NTLM Hash Exploit Targets Poland and Romania Within Days of Patch Release

In-the-wild exploitation of an NTLM hash disclosure spoofing vulnerability, which reveals hashes with minimal user interaction, is on the rise.

NTLM Hash Attacks Hone In on Poland and Romania Following Patch Release

In a concerning turn of events, several financial institutions and government agencies in the United States, Germany, and Japan have been targeted in a coordinated cyberattack. The attack, which took place between March 19 and March 25, 2025, exploited a vulnerability known as CVE-2025-24054.

This vulnerability affects Windows systems and can be exploited by a specially crafted .library-ms file. Microsoft's patch documentation indicates that the vulnerability can be triggered with minimal user interaction, such as right-clicking, dragging and dropping, or simply navigating to the folder containing the malicious file.

The vulnerability appears to be a variant of the previously patched CVE-2024-43451, with which it shares several similarities. The user does not need to open or execute the malicious .library-ms file for the NTLM hash leakage to occur; when the vulnerability is exploited, the NTLMv2-SSP hash is leaked to an attacker-controlled server.

Threat actors launched a coordinated campaign targeting institutions in Poland and Romania, delivering malicious .library-ms files via Dropbox links in phishing emails. Once downloaded and extracted, these files triggered NTLM hash leakage without the need for the user to open or execute anything.
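
A triage check for the delivery path described above, as an added example that is not from the original article: it reads a downloaded archive's member list in memory, without extracting anything to disk, and flags `.library-ms` entries, including those inside nested archives. ZIP as the archive format, the function names, the size cap and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

RISKY_SUFFIX = ".library-ms"
MAX_INNER_BYTES = 50 * 1024 * 1024  # assumed cap; skips oversized nested archives


def _normalize(name):
    # Windows resolves names case-insensitively and drops trailing dots/spaces.
    return name.replace("\\", "/").rstrip(". ").lower()


def find_library_ms(data, max_depth=3, _prefix=""):
    """Return member paths ending in .library-ms, reading the archive from memory only."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = _prefix + info.filename
            norm = _normalize(info.filename)
            if norm.endswith(RISKY_SUFFIX):
                hits.append(path)
            elif (norm.endswith(".zip") and max_depth > 0
                  and info.file_size <= MAX_INNER_BYTES):
                inner = zf.read(info)  # bytes stay in memory, nothing is written to disk
                if zipfile.is_zipfile(io.BytesIO(inner)):
                    hits += find_library_ms(inner, max_depth - 1, path + "!")
    return hits


def build_sample():
    """Constructed test archive; member contents are inert placeholder bytes."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("docs/Info.LIBRARY-MS", b"placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"placeholder")
        z.writestr("report.library-ms", b"placeholder")
        z.writestr("nested/more.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for hit in find_library_ms(build_sample()):
        print("quarantine before extracting:", hit)
```

A mail or download gateway could run a check like this on attachments and fetched archives so that flagged files are held before a user extracts them or browses the resulting folder.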

The exploit can be triggered using an SMB authentication request initiated by Windows. This means that even navigating to a folder containing the malicious file could potentially expose sensitive NTLM authentication hashes.

The rapid exploitation of this vulnerability just days after Microsoft released a patch on March 11, 2025, underscores the importance of timely system updates. Users are advised to apply the patch as soon as possible to protect their systems from this threat.

As the investigation into this cyberattack continues, more details are likely to emerge. It is crucial for all Windows users to remain vigilant and take necessary precautions to safeguard their systems and data.
