Eight days from patch to exploitation for Microsoft flaw (2025)

On March 11 - Patch Tuesday - Microsoft rolled out its usual buffet of bug fixes. Just eight days later, miscreants had weaponized one of the vulnerabilities, using it against government and private sector targets in Poland and Romania.

The Windows flaw in question was CVE-2025-24054, an NTLM hash-leaking vulnerability that Microsoft rated as "less likely" to be exploited. Attackers begged to differ and built malware that abused the bug, according to researchers at Check Point.

Specifically, the vulnerability can be exploited to leak a victim's Net-NTLMv2 or NTLMv2-SSP hash over the network. According to Check Point, miscreants can "attempt to brute-force the hash offline or perform relay attacks," and impersonate the user to access stuff and perform actions as them.

In the initial wave of attacks, phishing emails lured victims to download a Dropbox-hosted ZIP archive called xd.zip. Inside were four booby-trapped files, including a .library-ms file that exploited CVE-2025-24054. Simply unzipping the archive - or in some cases, just viewing the folder in Windows Explorer - was enough to trigger an outbound SMB authentication attempt, leaking the victim's Net-NTLMv2 hash to a remote server controlled by the attackers.

The Check Point researchers observed that stolen NTLM hashes were exfiltrated to a specific IP address: 159.196.128[.]120 – an address previously flagged by HarfangLab in January as linked to APT28, aka the Russia-backed Fancy Bear hacking group. However, there's no further information directly associating this IP with the group, the security shop notes.

By March 25, attackers were no longer relying solely on open ZIP archives and had begun emailing standalone .library-ms files directly to targets. According to Microsoft, this exploit can be triggered with minimal user interaction, such as selecting (single-clicking) or inspecting (right-clicking) the file.

That malware campaign quickly went international, with around 10 separate campaigns observed by March 25, all aimed at harvesting NTLMv2 hashes. The stolen credentials were sent to attacker-controlled SMB servers located in Russia, Bulgaria, the Netherlands, Australia, and Turkey.

"This rapid exploitation highlights the critical need for organizations to apply patches immediately and ensure that NTLM vulnerabilities are addressed in their environments," Check Point reported.

"The minimal user interaction required for the exploit to trigger and the ease with which attackers can gain access to NTLM hashes make it a significant threat, especially when such hashes can be used in pass-the-hash attacks."

Apple patches two zero-days

Last Wednesday, Apple pushed out iOS 18.4.1 and iPadOS 18.4.1 to patch two zero-day vulnerabilities that it says were exploited in "extremely sophisticated" attacks against targeted individuals.

The first fix addresses a memory corruption issue in CoreAudio, which processes audio streams. Apple and Google's Threat Analysis Group jointly reported the bug, which could lead to arbitrary code execution when handling a maliciously crafted media file.

The second patch addresses a flaw in the Return Pointer Authentication Code (RPAC), part of Apple's mechanism for blocking pointer manipulation attacks. According to Cupertino, an attacker with arbitrary read and write access "may be able to bypass Pointer Authentication." Apple mitigated the issue by removing the vulnerable code. ®
