 

Here are six steps you can take to help prevent this new attack on an old technology. 

  1. Deploy an effective email security system. Use a security system that incorporates threat intelligence, human researchers, sophisticated analytics, constant tuning and comprehensive, global email visibility to combat evolving threat techniques. Make sure that the vendor you choose constantly curates their detection systems.  
  2. Provide security awareness training to your users. Your people need cybersecurity education so that they will understand—and avoid—the risks of engaging with suspicious emails.  
  3. Turn off unused services, to the extent possible. Block outbound SMB protocol is likely a good practice for most organizations.  
  4. Regularly patch your systems. In this case, make sure that Outlook patching is up to date.  
  5. Continuously monitor your accounts and systems. Be on the lookout for unusual behavior of your users’ accounts.  
  6. Apply identity threat detection and response controls. This will help you to stop privilege escalation and lateral movement by attackers even if they do get past some of the earlier controls and make an initial account or host compromise.  

The NTLM authentication data theft that TA577 orchestrated highlights how cyberthreats are always evolving. Failure to take the actions outlined above could lead to severe consequences for your business, its employees and other stakeholders.  

Learn more 

For more insights, check out the State of the Phish report from Proofpoint. It provides an in-depth overview of the current threat landscape, including insights on generative AI, QR codes and MFA abuse by malicious actors. The report is informed by our extensive telemetry data, which covers more than 2.8 trillion scanned emails across 230,000 organizations worldwide. It also features findings from 183 million simulated phishing attacks sent over a 12-month period.