February 21, 2024
Outlook Vulnerability Exploited by Hackers - Microsoft Warns

Microsoft recently released a patch for Outlook vulnerability CVE-2023-23397, which has been actively exploited for almost an entire year. The high severity score of CVSS 9.8 of the Microsoft Outlook CVE-2023-23397 vulnerability has caused considerable concern.

It impacts Outlook 2013 SP1 and all of the Microsoft 365 enterprise apps. A hacking group associated with Russia’s GRU military intelligence agency has become aware of this exploit and is using it to target various European organizations in the energy, transportation, government, and military sectors.

Businesses must act fast to patch Outlook software and put safeguards in place to find out if they have been compromised. Just blocking port 445 on the internet is insufficient, since companies might already be compromised.

Stealing the Net-NTLM hash

With the help of CVE-2023-23397, an attacker can take over the victim’s identity and gain further access to the organization by stealing the Net-NTLM hash from them.

The attacker steals the Net-NTLM hash by tricking the victim into accessing a UNC path \\Attacker_IP_Address. Since this mechanism is a feature that facilitates communication between Windows machines, the “leaking” of the Net-NTLM hash is neither new nor regarded as a vulnerability in and of itself.

The more secure Machines within the same domain usually use Kerberos authentication. Nevertheless, in situations where a user wishes to communicate with a machine that is part of a different domain or that is only identifiable by its IP address, Kerberos authentication will not function. As a result, the user will automatically have their Net-NTLM hashes sent to the destination and their authentication type downgraded from Kerberos to NTLM.

For example, when a user tries to access any of the following UNC paths, an attacker will receive the Net-NTLM hash.

Attacker IP address \\

Hacker hostname.In_another_domain

How does one exploit CVE-2023-23397?

The impact of a successful Net-NTLM-based attack is equal to that of CVE-2023-23397. Every attack path involves the attacker sending the victim a malicious email, which prompts the victim’s computer to send the attacker their Net-NTLM hash. Following the victim’s theft of the Net-NTLM hash, the attacker may carry out one of the two attacks outlined in the slides:

1. By sending the privileged user’s Net-NTLM to the domain server, the attacker in attack path could obtain high-privilege access to the Windows domain server of interest. This could be accomplished by focusing on a privileged user and sending their Net-NTLM hash to a network employee’s pre-compromised machine. The NTLM-Relay attack is another name for this.

2. Using offline password cracking, the attacker in attack path 2 could try to extract the password from the compromised Net-NTLM hash. This would enable the attacker to enter the company’s network via a VPN and move laterally from asset to asset. Because an identity provider (i.e., Domain Controller) could synchronize and centrally manage the password for every service that the victim has access to, this could work. This attack path will be less likely with multi-factor authentication (MFA).

3. The same password recovery method from attack path 2 would be applied in attack path 3, enabling the attacker to access the victim’s cloud account. The attack could then carry out cloud-based attacks and keep looking for important information or secrets kept there. Additionally, MFA will lessen the likelihood of this attack path.

Microsoft Alerts Users to Kremlin-Backed APT28 Taking Advantage of a Serious Outlook Vulnerability

Microsoft said on Monday that it had discovered nation-state activity backed by the Kremlin that was taking advantage of a serious security vulnerability in its Outlook email service that has since been fixed to allow unauthorized access to victims’ Exchange server accounts.

The tech giant identified Forest Blizzard (formerly Strontium) as the threat actor responsible for the intrusions. This actor is also known by the tracking IDs APT28, BlueDelta, Fancy Bear, FROZENLAKE, Iron Twilight, Sednit, Sofacy, and TA422.

CVE-2023-23397 (CVSS score: 9.8) is the security vulnerability under consideration. It is a critical privilege escalation bug that could provide an adversary access to a user’s Net-NTLMv2 hash, which could subsequently be used to launch a relay attack against another service in order to authenticate as the user. Microsoft released a patch for it in March 2023.

Pursuing unapproved access to mailboxes owned by both public and private organizations in the nation is the aim, as stated by the Polish Cyber Command (DKWOC).

“In the next stage of malicious activity, the adversary modifies folder permissions within the victim’s mailbox,” DKWOC stated. “In most cases, the modifications are to change the default permissions of the ‘Default’ group (all authenticated users in the Exchange organization) from ‘None’ to ‘Owner.'”

By doing this, the threat actor can obtain important data from high-value targets by allowing any authenticated individual within the organisation to read the contents of mailbox folders that have been granted this permission.

“It should be emphasized that the introduction of such modifications allows for the maintenance of unauthorized access to the contents of the mailbox even after losing direct access to it,” DKWOC stated.

Prior to April 2022, Microsoft revealed that threat actors based in Russia had been using the security flaw as a zero-day attack vector to target the European government, transportation, energy, and military sectors.

Afterward, in June 2023, cybersecurity company Recorded Future disclosed specifics of a spear-phishing campaign run by APT28 that took advantage of several flaws in the open-source Roundcube webmail program. The campaign coincides with actions that use the Microsoft Outlook vulnerability, the company noted.

Using vulnerabilities such as CVE-2023-23397, the hacking group has been targeting government agencies, corporations, academic institutions, research centers, and think tanks since the second half of 2021, according to a report released by the National Cybersecurity Agency of France (ANSSI) in late October.

Unit 26165 of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), the Ministry of Defense’s foreign intelligence branch, is thought to be connected to the state-sponsored organization.

The exploit of the WinRAR vulnerability (CVE-2023-38831) to obtain browser login credentials through the use of a PowerShell script called IRONJAW, as well as attacks on multiple organizations in France and Ukraine, have also been linked to it in recent months.

According to an independent analysis, the cybersecurity firm Proofpoint reported seeing large-scale phishing campaigns in late March and September 2023 that targeted users in North America and Europe with CVE-2023-38831 and CVE-2023-23397, respectively.

“It’s unclear if the quantity of emails – more than 10,000 total since August 2023 – has been a tactical decision or an operator error,” said Proofpoint senior threat researcher Greg Lesnewich told. “Their actions indicate that they seek to discover easily exploitable networks that have a strategic interest to the adversary.”

“Regardless, the payloads, tactics, and techniques used in these campaigns reflect TA422’s ultimate shift away from compiled malware for persistent access on targeted networks to lighter-weight, credential-oriented access.”

“Forest Blizzard continually refines its footprint by employing new custom techniques and malware, suggesting that it is a well-resourced and well-trained group posing long-term challenges to attribution and tracking its activities,” said Microsoft.

Microsoft Outlook’s widespread use in business settings presents a lucrative avenue for attack, positioning it as “one of the critical ‘gateways’ responsible for introducing various cyber threats into organizations,” according to Check Point, which outlined the ways in which malicious actors could exploit the service to distribute their exploits.

This development coincides with The Guardian’s report from 2015 claiming that hacking teams connected to China and Russia were able to infiltrate the UK’s Sellafield nuclear waste site and install “sleeper malware.” On the other hand, the British government reported that it could find no proof that its networks had been “successfully attacked by state actors.”

Leave a Reply

Your email address will not be published. Required fields are marked *