Hacking Group TA577 Stealing NTLM Authentication Hashes, Allowing for Privilege Escalation
TA577, a hacking group, has shifted tactics to using phishing emails to steal NTLM authentication hashes, enabling account hijacks. Formerly linked to Qbot and Black Basta ransomware, TA577 now acts as an initial access broker (IAB). Proofpoint reports that recent TA577 attacks deployed Pikabot, diverging from previous tactics. On February 26 and 27, 2024, TA577 launched distinct campaigns targeting the NTLM hashes of employees across hundreds of organizations worldwide. NTLM hashes, crucial for Windows authentication, facilitate offline password cracking and "pass-the-hash" attacks, enabling privilege escalation, account hijacking, data access, security evasion, and lateral movement within the network.