PT-2024-7974 · Microsoft · Windows

Israel Yeshurun · Published 2024-06-12 · Updated 2026-01-23 · CVE-2024-43451

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Microsoft Windows versions prior to the November 2024 security updates

Description
This is a spoofing issue in the New Technology LAN Manager (NTLM) protocol that allows an attacker to obtain a victim's NTLMv2 hash with minimal user interaction. The vulnerability, designated CVE-2024-43451, was actively exploited by a suspected Russia-linked actor in attacks targeting Ukrainian entities. Exploitation requires only simple user interaction with a malicious file, such as a .URL file; the file does not necessarily need to be opened. The vulnerability was exploited in campaigns involving phishing emails and malicious .URL files, leading to the deployment of malware such as Spark RAT, AsyncRAT, and Remcos RAT. In some instances, exploitation was observed even before the patch was released, triggered by requests to WebDAV servers. Approximately 1,600 organizations in Colombia were impacted by attacks leveraging this vulnerability. The threat actor, known as Blind Eagle (APT-C-36), has been actively targeting organizations in Colombia and Ecuador since 2018.

Recommendations
Apply the November 2024 security updates to all affected Windows systems.

Fix

Weakness Enumeration

Related Identifiers

BDU:2024-09487
CVE-2024-43451

Affected Products

Windows