Microsoft rated this bug as low exploitability. Miscreants weaponized it in just 8 days
- News link: https://www.theregister.co.uk/2025/04/21/microsoft_apple_patch/
The Windows flaw in question was [1]CVE-2025-24054, an NTLM hash-leaking vulnerability that Microsoft [2]rated as "less likely" to be exploited. Attackers begged to differ and built malware that abused the bug, according to researchers at Check Point.
Apple patches two zero-days
Last Wednesday, Apple pushed out [3]iOS 18.4.1 and iPadOS 18.4.1 to patch two zero-day vulnerabilities that it says were exploited in "extremely sophisticated" attacks against targeted individuals.
The first fix addresses a memory corruption issue in CoreAudio, which processes audio streams. Apple and Google's Threat Analysis Group jointly reported the bug, which could lead to arbitrary code execution when handling a maliciously crafted media file.
The second patch addresses a flaw in the Return Pointer Authentication Code (RPAC), part of Apple's mechanism for blocking pointer manipulation attacks. According to Cupertino, an attacker with arbitrary read and write access "may be able to bypass Pointer Authentication." Apple mitigated the issue by removing the vulnerable code.
Specifically, the vulnerability can be exploited to leak a victim's Net-NTLMv2 or NTLMv2-SSP hash over the network. According to Check Point, miscreants can "attempt to brute-force the hash offline or perform relay attacks," and impersonate the user to access stuff and perform actions as them.
In the initial wave of attacks, phishing emails lured victims to download a Dropbox-hosted ZIP archive called xd.zip. Inside were four booby-trapped files, including a .library-ms file that exploited CVE-2025-24054. Simply unzipping the archive - or in some cases, just viewing the folder in Windows Explorer - was enough to trigger an outbound SMB authentication attempt, leaking the victim's Net-NTLMv2 hash to a remote server controlled by the attackers.
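Added triage example (not code from the article, Check Point or Microsoft): a Python helper that parses a .library-ms attachment and flags any library location that would make Explorer authenticate to a host outside the organisation, which is the trigger described above. It relies on the documented Library Description schema (`simpleLocation`/`url` elements under the 2009 library namespace); the sample XML, the `example.*` hosts and the `.corp.example` internal suffix are constructed for the demonstration.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import urlparse
# Default XML namespace of Windows Library Description (.library-ms) files.
NS = "{http://schemas.microsoft.com/windows/2009/library}"
# Constructed sample (not a real attachment): one local knownfolder entry, one UNC
# path and one WebDAV URL, the latter two pointing at reserved example.* hosts.
SAMPLE_LIBRARY_MS = """<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url></simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation><url>\\\\files.example.net\\share</url></simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation><url>http://files.example.org/dav</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

def remote_host(location: str) -> Optional[str]:
    """Host Explorer would contact to enumerate this location; None if it is local."""
    loc = location.strip()
    m = re.match(r"^[\\/]{2}([^\\/]+)(?:[\\/]|$)", loc)   # UNC: \\host\share
    if m:
        return m.group(1)
    parsed = urlparse(loc)                               # WebDAV: http(s)://host/...
    if parsed.scheme in ("http", "https") and parsed.hostname:
        return parsed.hostname
    return None                                          # knownfolder:, C:\..., etc.

def is_internal(host: str, suffixes=(".corp.example",)) -> bool:
    """Private IPs, single-label names and hosts under the org's own suffixes are internal."""
    try:
        return ipaddress.ip_address(host).is_private   # covers RFC1918, loopback, link-local
    except ValueError:
        return "." not in host or host.lower().endswith(suffixes)

def suspicious_locations(xml_text: str) -> List[str]:
    """Every library location that would make Explorer authenticate to an external host."""
    hits = []
    for url in ET.fromstring(xml_text).iter(NS + "url"):
        host = remote_host(url.text or "")
        if host and not is_internal(host):
            hits.append(url.text.strip())
    return hits
```

A mail gateway or EDR triage script can quarantine any .library-ms attachment for which `suspicious_locations` returns a non-empty list; `.corp.example` stands in for the organisation's own DNS suffixes.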
The Check Point researchers [4]observed that stolen NTLM hashes were exfiltrated to a specific IP address: 159.196.128[.]120 – an address previously flagged by HarfangLab in January as linked to APT28, aka the Russia-backed Fancy Bear hacking group. However, there's no further information directly associating this IP with the group, the security shop notes.
By March 25, attackers were no longer relying solely on open ZIP archives and had begun emailing standalone .library-ms files directly to targets. According to Microsoft, this exploit can be triggered with minimal user interaction, such as selecting (single-clicking) or inspecting (right-clicking) the file.
That malware campaign quickly went international, with around 10 separate campaigns observed by March 25, all aimed at harvesting NTLMv2 hashes. The stolen credentials were sent to attacker-controlled SMB servers located in Russia, Bulgaria, the Netherlands, Australia, and Turkey.
"This rapid exploitation highlights the critical need for organizations to apply patches immediately and ensure that NTLM vulnerabilities are addressed in their environments," Check Point reported.
"The minimal user interaction required for the exploit to trigger and the ease with which attackers can gain access to NTLM hashes make it a significant threat, especially when such hashes can be used in pass-the-hash attacks." ®
[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24054
[2] https://www.theregister.com/2025/03/12/patch_tuesday/
[3] https://support.apple.com/en-us/122282
[4] https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/
Can be done faster than 8 days with a proper team.
"In the initial wave of attacks, phishing emails lured victims to download a Dropbox-hosted ZIP archive called xd.zip. Inside were four booby-trapped files, including a .library-ms file that exploited CVE-2025-24054. Simply unzipping the archive - or in some cases, just viewing the folder in Windows Explorer . . . "
Great Maker, there are still people that stupid to fall for such a thing? Will wonders never cease.
Two things are infinite: the universe and human stupidity; and I’m not sure about the universe
-Einstein
There will ALWAYS be people falling for that, or similar. But zero-click is more elegant, more expensive as well.
Of course. Financial institutions in the UK regularly train their users to click on things in unsolicited emails. It's reasonable to believe that the marketroids who send out this stuff will fall for it themselves.
..that Microsoft rated as "less likely" to be exploited. Attackers begged to differ and built malware that abused the bug,..
In what way are they begging to differ?
"Less likely" never has meant "will not happen" and nor does it imply anything about how long it will take for something to happen.
This is a salutary lesson about computer security and, possibly, the English language.
They were speaking "American", not English like the rest of the world. Poor Yankees can't even spell properly!
"American" means hearing or reading exactly what you want to hear, and facts be damned about what was actually said. If need be, engage selective hearing to only detect a soundbite out of a 5 minute monologue, and think that is the "meaning" of it all. Especially if doing otherwise involves a hard dose of reality dashing one's dreams and fantasies of power and control over the world.
I always hated ms-libraries
Adding another layer of "trust MS to pre-organize your whatever wherever", and hiding/clouding the actual place where the files reside.
And now it is another exploit path. Very well done MS-Marketing with weird ideas to add to the explorer rarely anyone finds useful but rather confusing.
Or does anyone know a useful way to use those libraries? I mean, for real?
We really need better tools than NirSoft to get rid of such crap. Official, to control all those weird explorer extensions in a transparent way globally - without relying on cloud of course.
Re: I always hated ms-libraries
I used to use one to merge the Windows-mandated Documents folder you can't avoid stuff ending up in or properly move, with my actual documents folder. Fight cruft with cruft.
(These days I've managed to largely ignore the former, whatever's in there sure as hell ain't my documents)
Re: I always hated ms-libraries
I created a separate "My Documents" since way too many programs and games clutter "My Documents" with crap. On my main computer over 100 folders with either games or programs believing they have to put their config files there. And let's not forget the "My Documents\EA games" (just one of many similar examples) with several sub-folders each. What did MS define %APPDATA% and %LOCALAPPDATA% for? To be ignored. Including MS-products ignoring it.
%appdata%
It's there to allow you to install apps that can't go elsewhere or need admin rights to install.
Only 8 days.
NTLM - Never Too Late, Microsoft