Microsoft has patched a zero-day Outlook vulnerability (CVE-2023-23397) exploited by a hacking group linked to the Russian military intelligence service GRU to target European organizations.
The security flaw was exploited in attacks that targeted and breached the networks of fewer than 15 government, military, energy, and transportation organizations between mid-April and December 2022.
The hacking group (tracked as APT28, STRONTIUM, Sednit, Sofacy, and Fancy Bear) sent malicious Outlook notes and tasks that forced the targets' devices to authenticate to attacker-controlled SMB shares, capturing the NTLM authentication (handshake) messages and the NTLM hashes they carry.
The stolen credentials were used for lateral movement within victims’ networks and to change Outlook mailbox folder permissions, a tactic allowing email exfiltration for specific accounts.
Microsoft has shared this information in a private threat analysis report seen by BleepingComputer and available to customers with Microsoft 365 Defender, Microsoft Defender for Business, or Microsoft Defender for Endpoint Plan 2 subscriptions.
Critical EoP in Outlook for Windows
The vulnerability (CVE-2023-23397) was reported by CERT-UA (the Computer Emergency Response Team of Ukraine). It is a critical Outlook elevation-of-privilege flaw that can be exploited in low-complexity attacks without any user interaction.
Attackers can exploit it by sending messages whose extended MAPI properties (specifically the reminder sound file property, PidLidReminderFileParameter) contain a UNC path to an SMB share (TCP 445) under their control; Outlook resolves that path when it processes the item's reminder, without the user opening the message.
“The attacker could exploit this vulnerability by sending a specially crafted email that automatically triggers when retrieved and processed by the Outlook client. This could lead to exploitation BEFORE the email is displayed in preview pane,” Microsoft said in a security advisory published today.
“Connecting to the remote SMB server sends the user’s NTLM handshake message, which the attacker can then relay to authenticate to other systems that support NTLM authentication,” Redmond added in a separate blog post.
CVE-2023-23397 affects all supported versions of Microsoft Outlook for Windows, but does not affect versions of Outlook for Android, iOS, or macOS.
Additionally, online services such as Outlook on the web and Microsoft 365 do not support NTLM authentication, so they are not vulnerable to this NTLM relay attack.
Microsoft recommends patching CVE-2023-23397 immediately to thwart incoming attacks.
Where the fix cannot be applied right away, the company advises adding users to the Protected Users group in Active Directory (members of that group cannot authenticate with NTLM, so a coerced connection yields nothing to relay) and blocking outbound SMB (TCP port 445) at the perimeter firewall, local firewall, or VPN so the Outlook client cannot reach an attacker-controlled share. Both steps limit the impact of CVE-2023-23397 but do not remove the flaw.
Mitigation and targeting detection script available
Microsoft urges customers to patch their systems against CVE-2023-23397 immediately, or, until they can, to add users to the Protected Users group in Active Directory and block outbound SMB (TCP port 445) as a temporary mitigation that minimizes the impact of the attacks.
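The two interim mitigations above, applied and verified from PowerShell on a domain-joined Windows host. This is an added example written for this page, not a Microsoft script and not the page's own code; it assumes the ActiveDirectory RSAT module and the built-in NetSecurity module are available, the account names and the rule name are constructed, and the use of the `Internet` remote-address keyword is an assumption about how Network Location Awareness classifies hosts on your network.

```powershell
# Added example (not from the page and not a Microsoft script): apply and
# verify the two interim mitigations for CVE-2023-23397 on a domain-joined
# Windows host. Assumes the ActiveDirectory RSAT module and the built-in
# NetSecurity module; account names and the rule name are constructed.

#Requires -RunAsAdministrator

$RuleName = 'Block outbound SMB - CVE-2023-23397 interim mitigation'

function Add-ToProtectedUsers {
    param([Parameter(Mandatory)][string[]]$SamAccountName)
    # Protected Users cannot authenticate with NTLM at all, so even a coerced
    # SMB connection yields nothing an attacker can relay. Caveat: membership
    # also disables cached logons, Kerberos DES/RC4 and delegation, so start
    # with high-value accounts and test before rolling it out widely.
    Import-Module ActiveDirectory
    Add-ADGroupMember -Identity 'Protected Users' -Members $SamAccountName
}

function Block-OutboundSmb {
    # Host-level complement to the perimeter/VPN rule Microsoft recommends.
    # The 'Internet' keyword (assumption: resolved by Network Location
    # Awareness) keeps domain file shares reachable; blocking TCP 445 to Any
    # would also break SYSVOL access and Group Policy processing.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Protocol TCP `
            -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
}

function Test-Cve202323397Mitigations {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # One object per account, so the result can be exported or alerted on.
    $members = Get-ADGroupMember -Identity 'Protected Users' |
        Select-Object -ExpandProperty SamAccountName
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Account            = $SamAccountName
        InProtectedUsers   = ($members -contains $SamAccountName)
        OutboundSmbBlocked = ($null -ne $rule -and $rule.Enabled -eq 'True' -and $rule.Action -eq 'Block')
        Note               = 'Interim only: patch Outlook for Windows, then remove the block rule'
    }
}

# Usage with constructed account names:
Add-ToProtectedUsers -SamAccountName 'j.doe', 'svc-finance'
Block-OutboundSmb
'j.doe', 'svc-finance' |
    ForEach-Object { Test-Cve202323397Mitigations -SamAccountName $_ } |
    Format-Table -AutoSize
```

Run it from an elevated session on a host with RSAT installed; the verification function reports `InProtectedUsers` and `OutboundSmbBlocked` per account so the interim state can be tracked until the Outlook update is deployed, after which the firewall rule should be removed with `Remove-NetFirewallRule -DisplayName $RuleName`.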
Microsoft has also released a dedicated PowerShell script that lets administrators check whether any users in their Exchange environment have been targeted through this Outlook vulnerability.
It “checks Exchange mail items (mail, calendar, and tasks) to see if any property is populated with a UNC path”, Microsoft said.
“If needed, admins can use this script to clean the property of malicious items or even delete items permanently.”
When run in cleaning mode, the script can also modify or permanently delete any potentially malicious messages it finds on the audited Exchange server.
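The check Microsoft's script performs (is an item's reminder property a UNC path?) and the exploit mechanism described earlier, as an added example that is not Microsoft's script and not code from the page: a standalone classifier for the property value, plus a client-side scan of the local Outlook profile through the Outlook COM object. The DASL property name is the standard MAPI identifier for PidLidReminderFileParameter; the trusted-host list, the `Find-SuspiciousReminderItems` function name and all sample values are constructed assumptions. Unlike Microsoft's script, which runs server-side against Exchange, this scan only covers the mailbox of the signed-in Outlook profile.

```powershell
# Added example, not Microsoft's CVE-2023-23397 script: classify the value of an
# item's reminder sound property the way a triage script would, and optionally
# scan the local Outlook profile via COM. Sample values below are constructed;
# the trusted-host list is an assumption to adapt to your environment.

function Get-UncPathVerdict {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Value,
        [string[]]$TrustedHosts = @()
    )
    $verdict = [pscustomobject]@{
        Value = $Value; IsUnc = $false; RemoteHost = $null; Suspicious = $false; Reason = 'not a UNC path'
    }
    if ([string]::IsNullOrWhiteSpace($Value)) { $verdict.Reason = 'empty'; return $verdict }

    # Match \\host\share..., plus the WebDAV forms \\host@80\... and
    # \\host@SSL@443\... that the redirector also resolves. Forward slashes
    # are normalised first because Windows accepts //host/share as UNC.
    $normalized = $Value -replace '/', '\'
    if ($normalized -match '^\\\\([^\\@]+)(?:@[^\\]*)?(?:\\|$)') {
        $verdict.IsUnc = $true
        $verdict.RemoteHost = $Matches[1]
        if ($TrustedHosts -contains $verdict.RemoteHost) {
            $verdict.Reason = 'UNC path to a trusted internal host'
        } else {
            # A legitimate reminder sound is a local file; any unrecognised
            # host, and any raw IP address, is a reason to pull the item.
            $verdict.Suspicious = $true
            $verdict.Reason = "UNC path to untrusted host '$($verdict.RemoteHost)'"
        }
    }
    return $verdict
}

function Find-SuspiciousReminderItems {
    param([string[]]$TrustedHosts = @())
    # PidLidReminderFileParameter: property set PSETID_Common, LID 0x851F,
    # Unicode string (type 001F), written as the DASL name PropertyAccessor expects.
    $dasl = 'http://schemas.microsoft.com/mapi/id/{00062008-0000-0000-C000-000000000046}/851F001F'
    $outlook = New-Object -ComObject Outlook.Application
    $mapi = $outlook.GetNamespace('MAPI')
    # OlDefaultFolders: 6 = Inbox, 9 = Calendar, 13 = Tasks (the item types the script covers)
    foreach ($folderId in 6, 9, 13) {
        $folder = $mapi.GetDefaultFolder($folderId)
        foreach ($item in $folder.Items) {
            try { $raw = $item.PropertyAccessor.GetProperty($dasl) } catch { continue }  # property not set
            $verdict = Get-UncPathVerdict -Value ([string]$raw) -TrustedHosts $TrustedHosts
            if ($verdict.Suspicious) {
                [pscustomobject]@{
                    Folder = $folder.Name; Subject = $item.Subject
                    Path = $verdict.Value; RemoteHost = $verdict.RemoteHost
                }
            }
        }
    }
}

# Self-check on constructed values (203.0.113.0/24 is a documentation range).
$samples = @(
    '\\203.0.113.7\media\reminder.wav',   # UNC to an unknown host: suspicious
    '\\203.0.113.7@80\dav\reminder.wav',  # WebDAV-style UNC: suspicious
    '\\fileserver01\sounds\chime.wav',    # trusted internal host: UNC, not flagged
    'C:\Windows\Media\chimes.wav',        # local path, the only legitimate form
    ''                                    # property present but empty
)
$samples |
    ForEach-Object { Get-UncPathVerdict -Value $_ -TrustedHosts 'fileserver01' } |
    Format-Table Value, IsUnc, RemoteHost, Suspicious, Reason -AutoSize

# Against the live profile (requires Outlook installed and a configured profile):
# Find-SuspiciousReminderItems -TrustedHosts 'fileserver01' | Format-Table -AutoSize
```

The classifier treats any UNC path as a finding unless its host is on an explicit allow list, because a reminder sound has no legitimate reason to live on a remote share, and it also catches the `host@port` WebDAV spelling that the Windows redirector resolves the same way. The COM scan reads the property through Outlook on a workstation and is a triage aid for a single mailbox; for fleet-wide coverage and for cleaning or deleting items, use Microsoft's Exchange-side script.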