A recently patched security flaw affecting Windows NT LAN Manager (NTLM) was exploited as a zero-day by a suspected Russian-linked actor in cyberattacks against Ukraine.
The vulnerability in question, CVE-2024-43451 (CVSS score: 6.5), is an NTLM hash disclosure spoofing vulnerability that can be exploited to steal a user’s NTLMv2 hash. It was patched up from Microsoft earlier this week.
“Minimal user interaction with a malicious file, such as selecting (single-click), inspecting (right-clicking), or performing actions other than opening or executing, could trigger this vulnerability,” Microsoft said in its advisory.
Israeli cybersecurity firm ClearSky, which discovered exploits of the June 2024 zero-day flaw, said it has been abused as part of a chain of attacks that provide open source code Spark RAT malware.
“The vulnerability activates URL files that lead to malicious activity,” the company said, adding that the malicious files were hosted on an official Ukrainian government website that allows users to download academic certificates.
The chain of attacks involves sending phishing emails from a compromised Ukrainian government server (“doc.osvita-kp.gov(.)ua”) that prompts recipients to restore their academic credentials by clicking on a mined URL embedded in the message.
This results in the download of a ZIP archive containing a malicious Internet Shortcut (.URL) file. The vulnerability is triggered when a victim interacts with a URL file by right-clicking, deleting, or dragging it to another folder.
The URL file is for establishing connections to a remote server (“92.42.96(.)30”) to download additional payloads, including the Spark RAT.
“Additionally, executing the sandbox caused a warning about an attempt to transfer the NTLM (NT LAN Manager) hash over the SMB (Server Message Block) protocol,” ClearSky said. “Once the NTLM Hash is obtained, an attacker can perform a Pass-the-Hash attack to identify himself as the user associated with the captured hash without having to enter the corresponding password.”
Ukraine’s Computer Emergency Response Team (CERT-UA) linked the activity to a likely Russian threat it is tracking as UAC-0194.
In recent weeks, the agency also warned that tax-related phishing emails were being used to distribute legitimate remote desktop software called LiteManager, describing the attack campaign as financially motivated and launched by a threat called UAC-0050.
“Accountants of enterprises whose computers work with remote banking systems are in a special risk zone,” CERT-UA warned. “In individual cases, as evidenced by the results of computer forensic studies, from the moment of the primary attack to the moment of the theft of funds, no more than an hour can pass.”