A Windows vulnerability that exposes NTLM hashes using .library-ms files is now actively exploited by hackers in phishing campaigns targeting government entities and private companies. In attacks seen by Check Point, phishing emails were sent to entities in Poland and Romania that included a Dropbox link to a ZIP archive, containing a .library-ms file. Simply downloading the .library-ms file was enough to trigger NTLM authentication to the remote server, demonstrating that archives were not required to exploit the flaw. The malicious archive also contains three more files, namely 'xd.url,' 'xd.website,' and 'xd.link,' which leverage older NTLM hash leak flaws and are most likely included for redundancy in case the 'library-ms' method fails. NTLM (New Technology LAN Manager) is a Microsoft authentication protocol that uses challenge-response negotiation involving hashes instead of transmitting plaintext passwords to authenticate users. Capturing NTLM hashes could open the way to authentication bypass and privilege escalation, so even though CVE-2025-24054 is only evaluated as a "medium" severity issue, its potential consequences are grave. "On March 25, 2025, Check Point Research discovered a campaign targeting companies around the world, distributing these files without being zipped," explains Check Point. When Windows connects to the remote SMB server, it will attempt to authenticate via NTLM, allowing the attacker to capture the user's NTLM hashes. However, Check Point researchers report having observed active exploitation activity for CVE-2025-24054 only a few days after patches became available, culminating between March 20 and 25, 2025. While NTLM avoids transmitting plaintext passwords, it is no longer considered secure due to vulnerabilities like replay attacks and brute-force cracking of captured hashes. In a later campaign, Check Point discovered phishing emails that contained .library-ms attachments, without an archive. It is advised that all organizations should install the March 2025 updates and turn off NTLM authentication if it is not required. When extracting a ZIP file that contains a .library-ms file, Windows Explorer will interact with it automatically, triggering the CVE-2025-24054 flaw and causing Windows to make an SMB connection to the URL specified in the file. In this phishing attack, the library-ms file was created to contain a path to a remote SMB server under the attacker's control.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 17 Apr 2025 19:25:08 +0000