Posted 3/4/2024, 9:15:19 PM
Hackers Using Phishing Emails to Steal NTLM Hashes and Hijack Windows Accounts
- Hacking group TA577 is using phishing emails to steal NTLM hashes and perform account hijacks
- The phishing emails contain HTML files that trigger connections to external SMB servers, allowing TA577 to capture NTLM hashes
- The stolen hashes can be used to escalate privileges, hijack accounts, access sensitive data, evade security products, and move laterally
- Restricting SMB connections and guest access provides partial mitigation, but additional controls like multi-factor authentication are still needed
- For Windows 11 users, Microsoft has introduced a security feature to block NTLM attacks over SMB
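The technique described above only works if a workstation can complete an outbound SMB connection to a server on the Internet, so a defender's first check is whether such connections appear in network or firewall logs at all. The following script is an added example (not from the article or from any vendor tooling) that parses a constructed, simplified outbound-connection log and flags SMB traffic (TCP 445 or 139) to addresses outside an assumed set of internal ranges. The log format, the field names and the internal-range policy are assumptions made for the example; the destination addresses use RFC 5737 documentation ranges as stand-ins for public hosts.

```python
import ipaddress
import re

# Constructed sample log (not from the article): simplified outbound
# connection records from two workstations. Destination addresses use
# RFC 5737 documentation ranges as stand-ins for public Internet hosts.
SAMPLE_LOG = """\
2024-03-04T21:10:02Z src=10.20.1.15 dst=10.20.1.5 proto=tcp dport=445 action=allow
2024-03-04T21:10:09Z src=10.20.1.15 dst=203.0.113.45 proto=tcp dport=445 action=allow
2024-03-04T21:10:11Z src=10.20.1.15 dst=198.51.100.7 proto=tcp dport=443 action=allow
2024-03-04T21:10:15Z src=10.20.1.22 dst=192.0.2.88 proto=tcp dport=445 action=block
2024-03-04T21:10:20Z src=10.20.1.22 dst=10.20.1.5 proto=tcp dport=139 action=allow
"""

# Assumed log line layout for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)

# Ports used by SMB (direct-hosted on 445, NetBIOS session service on 139).
SMB_PORTS = {445, 139}

# What counts as "internal" is an organisational decision; this list is the
# assumed policy for the example (RFC 1918 plus loopback and link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_external(ip_text):
    """True if the address lies outside every configured internal range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def find_external_smb(log_text):
    """Flag outbound SMB connections to addresses outside the internal ranges.

    An allowed connection means the client may already have sent an NTLM
    challenge-response to the remote server, so it is rated 'high'. A blocked
    connection still shows that something on the host tried to reach an
    external SMB server (for example, a lure file was opened), so it is kept
    as 'info' for follow-up on the source host.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"].lower() != "tcp":
            continue
        if rec["dport"] not in SMB_PORTS or not is_external(rec["dst"]):
            continue
        severity = "high" if rec["action"] == "allow" else "info"
        findings.append({
            "ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
            "dport": rec["dport"], "action": rec["action"], "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in find_external_smb(SAMPLE_LOG):
        print(f"{f['severity']:<4} {f['ts']} {f['src']} -> "
              f"{f['dst']}:{f['dport']} ({f['action']})")
```

On the sample log the script reports two events: an allowed connection from 10.20.1.15 to 203.0.113.45:445 (rated high, since a hash may already have left the network) and a blocked attempt from 10.20.1.22 to 192.0.2.88:445 (rated info). Connections to internal file servers on 445/139 and ordinary HTTPS traffic are ignored. The internal-range list is deliberately explicit rather than relying on the `ipaddress` module's `is_private` property, because that property also treats the documentation ranges as non-global, and because which ranges count as trusted should be a stated policy, not a library default.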