

Severity
High
Analysis Summary
A suspected threat actor with ties to Russia used a recently patched vulnerability in Windows NT LAN Manager (NTLM) as a zero-day exploit in cyberattacks against Ukraine.
CVE-2024-43451 (CVSS score: 6.5) is an NTLM hash disclosure spoofing vulnerability that can be used to obtain a user's NTLMv2 hash. Microsoft patched it early this week. The vulnerability can be triggered by minimal user interaction with a malicious file, such as selecting it (single-click), inspecting it (right-click), or carrying out an action other than opening or executing it.
According to the researchers who identified its zero-day exploitation in June 2024, the vulnerability has been abused as one link in an attack chain that delivers the open-source Spark RAT malware. The malicious activity is triggered when the vulnerability is activated through internet shortcut (URL) files. The infected files were hosted on a legitimate Ukrainian government website that lets visitors download academic credentials.
The attack chain entails sending phishing emails from a compromised Ukrainian government site ("doc.osvita-kp.gov[.]ua") asking recipients to click on a booby-trapped URL included in the message to renew their academic certificates. As a result, a ZIP file containing a malicious internet shortcut (.URL) file is downloaded. When the victim works with the URL file by dragging it to a different folder, deleting it, or right-clicking on it, the vulnerability is activated.

The purpose of the URL file is to connect to a remote server ("92.42.96[.]30") in order to download further payloads, such as Spark RAT. In addition, sandbox execution detected an attempt to transfer the NTLM (NT LAN Manager) hash over the SMB (Server Message Block) protocol. Once the NTLM hash has been obtained, an attacker can use a Pass-the-Hash attack to assume the identity of the user associated with the captured hash, without needing the accompanying password.
The activity has been connected to UAC-0194, a potential Russian threat actor that the Computer Emergency Response Team of Ukraine (CERT-UA) monitors. The CIA has also warned in recent weeks that a threat actor known as UAC-0050 is behind the attack campaign, which is financially motivated and uses phishing emails with tax-related baits to spread LiteManager, a legitimate remote desktop program.
Impact
- Unauthorized Access
- Identity Theft
- Financial Loss
Indicators of Compromise
IP
- 92.42.96.10
- 89.23.102.251
MD5
- bf33fd962b07030420666a0b329f680c
- 948fe6bc00c9d95e22557718d69c92ca
- 2e1ce941b2142b241d48bdaabc83808d
- ead645c92a48c624af4ee445559894da
- 519491d28fb7f3ddb1cf84a29780723b
- 4dfdf86360c6030d46a3e85941bfce60
- b1ad3b0997af8035c5978f1dd87ea3b8
- 35e4e128afdbb569a70fb63cf2787ada
- f2e34a6183dd0c6f320ab8203d3eea7b
- 274b434a96f447a0ad6bff03d07f6964
- 9aff477d681be77815b141cad037d7b6
- 4e7a208fa78412254979f2600703db44
- 5433556b4d9e72b9ca8e22da77ea10dc
- c8f591aa32aa7857f131c1ea322f1a58
- b0c9ec6c65bbbd60ab7920a345cc1b8a
SHA-256
- aac3f49b8c875ca842f96dd6dde194102944907a956fad1ff1cff14c64aaf2e0
- 07b417ffa08f12201eceba3688690bd5c947f657be00e3c883f6ec342ec5c344
- 0efe4a603dd59b377798ae2889fe47a851f79e36d1a925d327a93416204d1767
- 6c6ba73e4c80853219121f922e60564720d414bf42d8bc542dac800560d1eb36
- df74298b2ecb33558bd34b7d59bcade5901eb5db1b61ce9aa1ae27e597f4f58d
- 928cdef8fb7c2ba9aa96ab726d74aa7a18b032102d9ec4ed00e7559f98c1bdf9
- e4a6368556c15d316960bd605827c00e336ef6e56c369090803a46ff69dfd4ac
- 715a69b898bd0a056098d24505046391e29381f671952d5e860c0cb41779a49f
- c423ea5a16e33d3b988358ad649bb43a3265cad8e118ed91863d8b9dc3e8f8f9
- caba3a8900302df5b83d260ed1f4da19b68f8c2d1b92c6dfc91b2ca01f14a1ef
- 8cf24fe1384ca8ea763081b78fd14995704bbd73a871ebe1c362053767aeec20
- 5499a4bf696fdbbe41cdc2bc9efae2df93306a135643a3651701c5ca57570eb7
- ad10aaac2661b2dd17ef586a2bf8f3dca7a82abda2580dbd3aca2d52cc5460ae
- 6de2602f486985bfadae3b4ac06af041f22fd41559954a6ecd262f7c3a8aa681
- d6d77204740bd3bdd2fd5e918a7ba9134c1d7d10eb3d6972749009dd50df6cc8
SHA-1
- befbf9ca3bfe9e3152939ce1fe4ad96f8c7a0aa7
- e4f894e9a4d33f5202db5a10bcd0b54348ea13f8
- 5fe0558cf268a926dec7c65fa763469bd8f63dbd
- 3df56435eb28b91c53f4c5e8dfe95d27c344f654
- 69f844d56d26e286026a771c47cdf593b1e1e854
- 98d5c841592a6c0376e6b39a572fbabc0cc75bef
- 74d206055173cf6ffdf905474947ffa4d25d2940
- 2b35ac9c0b38d9c7f2bad1b3114aca8119250ff3
- dda1e0731bd583188133eefee21d6ebdf7f8973e
- 11d7e43d7528ad49a1bcf054bcb830733df8b3b1
- 1da43753c3b48eb25180b04a2e7c6d64d9159be5
- 10a4b5cdf1495e3d00821c29ab8b6758a39a0ac7
- 57c7f6091a1338b25b76dcb9064cba243cf9bc60
- fc1e8f6c817c5b0a1730f56873dfb470ea0616bc
- 7acfbb43099c943195d3380a016d91658b5e75a0
Remediation
- Use Microsoft Automatic Update to apply the appropriate patch for your system, or the Microsoft Security Update Guide to search for available patches.
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
- Maintain cyber hygiene by updating your antivirus software and implementing a patch management lifecycle.
- Patch and upgrade platforms and software in a timely manner, and make this a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Enable antivirus and antimalware software and keep signature definitions up to date. Multilayered protection is necessary to secure vulnerable assets.
- Enforce strong password policies across the organization. Encourage the use of complex passwords and enable multifactor authentication (MFA) wherever possible to add an extra layer of security.
- Deploy reliable endpoint protection solutions that include antivirus, antimalware, and host-based intrusion prevention systems (HIPS) to detect and block malicious activities.
- Utilize web filtering and content inspection tools to block access to malicious websites and prevent users from downloading malicious files.
- Deploy IDPS solutions to detect and block suspicious network traffic and intrusions.
- Conduct regular vulnerability assessments and penetration testing to identify weaknesses in the network infrastructure and address them before they are exploited by attackers.
- Continuously monitor network traffic and security logs for any signs of suspicious activities. Stay updated on the latest threat intelligence to understand the tactics, techniques, and procedures (TTPs) employed by threat actors.
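The IoC hunt and the monitoring items above can be put into a small script. The following is an added example written for this advisory, not code from the advisory's authors or from any vendor. It takes a few of the IP and hash indicators listed above, scans constructed firewall log lines (the `key=value` layout is an assumption; adapt the regex to your own log source) for connections to listed IPs and for SMB traffic leaving the internal ranges, which is the path by which a disclosed NTLMv2 hash would reach an attacker-controlled host, matches file hashes from an inventory against the indicator sets, and flags ZIP archives that carry an internet shortcut (.URL) entry of the kind described in the analysis so a mail gateway or download filter can quarantine them. The internal address ranges, sample log lines and sample archive are all constructed for the example.

```python
import hashlib
import io
import ipaddress
import re
import zipfile
from typing import Dict, List, Set

# Indicators copied from the advisory above (trimmed to a few entries per type).
IOC_IPS: Set[str] = {"92.42.96.10", "89.23.102.251"}
IOC_HASHES: Dict[str, Set[str]] = {
    "md5": {"bf33fd962b07030420666a0b329f680c", "948fe6bc00c9d95e22557718d69c92ca"},
    "sha1": {"befbf9ca3bfe9e3152939ce1fe4ad96f8c7a0aa7", "e4f894e9a4d33f5202db5a10bcd0b54348ea13f8"},
    "sha256": {
        "aac3f49b8c875ca842f96dd6dde194102944907a956fad1ff1cff14c64aaf2e0",
        "07b417ffa08f12201eceba3688690bd5c947f657be00e3c883f6ec342ec5c344",
    },
}

# Ranges treated as internal when deciding whether SMB traffic leaves the network.
# RFC 1918 plus loopback and link-local; this is an assumption, adjust to your addressing plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
SMB_PORTS = {445, 139}

# Constructed sample firewall log lines (not real telemetry). The key=value layout
# is an assumption; adapt LOG_RE to the log source you actually have.
SAMPLE_LOGS = """\
2024-11-14T09:01:12Z src=10.0.5.21 dst=92.42.96.10 dport=445 proto=tcp action=allow
2024-11-14T09:01:15Z src=10.0.5.21 dst=10.0.0.7 dport=445 proto=tcp action=allow
2024-11-14T09:02:03Z src=10.0.5.33 dst=203.0.113.44 dport=445 proto=tcp action=allow
2024-11-14T09:02:40Z src=10.0.5.33 dst=93.184.216.34 dport=443 proto=tcp action=allow
2024-11-14T09:03:11Z src=10.0.5.40 dst=89.23.102.251 dport=8080 proto=tcp action=deny
"""

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def scan_logs(text: str) -> List[Dict]:
    """Flag lines whose destination is a listed IoC, or SMB traffic to an external host.
    Denied connections are reported too: the attempt itself is the signal."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.search(line)
        if not m:
            continue
        dst, dport = m["dst"], int(m["dport"])
        reasons = []
        if dst in IOC_IPS:
            reasons.append("ioc_ip")
        if dport in SMB_PORTS and not is_internal(dst):
            reasons.append("outbound_smb_external")
        if reasons:
            findings.append({"line": lineno, "dst": dst, "reasons": reasons})
    return findings


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Compute the three digest types the advisory lists for a file's contents."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_hashes(hashes: Dict[str, str]) -> Set[str]:
    """Return the digest types under which a file's hashes hit the IoC list."""
    return {alg for alg, h in hashes.items() if h.lower() in IOC_HASHES.get(alg, set())}


def zip_contains_url_shortcut(zip_bytes: bytes) -> List[str]:
    """List .URL entries inside an archive; a gateway can quarantine archives that carry one."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(".url")]


def build_sample_zip() -> bytes:
    """Constructed archive with one .URL entry and one harmless file (placeholder content only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("certificate.URL", "placeholder")
        zf.writestr("readme.txt", "placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_logs(SAMPLE_LOGS):
        print(finding)
    print(match_hashes({"sha256": next(iter(IOC_HASHES["sha256"]))}))
    print(zip_contains_url_shortcut(build_sample_zip()))
```

Against the constructed log lines, `scan_logs` reports line 1 twice over (listed IP and SMB to an external host), line 3 for external SMB alone, and line 5 for the listed IP even though the firewall denied it. SMB to an internal file server (line 2) is not flagged, so tune `INTERNAL_NETS` carefully: a range that is missing from it produces false positives, and one that is too wide hides the very egress the advisory describes.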