Saturday November 23, 2024

The hacking group known as TA577 has recently shifted tactics by using phishing emails to steal NT LAN Manager (NTLM) authentication hashes to perform account hijacks.

TA577 is considered an initial access broker (IAB), previously associated with Qbot and linked to Black Basta ransomware infections.

Email security firm Proofpoint reports today that although TA577 has recently shown a preference for deploying Pikabot, two recent attack waves demonstrate a different tactic.

Distinct TA577 campaigns launched on February 26 and 27, 2024, disseminated thousands of messages to hundreds of organizations worldwide, targeting employees' NTLM hashes.

NTLM hashes are used in Windows for authentication and session security and can be captured for offline password cracking to obtain the plaintext password.