A newly discovered vulnerability in Windows NT LAN Manager (NTLM) has been exploited by suspected Russian hackers in cyber attacks against Ukraine. The flaw, identified as CVE-2024-43451, allows attackers to steal NTLMv2 hashes through minimal user interaction with malicious files. The exploit chain involves phishing emails containing links to compromised Ukrainian government websites, leading to the download of a ZIP archive with a malicious URL file. When the user interacts with this file, it triggers the vulnerability and downloads additional payloads, including the Spark RAT malware. The stolen hashes also enable pass-the-hash attacks for unauthorized user authentication. Ukrainian CERT has attributed this activity to a threat actor known as UAC-0194.

Author: AlienVault
Related Tags:
pass-the-hash
cve-2024-43451
Spark RAT
T1566.001
T1053.005
T1070.004
Zero-Day
T1547.001
NTLM
Associated Indicators: