Turning "Low Risk" into Worldwide Mayhem: The Unlikely Rise of CVE-2025-24054

When Microsoft stamped its latest security vulnerability as low risk, they probably didn’t expect hackers to treat it like Black Friday at a bug bazaar.
On March 11—just another Patch Tuesday in corporate IT land—Microsoft shipped its standard fix-it-all update package. Most admins yawned, logged the change window, and maybe even treated themselves to an early lunch. Hidden among the gigabytes of fixes was CVE-2025-24054, a “meh” Windows bug concerning NTLM hash leakage. Microsoft, in its infinite wisdom, rated the flaw as “less likely” to be exploited—essentially waving off the threat. Hackers worldwide, evidently, did not get the memo. Within eight days, attackers had not only discovered but fully weaponized the loophole, launching live campaigns against government and private sector targets in Poland and Romania.

If there is a gold medal for “speedrunning” a new exploit, the miscreants behind this particular adventure surely just set a world record.
The Anatomy of a Hash-Leaking Horror
Before we get lost in the surreality of security labels, let’s dissect what exactly went wrong. CVE-2025-24054 is what the pros call an NTLM hash-leaking bug. For the layperson: when Windows authenticates to a file server with NTLM, it never sends your password. It sends a challenge-response value, the Net-NTLMv2 response, computed from the NT hash of your password, the server's challenge and a blob of client data. Trick Windows into authenticating to a server the attacker controls, and that response lands in the attacker's logs. It is not the stored NT hash itself, so it cannot be "passed" in a pass-the-hash attack, but it can be cracked offline if the password is weak and, while the connection is still open, relayed to another server that accepts NTLM without signing.

This exploits classic corporate inertia: everyone is busy, patching is annoying, and a “low risk” label only makes it easier to put off. But this bug allowed attackers to leak Net-NTLMv2 responses (the “NTLMv2-SSP hashes” of tool output) to any server they chose: less a copy of your ID badge than a signed sample of your signature, which a patient forger can work from later.
According to Check Point’s report, hackers didn’t waste any time figuring out how to use the bug for “phishing with style.” In the initial attacks, victims received innocuous-looking phishing emails baiting them to download a Dropbox-hosted ZIP file blandly named xd.zip. Inside, four cunningly rigged files lurked. Among them: a .library-ms file weaponized with CVE-2025-24054. A .library-ms file is nothing more than XML telling Explorer which folders a “library” spans, and this one named a location on a remote server under attacker control. All it took to fall victim was unzipping—or, in some Windows configurations, merely previewing—the archive. Explorer resolved the location, Windows obligingly authenticated to it with NTLM, and the precious Net-NTLMv2 response leaked straight to the attacker's server.

No complex malware, no user paranoia required—just click, unzip, and oops, you've sent your digital DNA to a mystery location.
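To make the trigger concrete, here is an added example (not from Check Point's report or The Register's article) in Python that parses .library-ms files and flags any library location resolving to a host outside an allowlist, which is the check a mail gateway or attachment sandbox could run before the file ever reaches Explorer. The format is Microsoft's documented Library Description XML; the sample documents, the allowlist and the host names are constructed for this example. The scanner only covers .library-ms; the other three files in the archive are out of scope here.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Hosts a library may legitimately point at (constructed for this example).
ALLOWED_HOSTS = {"files.corp.example", "dfs.corp.example"}
INTERNAL_SUFFIX = ".corp.example"

def location_host(url: str):
    """Host that a <url> library location resolves to, or None for local entries."""
    u = url.strip()
    if u.startswith("\\\\") or u.startswith("//"):
        # UNC path \\host\share\... (Explorer also accepts forward slashes)
        return u.lstrip("\\/").replace("/", "\\").split("\\", 1)[0] or None
    parsed = urlparse(u)
    if parsed.scheme.lower() in ("smb", "file", "http", "https"):
        return parsed.hostname           # WebDAV URLs make Windows authenticate too
    return None                          # knownfolder:{...}, shell:..., C:\... stay local

def is_untrusted(host: str) -> bool:
    """True when the host is neither an internal address nor an allowlisted name."""
    try:
        ip = ipaddress.ip_address(host)
        return not (ip.is_private or ip.is_loopback or ip.is_link_local)
    except ValueError:
        h = host.lower()
        return h not in ALLOWED_HOSTS and not h.endswith(INTERNAL_SUFFIX)

def scan_library_ms(xml_bytes: bytes):
    """Return (location, host) for every library location that points at an untrusted host.
    Swap ET.fromstring for defusedxml's equivalent when scanning hostile attachments at scale."""
    root = ET.fromstring(xml_bytes)
    findings = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "url" and el.text:   # namespace-agnostic match
            host = location_host(el.text)
            if host and is_untrusted(host):
                findings.append((el.text.strip(), host))
    return findings

LIBRARY_NS = "http://schemas.microsoft.com/windows/2009/library"

def library(*locations):
    """Build a minimal .library-ms document (constructed) containing the given locations."""
    items = "".join(f"<searchConnectorDescription><simpleLocation><url>{loc}</url>"
                    "</simpleLocation></searchConnectorDescription>" for loc in locations)
    return (f'<?xml version="1.0" encoding="UTF-8"?><libraryDescription xmlns="{LIBRARY_NS}">'
            "<name>@shell32.dll,-34575</name><version>6</version>"
            f"<searchConnectorDescriptionList>{items}</searchConnectorDescriptionList>"
            "</libraryDescription>").encode()

# A stock Documents-style library plus an internal DFS share: nothing to report.
BENIGN = library("knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}", r"\\dfs.corp.example\public")
# A lure pointing at an outside host (constructed name): Explorer would authenticate there.
LURE = library(r"\\files-update.example.net\share")

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("lure", LURE)):
        print(name, scan_library_ms(doc))
```

Anything the scanner flags is worth quarantining regardless of the CVE: a library that points outside the organisation has no legitimate business reason to exist in an inbound attachment.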
NTLM: The Hash That Refuses to Die
Let’s pause and pour one out for NTLM, Microsoft’s authentication protocol first devised in the early 1990s—an era when “online banking” was sci-fi, and “cybersecurity” just meant not writing your password on a sticky note. Kerberos has been the default for domain authentication since Windows 2000, and SAML and OAuth took over the web, yet NTLM continues to linger like a musty old sofa: Windows still falls back to it whenever Kerberos is not an option, such as reaching a server by IP address or a host outside the domain, which is exactly what a link to an unknown file server produces.

Modern attackers are only too happy to find new ways to exploit it. Cracking captured Net-NTLMv2 responses offline, relaying them in real time to servers that do not require SMB signing, or pulling off the infamous “pass-the-hash” once the NT hash itself is in hand—the menu never changes, but the kitchen stays busy.
The Blame Game: Microsoft, Attackers, and the “Exploitability” Illusion
Let’s linger on the rating that started it all: “Exploitation Less Likely.” The phrase might as well come pre-printed on ironic t-shirts for incident response teams. Microsoft's Exploitability Index is an informed estimate, not a promise: it weighs how much work a reliable exploit would take, and a file-format bug that needs nothing but a crafted attachment takes very little. Reality likes to toss curveballs—especially when bugs can be turned into nation-state-grade phishing kits in under a week.

The more benign the rating, the more it encourages a patch-it-later attitude. This complacency is exactly what attackers bet on, and in this episode, they won.
By March 25, just two weeks after Patch Tuesday, attackers had already upgraded their game: instead of ZIPs, victims received weaponized .library-ms files directly in their inbox. It turns out, you didn’t even need to double-click—just single-clicking or right-clicking the file, or anything else that makes Explorer read it to render the entry, would trigger the exploit. Talk about efficiency. At this point, even the user’s attention span wasn’t safe.

Attribution, Cyber Espionage, and Familiar Foes
The hash-leaking campaign wasn’t just a fly-by-night spam operation, either. Check Point tracked the digital fingerprints of the campaign and found exfiltrated credentials being beamed to specific, previously flagged IP addresses. One such address, 159.196.128[.]120, had already been linked by French security researchers at HarfangLab to APT28 (aka Fancy Bear)—the Russia-backed hacking group with a cyber rap sheet longer than War and Peace. While Check Point stopped short of directly blaming APT28, the connection is enough to put any IT manager on high alert.

The campaign rapidly expanded into roughly ten distinct attacks targeting the lucrative world of NTLM hash harvesting. Attacker-controlled SMB servers bloomed across Russia, Bulgaria, the Netherlands, Australia, and Turkey. Like international franchises of cybercrime, each one specialized in collecting and collating the keys to the kingdom: your domain credentials.
From Poland and Romania to the World: Why Every Organization Should Lose Sleep
It’s tempting to view attacks against governments in faraway lands as “someone else’s problem”—but the international flavor of the campaign betrays its real intent: large-scale credential harvesting, with a low bar for entry and a global appetite.

The especially insidious aspect? The attack didn’t require elaborate malware, rootkit-level access, or even masterful social engineering. A simple phishing email with an unfamiliar file type, a preview in Windows Explorer, and—voila—the attacker is halfway through your digital defenses. The "minimal user interaction" aspect was so subtle that most security awareness campaigns wouldn't even begin to cover it.
The Perpetual Patch Dilemma: How Security Ratings Guide (and Misguide) the World
This story is the poster child for why security teams can’t just patch vulnerabilities based on their vendor’s “exploitability” star ratings. Microsoft, Apple, Google—their risk ratings aren’t fortune-telling. Just because it’s “less likely” doesn’t mean it’s “never.”

Attackers are organized, funded, and have media monitoring set up to swoop on every fresh patch notification. If you wait, you’re on their schedule.
Check Point summed up the lesson loudly and clearly in their post-mortem: “The rapid exploitation highlights the critical need for organizations to apply patches immediately and ensure NTLM vulnerabilities are addressed.” That statement isn’t just CISO wallpaper. It’s survival advice.
The Hash Harvesters: Life of a Credential After It’s Stolen
Let’s say the Net-NTLMv2 response your machine coughed up is now sitting on a server somewhere in Bulgaria. What happens next? Well, the menu is as ugly as it gets:

- Attackers crack it offline: every candidate password is hashed and pushed through the same HMAC chain against the captured challenge, and a match hands over the password (and with it the NT hash) as usable credentials.
- Or, worse yet, they relayed it the moment it arrived. A relay has to happen live, while the victim's client is still waiting on the attacker's server, because the response is bound to that one server challenge; the attacker's server forwards the exchange to a legitimate domain resource that accepts unsigned NTLM and walks in as your digital shadow. A response saved to disk cannot be replayed later.
- Sometimes, it simply gets bundled into massive, commoditized breach kits and sold on the dark web, ready to be cracked or correlated when you least expect it.
The Apple of Our Security Eye: A Side Note from Cupertino
While Microsoft was mopping up an accidental international hackathon, Apple had its own hands full—albeit with a very different set of targets.

Last Wednesday, in a blast of urgency rarely seen outside of iPhone launch day, Apple raced out iOS 18.4.1 and iPadOS 18.4.1, patching not one, but two zero-day vulnerabilities. The company described the attacks in Apple-speak as “extremely sophisticated”—a phrase usually reserved for when threat actors could outwit Bond villains.
The star of this show: a memory corruption bug in CoreAudio and a flaw in RPAC, the component behind Return Pointer Authentication Codes, the hardware check that a return address has not been tampered with. Apple, together with Google’s Threat Analysis Group, found that attackers could lure someone to play a malicious media file, triggering arbitrary code execution through CoreAudio; the RPAC flaw then lets an attacker who already has arbitrary read and write in a process bypass pointer authentication, the step that turns memory corruption into control of execution. In plainer terms: open the wrong MP3, and your iPhone could become a spy device.
Apple’s fix? A surgical removal of the offending code from RPAC (blip! gone) and a fast patch for CoreAudio. While the two issues appeared to have been used in highly targeted attacks, the message was clear: zero-days don't sleep—and neither should patch management.
The Takeaway: No Bug is Too Small to Blow Wide Open
So, what did we learn from March's great security sweepstakes? If you’re Microsoft, you might now hesitate before calling any bug “unlikely to be exploited.” If you’re running enterprise Windows, you’re probably double-checking your patch pipeline—and your NTLM settings. And if you’re a user, you now have yet another bullet point for the “Why don’t I just buy a Chromebook?” argument.

Cybersecurity in 2025 is a chess match played at light speed. Labels like “low risk” are sometimes little more than hopes and prayers; attackers operate in the land of “when” not “if.”
It’s tempting to wish for a world where most vulnerabilities are shrugged off by attackers as too rare, too fiddly, or too slow to make a difference. In reality, exploit kits are fire-and-forget, nation-states have security budgets rivaling small countries, and the line between “low” and “critical” is measured in hours, not months.
Patching, Education, and Rethinking Trust: Your Survival Plan
- Patch immediately: Don’t sleep on it. Don’t wait for a change control meeting. Deploy and verify.
- Disable or phase out NTLM: Its time as the default authentication protocol should have ended in the Clinton administration. Short of switching it off, the “Network security: Restrict NTLM” policies let you audit and then block outgoing NTLM to remote servers, which neuters this entire class of leak.
- Block dangerous file types at the email gateway: If your organization doesn’t use .library-ms files, block them at the door, inside archives too.
- Block outbound SMB at the perimeter: A workstation has no business talking to TCP port 445 on the internet. Deny it, and the authentication never leaves the building.
- Educate users about phishing: And maybe, just maybe, teach them to be suspicious of mysterious ZIPs named xd.zip.
- Monitor for credential exfiltration: Set up alerts for unusual outbound SMB traffic or hash harvesting attempts, even if you don’t think you’re an obvious target.
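As an added example for the monitoring bullet, not part of the original article: a small Python detector that reads firewall log lines and raises one alert per internal host that spoke SMB (TCP 445 or 139) to an address outside the corporate ranges, then lists external servers contacted by more than one internal host, which is what a harvesting campaign looks like from the perimeter. The log format, the corporate prefixes and the sample lines are constructed for this example; real firewalls export differently, and the regular expression is the part to adapt.

```python
import ipaddress
import re
from collections import defaultdict

# Corporate address space (constructed): anything outside these prefixes is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {445, 139}

# Constructed firewall export; field names and order are invented for this example.
SAMPLE_LOG = """\
2025-03-20T09:14:02Z src=10.20.31.77 dst=10.20.5.10 dport=445 proto=tcp action=allow
2025-03-20T09:14:09Z src=10.20.31.77 dst=203.0.113.45 dport=445 proto=tcp action=allow
2025-03-20T09:14:10Z src=10.20.31.77 dst=203.0.113.45 dport=443 proto=tcp action=allow
2025-03-20T09:21:33Z src=10.20.31.91 dst=203.0.113.45 dport=445 proto=tcp action=deny
2025-03-20T09:40:05Z src=10.20.44.12 dst=198.51.100.200 dport=139 proto=tcp action=allow
2025-03-20T09:41:17Z src=10.20.44.12 dst=172.16.8.3 dport=445 proto=tcp action=allow
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) proto=(?P<proto>\S+) action=(?P<action>\S+)$")

def is_internal(addr: str) -> bool:
    """Membership in the configured corporate prefixes; deliberately not ipaddress.is_private,
    which also treats documentation and benchmarking ranges as private."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def parse(log: str):
    """Yield one dict per well-formed line; unparseable lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            yield ev

def outbound_smb_alerts(log: str):
    """One alert per (internal src, external dst) pair that spoke SMB. A denied attempt is
    still an alert: the host tried, so something on it resolved an external UNC path."""
    hits = defaultdict(list)
    for ev in parse(log):
        if (ev["proto"] == "tcp" and ev["dport"] in SMB_PORTS
                and is_internal(ev["src"]) and not is_internal(ev["dst"])):
            hits[(ev["src"], ev["dst"])].append(ev)
    return [{"src": src, "dst": dst, "first_seen": evs[0]["ts"], "count": len(evs),
             "blocked": all(e["action"] == "deny" for e in evs)}
            for (src, dst), evs in sorted(hits.items())]

def shared_external_targets(alerts, min_sources=2):
    """External SMB servers reached by several internal hosts: the campaign signature."""
    by_dst = defaultdict(set)
    for a in alerts:
        by_dst[a["dst"]].add(a["src"])
    return {dst: sorted(srcs) for dst, srcs in by_dst.items() if len(srcs) >= min_sources}

if __name__ == "__main__":
    alerts = outbound_smb_alerts(SAMPLE_LOG)
    for a in alerts:
        print(a)
    print(shared_external_targets(alerts))
```

Run against the sample, the detector ignores the two internal file-server connections and the HTTPS session, raises three alerts, and singles out the one external host that two different workstations tried to reach on port 445, one of them blocked by the firewall and one of them not.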
The Final Word: Don't Let "Low Likelihood" Lull You
This episode will likely enter the annals of security history as one of those facepalm moments: a supposedly unimportant bug, seized on by determined attackers, leveraged into international havoc in a matter of days. No one is immune. Miscreants don’t read the same risk rankings as vendors.

As the cybersecurity world learned—again—it takes only a single click, a casual glance at a file, or a single email slipped past a spam filter to ignite what Microsoft thought could wait for later. Next Patch Tuesday, spare a moment for the “boring” vulnerabilities. Hackers sure will.
Source: theregister.com Eight days from patch to exploitation for Microsoft flaw