Windows NTLM hashes are the target of novel Initial Access Broker (IAB) attacks

Over the past week, TA577, an initial access broker also known as Hive0118, has targeted hundreds of organizations with attacks designed to steal Windows NT LAN Manager (NTLM) authentication data. This finding, reported by CSO Online and further detailed in a Proofpoint report, highlights a sophisticated method employed by TA577 involving the use of malicious emails. These emails insert a password-protected ZIP archive into ongoing legitimate email threads. The archive contains an HTML document that, once opened, initiates a connection to an SMB server under the control of the attackers.

This SMB server is reported to utilize the Impacket toolkit, an open-source collection of classes for working with network protocols. Impacket is known for its ability to collect NTLM hashes from network communications, which can subsequently be used to execute NTLM relay attacks. Such attacks can allow unauthorized access to network resources by exploiting the NTLM authentication protocol.

The researchers have suggested several defensive measures to mitigate the risks posed by these attacks. Notably, they recommend blocking outbound connections to SMB servers, which prevents the unauthorized gathering of NTLM hashes. Additionally, they clarified that if the attackers were to embed the file scheme URI directly in the body of the email, the attack would fail against Outlook mail clients that have been patched since July 2023. However, they also noted that simply disabling guest access to SMB servers is not an effective countermeasure in this scenario. This is because the HTML file's connection must first attempt to authenticate to the external SMB server before it can learn whether guest access is permitted, so the initial connection attempt, and with it the exposure, still occurs.
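Blocking outbound SMB is the recommended control, but a defender also wants to know which hosts are already trying to reach external SMB servers. The following Python script is an added example, not code from the article or from Proofpoint: it parses firewall log lines and flags TCP connections to ports 445 or 139 whose destination lies outside a set of internal address ranges. The key=value log format, the sample lines, and the internal-range list are all constructed assumptions; adapt `parse_line()` and `INTERNAL_NETS` to your own firewall export.

```python
"""Flag outbound SMB attempts to external hosts in firewall logs.

Added example (not from the SC Media / Proofpoint write-up). The log format
is a constructed key=value layout; adjust parse_line() for your firewall.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# SMB over TCP (445) and NetBIOS session service (139).
SMB_PORTS = {445, 139}

# Address ranges treated as "internal". Listed explicitly rather than via
# ipaddress.is_private so the documentation-range stand-ins below (203.0.113.x,
# 198.51.100.x) are classified as external, as a real public server would be.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed sample log lines (not real traffic). Public IPs are
# documentation-range stand-ins for an attacker-controlled SMB server.
SAMPLE_LOG = """\
2024-03-05T08:42:01Z action=allow proto=tcp src=10.20.4.17 sport=51622 dst=10.20.1.5 dport=445
2024-03-05T08:42:03Z action=allow proto=tcp src=10.20.4.17 sport=51630 dst=203.0.113.44 dport=445
2024-03-05T08:42:05Z action=allow proto=tcp src=10.20.4.22 sport=49811 dst=198.51.100.9 dport=443
2024-03-05T08:42:07Z action=deny proto=tcp src=10.20.4.31 sport=50012 dst=198.51.100.77 dport=139
2024-03-05T08:42:09Z action=allow proto=udp src=10.20.4.17 sport=137 dst=10.20.4.255 dport=137
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) sport=(?P<sport>\d+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    action: str  # "allow" findings are the urgent ones; "deny" still shows a lure fired


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_internal(ip):
    """True if ip falls inside one of the INTERNAL_NETS ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_smb_egress(log_text):
    """Return Findings for TCP connections to SMB ports on external hosts."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        dport = int(rec["dport"])
        if dport not in SMB_PORTS or is_internal(rec["dst"]):
            continue
        findings.append(Finding(rec["ts"], rec["src"], rec["dst"], dport, rec["action"]))
    return findings


def summarize_by_source(findings):
    """Count external SMB attempts per internal source host (triage list)."""
    return dict(Counter(f.src for f in findings))


if __name__ == "__main__":
    hits = find_smb_egress(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport} ({f.action})")
    print("per-source:", summarize_by_source(hits))
```

Hosts that appear here after the block rule is in place (the `deny` entries) are still worth a look: the connection attempt means the HTML lure was opened on that machine, even though no authentication reached the external server.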

These recommendations underscore the importance of maintaining up-to-date security patches and adopting proactive network security measures to safeguard against sophisticated cyber-attacks.

Source: Windows NTLM hashes targeted in novel IAB attacks | SC Media

Posted: 05/03/2024 8:42 am