Microsoft has patched a zero-day Outlook vulnerability (CVE-2023-23397) that was used by a hacking group affiliated with Russia’s GRU to target organizations in Europe.
Between mid-April and December 2022, the security flaw was used in attacks to target and breach the networks of fewer than 15 organizations in the fields of transportation, energy, the military, and government.
The hacking group (tracked as APT28, STRONTIUM, Sednit, Sofacy, and Fancy Bear) sent malicious Outlook notes and tasks to steal NTLM hashes through NTLM negotiation requests, forcing the targets' devices to authenticate to attacker-controlled SMB shares.
The stolen credentials were then used to change Outlook mailbox folder permissions and to move laterally within the victims' networks, enabling email exfiltration from specific accounts.
This information was made available to customers who subscribe to Microsoft 365 Defender, Microsoft Defender for Business, or Microsoft Defender for Endpoint Plan 2 in a private threat analytics report that BleepingComputer was able to access.
The Computer Emergency Response Team for Ukraine (CERT-UA) reported the critical Outlook elevation of privilege security flaw (CVE-2023-23397), which can be exploited in low-complexity attacks that require no user interaction.
By sending messages with extended MAPI properties that contain UNC paths to an SMB share (TCP 445) under their control, threat actors can take advantage of this vulnerability.
“By sending a specially crafted email that triggers automatically when it is retrieved and processed by the Outlook client, the attacker could take advantage of this vulnerability,” Microsoft states in a security advisory released today. “This could result in exploitation BEFORE the email is viewed in the Preview Pane.”
Redmond elaborates in a separate blog post, “The connection to the remote SMB server sends the user’s NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication.”
All supported versions of Microsoft Outlook for Windows are affected by CVE-2023-23397; however, versions of Outlook for Android, iOS, or macOS are unaffected.
Additionally, because they do not support NTLM authentication, online services like Outlook on the web and Microsoft 365 are immune to attacks that take advantage of this NTLM relay vulnerability.
Microsoft suggests patching CVE-2023-23397 right away to close the vulnerability and prevent further attacks.
If patching is not immediately possible, the company also suggests adding users to the Protected Users group in Active Directory (which stops those accounts from authenticating with NTLM at all) and blocking outbound SMB (TCP port 445) to lessen the impact of CVE-2023-23397.
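The two interim mitigations above, applied and verified from PowerShell. This is an added example, not Microsoft's own code; it assumes the ActiveDirectory (RSAT) and NetSecurity modules are installed, that the caller can change group membership and the local firewall, and the account names used in the usage lines are constructed.

```powershell
# Added example, not Microsoft's code: applies and verifies the two interim
# mitigations named above (Protected Users membership and an outbound TCP 445
# block). Assumes the ActiveDirectory (RSAT) and NetSecurity modules are
# present and the caller has the rights to change group membership and the
# local firewall. User names in the usage lines are constructed sample values.
#Requires -Modules ActiveDirectory, NetSecurity

function Add-ProtectedUser {
    param([Parameter(Mandatory)][string[]]$SamAccountName)

    # Protected Users removes NTLM for its members entirely (and DES/RC4,
    # delegation, and TGT lifetimes beyond 4 hours). That is what defeats the
    # relay, but it also breaks any account that still needs NTLM: skip
    # accounts that carry an SPN, which usually marks a service account.
    $current = Get-ADGroupMember -Identity 'Protected Users' |
        Select-Object -ExpandProperty SamAccountName
    foreach ($sam in $SamAccountName) {
        $user = Get-ADUser -Identity $sam -Properties servicePrincipalName
        if ($user.servicePrincipalName) {
            Write-Warning "$sam carries an SPN; not adding it to Protected Users"
            continue
        }
        if ($current -contains $sam) { continue }
        Add-ADGroupMember -Identity 'Protected Users' -Members $user
    }
}

# Public IPv4 space with RFC 1918, loopback and link-local carved out.
# Windows Firewall evaluates block rules before allow rules, so a blanket
# block cannot be punched through afterwards with an allow rule; the block
# itself has to be scoped. Other reserved ranges are treated as "public"
# here, which errs on the side of blocking.
$script:NonPrivateV4 = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-126.255.255.255',
    '128.0.0.0-169.253.255.255',
    '169.255.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)

$script:RuleName = 'CVE-2023-23397 mitigation: block outbound SMB'

function Set-OutboundSmbBlock {
    param(
        # Default: block all outbound 445, as Microsoft suggests. With
        # -InternetOnly, keep internal (RFC 1918) file servers reachable and
        # block only destinations outside private address space.
        [switch]$InternetOnly
    )
    if (Get-NetFirewallRule -DisplayName $script:RuleName -ErrorAction SilentlyContinue) {
        Remove-NetFirewallRule -DisplayName $script:RuleName
    }
    $rule = @{
        DisplayName = $script:RuleName
        Direction   = 'Outbound'
        Protocol    = 'TCP'
        RemotePort  = 445
        Action      = 'Block'
        Profile     = 'Any'
        Enabled     = 'True'
    }
    if ($InternetOnly) { $rule['RemoteAddress'] = $script:NonPrivateV4 }
    New-NetFirewallRule @rule | Out-Null
}

function Test-OutboundSmbBlocked {
    # Returns $true only if the block rule exists, is enabled and still blocks.
    $r = Get-NetFirewallRule -DisplayName $script:RuleName -ErrorAction SilentlyContinue
    return [bool]($r -and $r.Enabled -eq 'True' -and $r.Action -eq 'Block')
}

# Usage (constructed account names):
Add-ProtectedUser -SamAccountName 'a.jones', 'b.smith'
Set-OutboundSmbBlock -InternetOnly
Test-OutboundSmbBlocked
```

Of the two, the Protected Users change is the stronger: blocking port 445 only covers SMB, while a UNC path can also be served over WebDAV through the WebClient service, so the firewall rule alone does not stop every path the crafted message can point at.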
Additionally, Redmond released a PowerShell script to help administrators determine whether any users in their Exchange environment have been targeted through this Outlook vulnerability.
According to Microsoft, it “checks Exchange messaging items (mail, calendar, and tasks) to see if a property is populated with a UNC path.”
“Admins can use this script to clean the property or even permanently delete malicious items if necessary.”
Run in Cleanup mode, the script can modify or delete the flagged messages on the audited Exchange Server.
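The core of that check, the test for a property populated with a UNC path, written out against a constructed set of messaging items. This is an added example, not Microsoft's script: it assumes the property in question is the reminder sound file path (PidLidReminderFileParameter), which this page does not name, and it only reports; the hosts, mailboxes and paths in the sample are made up.

```powershell
# Added example, not Microsoft's CVE-2023-23397 script: the UNC-path check at
# the heart of that script, run over a constructed set of messaging items.
# Assumption: the property that carries the path is the reminder sound file
# path (PidLidReminderFileParameter); the page does not name it. This version
# reports only; it does not clean or delete anything.

function Get-UncHost {
    # Returns the host named in a UNC path, or $null if the value is not one.
    param([AllowNull()][string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { return $null }
    # Accept \\host\share, //host/share and the long form \\?\UNC\host\share.
    if ($Value -match '^(?:\\\\\?\\UNC\\|[\\/]{2})(?<host>[^\\/]+)[\\/]') {
        return $Matches['host']
    }
    return $null
}

function Test-SuspiciousUncPath {
    # A reminder path that points at any host not on the trusted list is
    # flagged: an attacker can use a raw IP or a public DNS name, and a
    # reminder sound has no business living on a share you do not own.
    param(
        [AllowNull()][string]$Value,
        [string[]]$TrustedHosts = @()
    )
    $h = Get-UncHost $Value
    if (-not $h) { return $false }
    return -not ($TrustedHosts -contains $h)
}

function Find-SuspiciousItems {
    # Items are objects with Mailbox, ItemType, Subject and
    # ReminderFileParameter, i.e. the shape an EWS query of the property
    # would be mapped into.
    param(
        [Parameter(Mandatory)][object[]]$Items,
        [string[]]$TrustedHosts = @()
    )
    foreach ($item in $Items) {
        if (Test-SuspiciousUncPath -Value $item.ReminderFileParameter -TrustedHosts $TrustedHosts) {
            [pscustomobject]@{
                Mailbox  = $item.Mailbox
                ItemType = $item.ItemType
                Subject  = $item.Subject
                Host     = Get-UncHost $item.ReminderFileParameter
                Path     = $item.ReminderFileParameter
            }
        }
    }
}

# Constructed sample items; none of these values comes from a real incident.
$sample = @(
    [pscustomobject]@{ Mailbox = 'alice@corp.example'; ItemType = 'Appointment'; Subject = 'Planning'; ReminderFileParameter = $null }
    [pscustomobject]@{ Mailbox = 'alice@corp.example'; ItemType = 'Task';        Subject = 'Invoice';  ReminderFileParameter = '\\203.0.113.7\s\x.wav' }
    [pscustomobject]@{ Mailbox = 'bob@corp.example';   ItemType = 'Appointment'; Subject = 'Standup';  ReminderFileParameter = '\\fs01.corp.example\media\chime.wav' }
    [pscustomobject]@{ Mailbox = 'bob@corp.example';   ItemType = 'Mail';        Subject = 'Reminder'; ReminderFileParameter = '\\?\UNC\attacker.example\share\a.wav' }
    [pscustomobject]@{ Mailbox = 'carol@corp.example'; ItemType = 'Appointment'; Subject = 'Local';    ReminderFileParameter = 'C:\Windows\Media\chimes.wav' }
)

# Flags the 203.0.113.7 task and the attacker.example mail; the local file
# and the trusted internal file server pass.
Find-SuspiciousItems -Items $sample -TrustedHosts 'fs01.corp.example' | Format-Table -AutoSize
```

Treat the trusted-host list as a false-positive filter, not a security boundary: a path to an internal host you do own still merits a look if the mailbox owner never set a custom reminder sound.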