Microsoft has patched an Outlook zero-day vulnerability (CVE-2023-23397) exploited by a hacking group linked to Russia’s military intelligence service GRU to target European organizations.
The security vulnerability was exploited in attacks to target and breach the networks of fewer than 15 government, military, energy, and transportation organizations between mid-April and December 2022.
The hacking group (tracked as APT28, STRONTIUM, Sednit, Sofacy, and Fancy Bear) sent malicious Outlook notes and tasks to steal NTLM hashes via NTLM negotiation requests by forcing the targets’ devices to authenticate to attacker-controlled SMB shares.
The stolen credentials were used for lateral movement within the victims’ networks and to change Outlook mailbox folder permissions, a tactic allowing email exfiltration for specific accounts.
Microsoft shared this information in a private threat analytics report seen by BleepingComputer and available to customers with Microsoft 365 Defender, Microsoft Defender for Business, or Microsoft Defender for Endpoint Plan 2 subscriptions.
Critical EoP in Outlook for Windows
The vulnerability (CVE-2023-23397) was reported by CERT-UA (the Computer Emergency Response Team for Ukraine), and it is a critical Outlook elevation of privilege security flaw exploitable without user interaction in low-complexity attacks.
Threat actors can exploit it by sending messages with extended MAPI properties containing UNC paths to an SMB share (TCP 445) under their control.
“The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation BEFORE the email is viewed in the Preview Pane,” Microsoft says in a security advisory published today.
“The connection to the remote SMB server sends the user’s NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication,” Redmond adds in a separate blog post.
CVE-2023-23397 affects all supported versions of Microsoft Outlook for Windows but does not affect Outlook for Android, iOS, or macOS.
Additionally, since online services like Outlook on the web and Microsoft 365 don’t support NTLM authentication, they are not vulnerable to attacks exploiting this NTLM relay vulnerability.
Microsoft recommends immediately patching CVE-2023-23397 to mitigate this vulnerability and thwart any incoming attacks.
The company also advises adding users to the Protected Users group in Active Directory and blocking outbound SMB (TCP port 445) if patching is not immediately possible, which might limit the impact of CVE-2023-23397.
Mitigation and targeting detection script available
Microsoft urges customers to immediately patch their systems against CVE-2023-23397 or add users to the Protected Users group in Active Directory and block outbound SMB (TCP port 445) as a temporary mitigation to minimize the impact of the attacks.
Redmond also released a dedicated PowerShell script to help admins check if any users in their Exchange environment have been targeted using this Outlook vulnerability.
It “checks Exchange messaging items (mail, calendar and tasks) to see whether a property is populated with a UNC path,” Microsoft says.
“If required, admins can use this script to clean up the property for items that are malicious or even delete the items permanently.”
This script also allows modifying or deleting potentially malicious messages if they are found on the audited Exchange Server when run in Cleanup mode.
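As an added example (not Microsoft’s script), the following Python mirrors the check described above: each mailbox item’s reminder-file property is tested for a UNC path, and paths pointing at hosts outside an allow list of internal file servers are reported. The item dictionary, ids and hostnames are constructed test data; the property name PidLidReminderFileParameter is the MAPI property documented in MS-OXPROPS, which the article itself only calls an “extended MAPI property”.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# UNC forms "\\host\share\..." and the long form "\\?\UNC\host\share\...".
UNC_RE = re.compile(r"^\\\\(?:\?\\UNC\\)?(?P<host>[^\\]+)\\(?P<share>[^\\]*)", re.IGNORECASE)

# MAPI property Outlook resolves as a file path when a reminder fires (MS-OXPROPS);
# the article only refers to it as an "extended MAPI property".
REMINDER_FILE_PROP = "PidLidReminderFileParameter"

@dataclass
class Finding:
    item_id: str
    prop: str
    host: str
    share: str

def parse_unc(value: str) -> Optional[Tuple[str, str]]:
    """Return (host, share) when value is a UNC path, otherwise None."""
    m = UNC_RE.match(value.strip())
    return (m.group("host").lower(), m.group("share")) if m else None

def scan_items(items: Dict[str, Dict[str, str]], trusted_hosts: Iterable[str] = (),
               props: Iterable[str] = (REMINDER_FILE_PROP,)) -> List[Finding]:
    """Report items whose path-bearing property names a UNC host not on the allow list.

    items maps an item id to its string properties (as a mailbox export might);
    trusted_hosts names internal file servers whose UNC paths are expected.
    """
    trusted = {h.lower() for h in trusted_hosts}
    findings: List[Finding] = []
    for item_id, item in items.items():
        for prop in props:
            parsed = parse_unc(item.get(prop, ""))
            if parsed and parsed[0] not in trusted:
                findings.append(Finding(item_id, prop, parsed[0], parsed[1]))
    return findings

# Constructed sample items (RFC 5737 test addresses, invented ids and hostnames).
SAMPLE_ITEMS = {
    "msg-001": {"Subject": "Quarterly review", REMINDER_FILE_PROP: r"\\203.0.113.5\sounds\alert.wav"},
    "msg-002": {"Subject": "Team lunch", REMINDER_FILE_PROP: r"\\fileserver01.corp.example\media\ding.wav"},
    "msg-003": {"Subject": "Budget", REMINDER_FILE_PROP: "reminder.wav"},  # local file name, benign
    "msg-004": {"Subject": "Standup", REMINDER_FILE_PROP: r"\\?\UNC\198.51.100.7\c$\alert.wav"},
}

if __name__ == "__main__":
    for f in scan_items(SAMPLE_ITEMS, trusted_hosts=["fileserver01.corp.example"]):
        print(f"{f.item_id}: {f.prop} -> \\\\{f.host}\\{f.share}")
```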