Attacks on Microsoft NTLM authentication observed

Attackers are harvesting Microsoft NTLM hashes and reusing them to authenticate as their victims. CISA, among others, is warning about this.

A monitor displays "Attack running ..."

(Image: Created with AI in Bing Creator by heise online / dmk)


A vulnerability in Microsoft's NTLM authentication is being exploited in the wild. By sending specially crafted files in emails, attackers make the victim's Windows machine authenticate to a server they control, capturing the NTLM hash, which they can then relay or crack to gain access to other computers. The US cybersecurity agency CISA, among others, is now warning about this.

Microsoft closed the vulnerability now under attack with the Windows updates released in March. It is an "NTLM Hash Disclosure Spoofing" vulnerability. "External control of a file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network," is how Microsoft describes the flaw (CVE-2025-24054, CVSS 6.5, risk "medium"). The company rated the likelihood of abuse as low ("Exploitation Less Likely").

IT security researchers at Check Point have observed attacks on this vulnerability since March 19. The targets of this malware campaign were government and private institutions in Poland and Romania. The attackers sent victims emails containing links to Dropbox. The archives hosted there contained files that abused several vulnerabilities, including CVE-2025-24054, to capture NTLMv2-SSP hashes (SSP: Security Support Provider).

The NTLM relay attacks built on such leaks fall under the category of man-in-the-middle (MitM) attacks on NTLM authentication. Instead of cracking the password, attackers intercept the hash and forward it to another service in order to authenticate there as the user, the researchers explain. Two caveats matter for practitioners: what leaks is the NTLMv2 challenge response (Net-NTLMv2), not the account's stored NT hash, so it cannot be used for pass-the-hash, but it can be cracked offline if the password is weak; and relaying it only succeeds against services that do not enforce signing or channel binding.


The attacks, which were later observed worldwide, used maliciously crafted .library-ms files. These point to an attacker-controlled server, so that Windows sends the NTLM hash there, which puts the attackers in a man-in-the-middle position and allows them to compromise the vulnerable systems. The exploit in the files fires as soon as the .zip archive is unpacked; in the subsequent attacks the files were delivered without an archive. According to Microsoft's description, even minimal user interaction suffices to trigger the vulnerability: a right-click, dragging and dropping the file, or simply opening the folder that contains the prepared file is enough for the NTLM hash to leak. The Check Point analysis also lists indicators of compromise (IOCs) at the end.

Microsoft released the update that closes the security hole on the March Patch Tuesday. IT managers should ensure that security updates are installed promptly, even when the stated severity of the flaws they fix is only "medium". Blocking outbound SMB (TCP port 445) at the network perimeter and enforcing SMB and LDAP signing additionally limit both the hash leak and the relay that follows it.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.