Exploits Targeting Microsoft NTLM Authentication Detected

Tue 22nd Apr, 2025

Recent security reports have indicated that vulnerabilities in Microsoft's NTLM authentication protocol are being actively exploited in the wild. Cybercriminals are reportedly intercepting NTLM hashes and misusing them for unauthorized access to systems. This alarming trend has garnered attention from cybersecurity agencies, including the Cybersecurity and Infrastructure Security Agency (CISA) in the United States.

The specific vulnerability, identified as "NTLM Hash Disclosure Spoofing," was addressed by Microsoft in a series of Windows updates released in March. The flaw allows unauthorized users to execute spoofing attacks by manipulating file names or paths within Windows NTLM, thereby compromising system security. Microsoft characterized the risk associated with this vulnerability as medium, with a CVSS score of 6.5, and initially assessed that exploitation was less likely.

However, cybersecurity researchers from Check Point reported that attacks exploiting this vulnerability began on March 19. The targets of these attacks have primarily included governmental and private organizations in Poland and Romania. The attackers utilized emails containing links to Dropbox that led to archives filled with files designed to exploit multiple security vulnerabilities, including CVE-2025-24054. This allowed the extraction of NTLMv2 Security Support Provider (SSP) hashes.

These NTLM relay attacks fall under the broader category of Man-in-the-Middle (MitM) attacks, in which the attackers do not need to crack passwords directly. Instead, they capture the NTLM authentication response (the "hash") and relay it to another service to authenticate as the legitimate user. This method has become a favored tactic among cybercriminals because it is effective even against accounts with strong passwords.

The global attacks observed later involved the use of maliciously crafted .library-ms files that redirected NTLM authentication attempts, and therefore NTLM hashes, to attacker-controlled servers. This granted the attackers a MitM position, enabling them to compromise vulnerable systems easily. The exploit is triggered when the malicious .zip archive is unpacked, and even minimal user interaction (such as right-clicking, dragging and dropping files, or merely opening a folder containing the manipulated file) can result in the leakage of NTLM hashes.
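The leak described above only succeeds if the victim machine can actually complete an NTLM authentication to the attacker's server, which for a file-based trigger means an outbound SMB connection to a host outside the organization. A simple defensive check is therefore to hunt perimeter firewall logs for allowed outbound SMB (TCP 445 or 139) to non-internal addresses. The script below is an added example written for this article, not code from Check Point, Microsoft or CISA; the log format, field names and IP addresses are constructed assumptions (the documentation range 203.0.113.0/24 stands in for an attacker host), so adapt the regular expression to your own firewall's export format.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Ports used by SMB; an NTLM hash leak via a UNC path travels over one of these.
SMB_PORTS = {445, 139}

# Address ranges treated as "inside the organization". RFC 1918, loopback and
# link-local are assumed here; extend with your own public ranges if you have any.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]

# Assumed key=value firewall export format (constructed for this example).
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)\s+action=(?P<action>\w+)"
)


@dataclass
class Finding:
    line_no: int
    timestamp: str
    src: str
    dst: str
    dport: int


def is_internal(addr: str) -> bool:
    """True if addr parses as an IPv4/IPv6 address inside INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparseable destinations are treated as external
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_outbound_smb(lines: List[str]) -> List[Finding]:
    """Return every *allowed* TCP connection to an SMB port on an external host.

    Denied connections are skipped: they show the perimeter block working.
    """
    findings = []
    for n, line in enumerate(lines, start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"].lower() != "tcp" or rec["dport"] not in SMB_PORTS:
            continue
        if rec["action"].lower() != "allow" or is_internal(rec["dst"]):
            continue
        findings.append(Finding(n, rec["ts"], rec["src"], rec["dst"], rec["dport"]))
    return findings


# Constructed sample log lines; 203.0.113.10 and 198.51.100.7 play external hosts.
SAMPLE_LOGS = [
    "2025-03-19T09:12:01Z src=10.20.30.40 dst=203.0.113.10 dport=445 proto=tcp action=allow",
    "2025-03-19T09:12:05Z src=10.20.30.40 dst=10.0.0.5 dport=445 proto=tcp action=allow",
    "2025-03-19T09:13:10Z src=10.20.30.41 dst=198.51.100.7 dport=443 proto=tcp action=allow",
    "2025-03-19T09:14:22Z src=10.20.30.42 dst=198.51.100.7 dport=445 proto=tcp action=deny",
    "this line is malformed and must be skipped",
    "2025-03-19T09:15:00Z src=10.20.30.43 dst=203.0.113.10 dport=139 proto=tcp action=allow",
]

if __name__ == "__main__":
    for f in find_outbound_smb(SAMPLE_LOGS):
        print(f"line {f.line_no}: {f.timestamp} {f.src} -> {f.dst}:{f.dport} (outbound SMB allowed)")
```

Run against the constructed sample it reports two hits (lines 1 and 6); the denied connection on line 4 is deliberately not reported, because blocking outbound SMB at the perimeter is exactly the control that stops the hash from reaching the attacker when a user does trip over a crafted file. The hits are worth correlating with the source host's Windows Security log (NTLM logon attempts around the same timestamp) before treating them as a confirmed leak.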

In light of these developments, IT administrators are urged to prioritize the installation of security updates, as Microsoft has already released patches aimed at closing these vulnerabilities during the March Patch Tuesday. Prompt action is essential even when the perceived severity of the vulnerabilities is classified as medium.
