Warning: Thread Hijacking Attack Targets IT Networks, Stealing NTLM Hashes
Mar 05, 2024
Email Security / Network Security
The threat actor known as TA577 has been observed using ZIP archive attachments in phishing emails with an aim to steal NT LAN Manager ( NTLM ) hashes. The new attack chain "can be used for sensitive information gathering purposes and to enable follow-on activity," enterprise security firm Proofpoint said in a Monday report. At least two campaigns taking advantage of this approach were observed on February 26 and 27, 2024, the company added. The phishing waves disseminated thousands of messages and targeted hundreds of organizations across the world. The messages themselves appeared as responses to previous emails, a known technique called thread hijacking, in a bid to increase the likelihood of the attacks' success. The ZIP attachments – which are the most common delivery mechanism – come with an HTML file that's designed to contact an actor-controlled Server Message Block (SMB) server. "TA577's objective is to capture NTLMv2 Challenge/Response pairs fro...
