Full Report
PLUS: Navy spy sent to brig for 200 months; Black Axe busted again; Bill aims to crimp ICE apps; and more Infosec In Brief PLUS: Google’s security outfit Mandiant last week released tools that can crack credentials in 12 hours, in the hope that doing so will accelerate the death of an ancient Microsoft security protocol.…
Analysis Summary
# Tool/Technique: Net-NTLMv1 Rainbow Tables (Credential Cracking Enabler)
## Overview
This entry pertains not to a new piece of malware or a direct attack tool, but rather to a dataset (rainbow tables) released by Mandiant designed to facilitate the rapid cracking of credentials authenticated via the outdated and insecure Microsoft Net-NTLMv1 legacy authentication protocol. The purpose of releasing these tools is explicitly to force the deprecation of Net-NTLMv1 by demonstrating its critical vulnerability.
## Technical Details
- Type: Attack Tool / Technique Enabler (Dataset)
- Platform: Systems utilizing Net-NTLMv1 authentication (Windows/Microsoft environments)
- Capabilities: Allows for the decryption/recovery of Net-NTLMv1 hashes into plaintext credentials in under 12 hours using consumer hardware (costing under $600 USD).
- First Seen: The tools/dataset were released "last week" relative to the article date (Sun Jan 18 2026). The protocol itself is ancient (over 20 years old).
## MITRE ATT&CK Mapping
The capabilities enabled by cracking these credentials map primarily to credential access and defense evasion:
- **TA0006 - Credential Access**
- T1003 - OS Credential Dumping
- T1003.001 - LSASS Memory (If NTLM hashes are extracted from memory after capture)
- T1110 - Brute Force
- T1110.003 - Password Cracking (The pre-computation via rainbow tables is a form of high-speed offline brute-forcing)
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information (The pre-computed tables obscure the cracking process)
## Functionality
### Core Capabilities
- **Rapid Hash Recovery:** Enables users to recover plaintext credentials from captured Net-NTLMv1 hashes significantly faster than traditional online cracking methods.
- **Low Resource Requirement:** Can be executed effectively on consumer-grade hardware, lowering the barrier to entry for exploiting this weakness.
### Advanced Features
- **Rainbow Table Usage:** Leverages pre-computed tables specifically targeting the known weaknesses of the Net-NTLMv1 hashing scheme, allowing for near-instant lookup instead of iterative guessing.
## Indicators of Compromise
*(Note: Since this is a tool/dataset designed for defenders to test existing weak configurations, specific IoCs for the tool itself are publication details, not operational malware indicators. The key IoC is the configuration itself.)*
- File Hashes: Not specified for the released dataset/tables.
- File Names: Not specified.
- Registry Keys: Not applicable (Configuration issue).
- Network Indicators: Not applicable (Offline cracking capability).
- Behavioral Indicators: Successful recovery implies an attacker has access to captured Net-NTLMv1 exchange data (e.g., via a Man-in-the-Middle attack or sniffing network traffic).
## Associated Threat Actors
- This tool is explicitly released to **Security Professionals/Defenders**. If malicious actors utilize the same publicly released tables, any actor targeting unpatched/unmitigated environments relying on Net-NTLMv1 may leverage this technique.
## Detection Methods
Detection focuses on identifying the vulnerability rather than the cracking tool execution:
- **Signature-based detection:** Detecting Net-NTLMv1 challenge/response exchanges on the wire (where network monitoring inspects legacy authentication protocols).
- **Behavioral detection:** Monitoring for large-scale credential cracking attempts against captured hash sets.
- **Configuration Auditing:** Detecting systems configured to allow or require Net-NTLMv1 authentication.
## Mitigation Strategies
- **Prevention Measures:** Disabling the use of the Net-NTLMv1 protocol immediately across the environment.
- **Hardening Recommendations:** Migrating to more secure authentication protocols (e.g., NTLMv2, Kerberos, NTLM over HTTPS, or current domain authentication standards).
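As an added, defender-side illustration of the configuration-auditing and detection items above (not code from the article or from Mandiant's release), the following Python flags NTLMv1 logons in a constructed text export of Windows Security event 4624 records and grades an LmCompatibilityLevel registry value; the flattened event layout and the sample accounts and hosts are assumptions.

```python
"""Audit for Net-NTLMv1 exposure: NTLM V1 logons in event 4624 text, plus
an LmCompatibilityLevel grade (HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa)."""
import re
from dataclasses import dataclass

# Constructed sample export of Security events (not real log data):
# one Kerberos logon, one NTLMv1 logon, one NTLMv2 logon, one failed (4625) NTLMv1.
SAMPLE_EVENTS = """
EventID: 4624  Account Name: alice  Workstation Name: WS01  Authentication Package: Kerberos  Package Name (NTLM only): -
EventID: 4624  Account Name: svc_backup  Workstation Name: FS02  Authentication Package: NTLM  Package Name (NTLM only): NTLM V1
EventID: 4624  Account Name: bob  Workstation Name: WS07  Authentication Package: NTLM  Package Name (NTLM only): NTLM V2
EventID: 4625  Account Name: eve  Workstation Name: WS09  Authentication Package: NTLM  Package Name (NTLM only): NTLM V1
"""

# Assumed flattened layout: field "Package Name (NTLM only)" carries "NTLM V1" / "NTLM V2" / "-".
EVENT_RE = re.compile(
    r"EventID:\s*(?P<id>\d+).*?Account Name:\s*(?P<user>\S+).*?"
    r"Workstation Name:\s*(?P<host>\S+).*?Package Name \(NTLM only\):\s*(?P<pkg>NTLM V\d|-)"
)

@dataclass(frozen=True)
class NtlmV1Logon:
    user: str
    host: str

def find_ntlmv1_logons(event_text: str) -> list[NtlmV1Logon]:
    """Return successful logons (event 4624) that negotiated NTLM V1."""
    hits = []
    for line in event_text.splitlines():
        m = EVENT_RE.search(line)
        if m and m["id"] == "4624" and m["pkg"] == "NTLM V1":
            hits.append(NtlmV1Logon(m["user"], m["host"]))
    return hits

# Documented LmCompatibilityLevel values 0-5: 0-2 clients still send LM/NTLMv1
# responses; 3-4 clients send NTLMv2 only but DCs still accept NTLMv1;
# 5 means DCs refuse LM and NTLMv1 entirely.
def grade_lm_compatibility(level: int) -> str:
    if not 0 <= level <= 5:
        raise ValueError("LmCompatibilityLevel must be 0..5")
    if level <= 2:
        return "weak: clients may send NTLMv1"
    if level <= 4:
        return "partial: clients send NTLMv2 but DC still accepts NTLMv1"
    return "hardened: NTLMv1 refused"

if __name__ == "__main__":
    for hit in find_ntlmv1_logons(SAMPLE_EVENTS):
        print(f"NTLMv1 logon: {hit.user} from {hit.host}")
    print(grade_lm_compatibility(5))
```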
## Related Tools/Techniques
- NTLM Relay Attacks (often used to capture the initial Net-NTLMv1 challenge/response).
- Hashcat or John the Ripper configured for NTLM cracking (though the Mandiant release offers a potentially faster, pre-computed method for the specific legacy version).
---
# Tool/Technique: Hacking US Supreme Court Filing System (Unauthorized Access)
## Overview
This refers to the activity of Nicholas Moore, who pleaded guilty to illegally accessing the US Supreme Court's Electronic Document Filing System (the SCOTUS substitute for PACER) over a 25-day period in 2023. The intent has not been fully detailed publicly; unauthorized access of this kind is often associated with credential theft or data exfiltration in similar high-profile cases.
## Technical Details
- Type: Technique (Unauthorized Access/Hacking)
- Platform: US Supreme Court Electronic Document Filing System (Likely Windows/Web-based infrastructure for PACER/e-filing).
- Capabilities: Gaining unauthorized access to a federal electronic records system.
- First Seen: 2023 (Attack timeframe).
## MITRE ATT&CK Mapping
This activity clearly maps to initial access and persistence within an external network system:
- **TA0001 - Initial Access**
- T1190 - Exploit Public-Facing Application (If leveraging a known vulnerability in the filing app)
- **TA0003 - Persistence**
- T1550 - Use Alternate Authentication Material (If stolen credentials were used to maintain access)
- **TA0009 - Collection**
- T1119 - Document from Information Repositories
## Functionality
### Core Capabilities
- Unauthorized time spent inside the targeted electronic filing system (25 days).
### Advanced Features
- The article suggests the system being targeted is "decades-old," implying potential exploitation of legacy application flaws or common web weaknesses.
## Indicators of Compromise
- File Hashes: Not applicable (Activity-based report).
- File Names: Not applicable.
- Registry Keys: Not applicable.
- Network Indicators: Access originated from Springfield, Tennessee (associated with the perpetrator, Nicholas Moore).
- Behavioral Indicators: Sustained, unauthorized electronic access to the SCOTUS filing portal over multiple days.
## Associated Threat Actors
- Nicholas Moore (Individual cybercriminal).
## Detection Methods
- Monitoring authenticated sessions against the electronic filing system for unusual IP addresses, geographic anomalies, or unusual query patterns during off-hours.
- Web Application Firewalls (WAF) monitoring for exploit payloads targeting the filing system application.
## Mitigation Strategies
- **Prevention Measures:** Implementing strong access controls, mandatory multi-factor authentication (MFA) for all filing system access, and rigorous patching/modernization of court IT systems.
- **Hardening Recommendations:** Principle of Least Privilege applied strictly to all third-party/public-facing filing applications.
## Related Tools/Techniques
- Unauthorized Access to Government Systems (Specific case study).
- **Related Incident Mentioned:** Attacks on the PACER system by supposed Russian actors (suggests similar TTPs involving exploitation of older federal systems).
---
# Tool/Technique: Black Axe Cyber-Enabled Fraud Operations
## Overview
The Black Axe is a Nigeria-based transnational organized crime syndicate known for engaging in various criminal activities, including cyber-enabled fraud, trafficking, and extortion. Recent action by Interpol resulted in 34 arrests in Spain, targeting members of the group's core operations.
## Technical Details
- Type: Organized Crime Syndicate/Threat Actor Group (Utilizing various TTPs)
- Platform: Global/Virtual (Cyber operations are platform agnostic)
- Capabilities: Cyber-enabled fraud, drug trafficking, human trafficking, armed robbery.
- First Seen: Active for years prior to the 2024 arrests.
## MITRE ATT&CK Mapping
As a multifaceted group, their TTPs are broad, centering on financial compromise and social engineering:
- **TA0001 - Initial Access**
- T1566 - Phishing (Likely used extensively for fraud schemes, e.g., Business Email Compromise)
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol
- **TA0010 - Collection/Exfiltration**
- T1041 - Exfiltration Over C2 Channel (Related to BEC/Fraud proceeds)
## Functionality
### Core Capabilities
- Execution of cyber-enabled financial fraud schemes.
- Cross-border operational capabilities (evidenced by arrests across Nigeria and Spain).
### Advanced Features
- Blending virtual crime (fraud) with physical criminal operations (trafficking, robbery).
## Indicators of Compromise
- File Hashes: Not specified (Group-level activity).
- File Names: Not specified.
- Registry Keys: Not applicable.
- Network Indicators: Operations span multiple jurisdictions; specific C2 infrastructure is not detailed in the context.
- Behavioral Indicators: Transactions indicative of large-scale fraud or money laundering stemming from cyber incidents.
## Associated Threat Actors
- Black Axe (Crime Syndicate).
## Detection Methods
Detection relies on identifying the specific fraud/scam mechanisms employed (e.g., BEC monitoring for associated communication patterns).
## Mitigation Strategies
- **Prevention Measures:** Due diligence in financial transactions (especially international wires), strong email security controls, and user education regarding social engineering common to romance or advance-fee scams often associated with these groups.
- **Hardening Recommendations:** Multi-layered security monitoring for anomalous financial flows.
## Related Tools/Techniques
- Other Nigerian Organized Crime groups utilizing similar cyber fraud vectors.