The threat actor tracked as ToddyCat has been observed using an expanded toolset for data theft, revealing more about its tradecraft and expertise. First documented by Kaspersky last year for intrusions against high-profile government and military targets in Europe and Asia, the group is now known to use a broader range of software for tasks ranging from maintaining persistence on a network to handling files and delivering additional malicious payloads.
ToddyCat's newly documented tools include a set of loaders for deploying the Ninja Trojan, the LoFiSe tool for locating and collecting files of interest, and the DropBox uploader and Pcexter utilities for moving stolen data to Dropbox and Microsoft OneDrive respectively. The group also relies on custom data-harvesting scripts, backdoors that communicate via UDP packets, Cobalt Strike for post-exploitation activity after the initial breach, and compromised domain administrator credentials for lateral movement within victim networks.
Kaspersky’s observations note: “Data collecting script variants stand out, created to transfer files to set directories without compressing them. They’d execute these scripts on distant hosts using conventional remote task techniques. Afterwards, manual transfer of collected files to the extraction host would take place, using tools like the xcopy utility, with compression coming in via the 7z binary.”
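The staging sequence described above (collect to a directory, xcopy to the exfiltration host, compress with 7z) leaves process-creation evidence that can be hunted for. The following PowerShell script is an added example, not code from Kaspersky or from ToddyCat's toolset: it reads process-creation events (4688) from the Security log and flags xcopy.exe runs whose command line contains a UNC destination, and 7z.exe runs that create an archive. It assumes that 'Audit Process Creation' and 'Include command line in process creation events' are enabled and that it runs with rights to read the Security log; the $Days window, the password-flag check and the output layout are this script's own choices.

```powershell
# Added example (not Kaspersky's or ToddyCat's code): hunt the Security log for the
# staging pattern of xcopy-to-remote-host followed by 7z compression.
# Assumes event 4688 with command-line logging is enabled on the host being queried.
param([int]$Days = 14)   # hypothetical look-back window, this script's own choice

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Flatten the EventData name/value pairs into a hashtable.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    $exe = [System.IO.Path]::GetFileName([string]$d['NewProcessName']).ToLowerInvariant()
    $cmd = [string]$d['CommandLine']

    # xcopy.exe with a \\server\share path on its command line: files moving to another host.
    $uncCopy = ($exe -eq 'xcopy.exe') -and ($cmd -match '\\\\[^\\\s]+\\')
    # 7z.exe (or the standalone 7za.exe build) invoked with the 'a' (add to archive) command.
    $archive = ($exe -in @('7z.exe', '7za.exe')) -and ($cmd -match '(^|\s)a(\s|$)')

    if ($uncCopy -or $archive) {
        $pattern = if ($uncCopy) { 'copy-to-unc' } else { 'archive' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Host      = $e.MachineName
            User      = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Parent    = $d['ParentProcessName']   # present on Windows 10 / Server 2016 and later
            Process   = $exe
            Pattern   = $pattern
            Encrypted = ($archive -and ($cmd -match '\s-p'))  # 7z -p = password-protected archive
            Command   = $cmd
        }
    }
}

# A copy-to-unc followed shortly by an archive under the same host and user is the
# sequence worth pulling a full timeline for.
$hits | Sort-Object Host, Time |
    Format-Table Time, Host, User, Pattern, Encrypted, Parent, Command -AutoSize -Wrap
```

Run it on the hosts that would act as the exfiltration staging point as well as on the ones the collection scripts were executed on; the xcopy event is recorded on the source of the copy, the 7z event on the host where compression happened. Legitimate administrators also use both tools, so treat the output as a lead to correlate with the remote task execution and the cloud-storage uploads mentioned above, not as an alert on its own.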
The disclosure coincides with Check Point's report on attacks against government and telecom organisations in Asia dating back to 2021. Notably, those attackers rely on a large set of disposable, throwaway malware to evade detection and deliver next-stage payloads, and some of the infrastructure used in that activity overlaps with infrastructure attributed to ToddyCat.
Microsoft Reinforces Windows Security
Turning from attackers to defenders, Microsoft has announced plans to phase out NT LAN Manager (NTLM) in Windows 11 in favour of Kerberos, which has been the default authentication protocol in Windows since Windows 2000. Two additions to Windows 11, Initial and Pass Through Authentication Using Kerberos (IAKerb) and a local Key Distribution Center (KDC) for Kerberos, extend Kerberos to scenarios where it previously could not be used, such as authenticating to a host that has no line of sight to a domain controller or authenticating to local accounts.
NTLM dates to the 1990s and has been largely superseded by Kerberos since Windows 2000. The difference is in the design: Kerberos authenticates with tickets issued by a trusted KDC and encrypted for the specific service being accessed, whereas NTLM is a challenge-response scheme keyed directly on the user's password hash, so a stolen hash can be used without the password and an in-flight exchange can be relayed to another server. Because of those weaknesses and NTLM's susceptibility to relay attacks, Microsoft is now focused on reducing NTLM use in its own components and encouraging broader Kerberos adoption.
Matthew Palko of Microsoft said the changes will be enabled by default and will not require configuration in most cases. NTLM will remain available as a fallback to preserve compatibility with software and devices that still depend on it.
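Because NTLM stays on as a fallback, anything that still negotiates NTLM today will keep doing so silently after the change, so the practical first step is to find out who still uses it. The following PowerShell script is an added example, not code from Microsoft or the article: it reads successful logon events (4624) from the Security log, tallies them by authentication package and NTLM version, and then lists the network (logon type 3) NTLM logons by source address and account. It assumes 'Audit Logon' is enabled and that it runs with rights to read the Security log; the $Days parameter and the output layout are this script's own choices.

```powershell
# Added example (not Microsoft's code): inventory NTLM vs Kerberos logons from the
# Security log so NTLM-dependent hosts and accounts are known before NTLM is restricted.
# Assumes event 4624 is being audited on the host being queried.
param([int]$Days = 7)   # hypothetical look-back window, this script's own choice

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction Stop

$rows = foreach ($e in $events) {
    # Flatten the EventData name/value pairs into a hashtable.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        LogonType   = $d['LogonType']                 # 3 = network, 2 = interactive, 10 = RDP
        AuthPackage = $d['AuthenticationPackageName'] # 'NTLM', 'Kerberos' or 'Negotiate'
        LmPackage   = $d['LmPackageName']             # 'NTLM V1' / 'NTLM V2' when NTLM was used
        Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Source      = $d['IpAddress']
        Workstation = $d['WorkstationName']
    }
}

# Summary: share of logons per package, and which NTLM version (V1 is the worst case).
$rows | Group-Object AuthPackage, LmPackage | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# The migration list: network NTLM logons by source address and account. These are the
# clients and service accounts that would fall back to NTLM, or break, once it is restricted.
$rows | Where-Object { $_.AuthPackage -eq 'NTLM' -and $_.LogonType -eq '3' } |
    Group-Object Source, Account | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it on domain controllers as well as on member servers, since a 4624 event is written on the host that validated the logon. Where the 'Network security: Restrict NTLM' audit policies are enabled, the Microsoft-Windows-NTLM/Operational log (events 8001 to 8004) gives a more targeted view of the same dependencies, including outbound NTLM from the host itself.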
The two stories point in the same direction: threat actors like ToddyCat keep expanding their toolsets even as platform vendors like Microsoft work to remove long-standing weaknesses such as NTLM. With threats continually evolving, proactive defense matters more than ever, and the contest between intrusion tradecraft and security hardening will only intensify.