Microsoft has reportedly patched a zero-day vulnerability in Windows that has been exploited in ongoing cyberattacks targeting Ukrainian organizations. The vulnerability, tracked as CVE-2024-43451, is an NTLM Hash Disclosure spoofing flaw discovered by ClearSky security researchers. Suspected Russian hackers have used this flaw in phishing campaigns aimed at Ukrainian entities.
CVE-2024-43451: Understanding the Vulnerability
The CVE-2024-43451 vulnerability exists in Microsoft’s NTLM authentication protocol and can be exploited to extract a logged-in user’s NTLMv2 hash. This hash stands in for the user’s password during authentication, so an attacker who obtains it can potentially impersonate the user or gain unauthorized access to systems. By luring users into interacting with malicious files, threat actors can obtain NTLMv2 hashes without the users’ awareness. Once obtained, these hashes can be used in “pass-the-hash” attacks or cracked to reveal the plaintext passwords, potentially giving attackers unrestricted access to systems.
ClearSky’s Discovery and Attack Details
ClearSky initially observed the exploitation of this vulnerability in June 2024. The security researchers identified phishing emails designed to leverage the CVE-2024-43451 flaw, with the goal of compromising Ukrainian targets. The emails contained hyperlinks that, once clicked, would download a malicious Internet shortcut file. This file was hosted on a server previously compromised by hackers, specifically one belonging to the Kamianets-Podilskyi City Council’s Department of Education and Science.
According to ClearSky, interacting with this Internet shortcut file triggers the vulnerability in various ways, including right-clicking, deleting, or even simply moving the file. When triggered, the malicious file connects to a remote server controlled by the attackers, initiating the download of malicious payloads. One of the primary payloads observed was SparkRAT, an open-source remote access tool (RAT) that allows attackers to remotely control compromised systems across multiple platforms.
Threat Actor Profile and Attribution
During its investigation, ClearSky shared its findings with Ukraine’s Computer Emergency Response Team (CERT-UA), which later attributed these attacks to a suspected Russian threat group known as UAC-0194. This group has been implicated in various cyber campaigns against Ukraine and is believed to be state-sponsored, further intensifying the cyber conflict between Russia and Ukraine.
The attackers were reportedly leveraging the Server Message Block (SMB) protocol in attempts to extract NTLM hashes from targeted systems. SMB, a protocol commonly used for file sharing in Windows environments, is frequently targeted by threat actors to facilitate “pass-the-hash” attacks. These types of attacks allow hackers to use stolen password hashes to gain unauthorized access without needing to crack them into plaintext, making the attacks both efficient and difficult to detect.
Microsoft’s Response and Patch Deployment
Microsoft responded to the discovery by issuing a security patch for CVE-2024-43451 as part of its November 2024 Patch Tuesday release. The tech giant confirmed ClearSky’s findings, emphasizing that user interaction with a malicious file is required to exploit the vulnerability successfully.
In its advisory, Microsoft explained that minimal interaction with the malicious file, such as single-clicking or right-clicking, could trigger the vulnerability, leading to NTLM hash disclosure. This warning underscores the stealthy nature of the exploit, as many users might unknowingly trigger it through routine file interactions.
The vulnerability affects all supported Windows versions, including Windows 10 and later client releases and Windows Server 2008 and later server releases. Microsoft urges users and system administrators to promptly install the November security updates to protect against this and the other vulnerabilities disclosed in the latest patch cycle.
CISA’s Involvement and Federal Compliance Requirements
In addition to Microsoft’s response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-43451 to its Known Exploited Vulnerabilities Catalog. This inclusion mandates that federal agencies secure vulnerable systems on their networks by December 3, 2024, as outlined by Binding Operational Directive (BOD) 22-01. This directive requires government entities to address vulnerabilities that pose significant risks to federal infrastructure.
CISA warns that vulnerabilities like CVE-2024-43451 are common targets for malicious actors and represent substantial risks to organizations across various sectors. Given the active exploitation of this vulnerability, CISA’s inclusion in its catalog highlights the urgency for swift action to mitigate the associated risks.
Protecting Against NTLM Spoofing Attacks
As NTLM-based attacks have become increasingly prevalent, organizations and individual users must adopt proactive measures to secure their systems against NTLM spoofing vulnerabilities. Here are some recommended actions:
Install Security Updates Promptly: Regularly installing Microsoft’s security patches is critical, as these updates contain fixes for known vulnerabilities that can be exploited by attackers.
Implement Network Segmentation and Restrict SMB Traffic: By segmenting networks and restricting SMB traffic, organizations can limit attackers’ ability to move laterally and exploit vulnerabilities across multiple systems.
Educate Users on Phishing Risks: Since phishing remains a primary delivery method for exploiting CVE-2024-43451, educating employees and users about phishing tactics and suspicious emails can reduce the risk of inadvertent file interactions.
Deploy Multi-Factor Authentication (MFA): MFA adds an extra layer of security, even if attackers successfully steal NTLM hashes, making it harder for them to impersonate users without access to additional verification methods.
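The SMB-based hash extraction described earlier and the “restrict SMB traffic” recommendation above share one defensive observation: a workstation almost never has a legitimate reason to open an SMB session to a host on the public Internet, so such connections are both a candidate for blocking and a high-signal alert. The following script is an added example, not code from the article, ClearSky or Microsoft. It walks constructed connection-log lines (the six-field format and the sample addresses are assumptions made for this example) and reports outbound SMB connections from internal hosts to external addresses; the internal range list is likewise an assumption and should be replaced with the organization’s own address plan.

```python
"""Flag outbound SMB connections (TCP 445 or 139) from internal hosts to
external addresses in connection-log lines.

Added example; not code from the article or from ClearSky/Microsoft.
Assumed log format (one connection per line, space-separated):
    <timestamp> <src_ip> <src_port> <dst_ip> <dst_port> <proto>
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# 445 is SMB directly over TCP; 139 is the NetBIOS session service SMB can ride on.
SMB_PORTS = {445, 139}

# Assumed "internal" ranges: RFC 1918, loopback, link-local and CGNAT.
# Replace with the organization's real address plan in production use.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)]


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str
    dst_port: int


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Optional[Tuple[str, str, int, str, int, str]]:
    """Split one log line into typed fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, sport, dst, dport, proto = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return ts, src, int(sport), dst, int(dport), proto.upper()
    except ValueError:
        return None


def find_external_smb(lines: Iterable[str]) -> List[Finding]:
    """Return every TCP connection to an SMB port that leaves the internal
    ranges. These are the sessions a 'no SMB to the Internet' firewall policy
    would block, and the ones worth alerting on where it is not yet in place."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than failing the whole run
        ts, src, _sport, dst, dport, proto = rec
        if proto != "TCP" or dport not in SMB_PORTS:
            continue
        if is_internal(src) and not is_internal(dst):
            findings.append(Finding(ts, src, dst, dport))
    return findings


# Constructed sample log (documentation-range addresses stand in for the Internet).
SAMPLE_LOG = [
    "2024-06-12T09:14:03Z 10.20.5.17 51234 10.20.5.2 445 TCP",      # internal file server
    "2024-06-12T09:14:10Z 10.20.5.17 51240 203.0.113.45 445 TCP",   # SMB to external host
    "2024-06-12T09:14:11Z 10.20.5.17 51241 198.51.100.7 443 TCP",   # ordinary HTTPS
    "2024-06-12T09:14:15Z 10.20.5.17 51242 198.51.100.7 139 TCP",   # NetBIOS session to external host
    "this line is not a connection record",                          # malformed, skipped
    "2024-06-12T09:14:20Z 10.20.5.17 51243 203.0.113.45 445 UDP",   # not TCP, ignored
]


def main() -> None:
    for f in find_external_smb(SAMPLE_LOG):
        print(f"{f.timestamp} {f.src} -> {f.dst}:{f.dst_port} outbound SMB to external host")


if __name__ == "__main__":
    main()
```

Run against real exports, the same filter can be applied to firewall, NetFlow or proxy logs once the field mapping in parse_line is adjusted; on the sample data it reports the two connections to external SMB ports and ignores the internal file-server session, the HTTPS request, the malformed line and the non-TCP record.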
Conclusion
The exploitation of CVE-2024-43451 in targeted attacks against Ukrainian entities highlights the evolving tactics of threat actors who continue to use zero-day vulnerabilities to achieve their goals. As cyber conflict escalates, especially with the involvement of state-sponsored groups, organizations must stay vigilant, apply timely patches, and educate users to minimize exposure to these types of security flaws.
With both Microsoft and CISA emphasizing the importance of addressing this vulnerability, entities across public and private sectors must act quickly to secure their networks, ensuring they are protected from this and other emerging cyber threats.