Russian Hackers Exploit Stealthy Outlook Vulnerability, Microsoft Issues Warning
Guidance has been provided by Microsoft to assist customers in identifying the Indicators of Compromise (IoCs) connected with an Outlook vulnerability that has recently been patched.
The March 2023 Exchange Server Security Updates have identified a critical vulnerability, known as CVE-2023-23397 (CVSS score: 9.8), which enables privilege escalation. Attackers can exploit this flaw to steal NT Lan Manager (NTLM) hashes and stage a relay attack without requiring any user interaction.
According to a recent advisory released by the company, it is possible for external attackers to send specific emails that can lead to a connection from the victim to a location controlled by the attackers.
The victim’s Net-NTLMv2 hash can be exposed to an untrusted network, allowing an attacker to transfer it to another service and masquerade as the victim.
As part of its Patch Tuesday updates for March 2023, Microsoft successfully resolved a vulnerability that had been exploited by threat actors based in Russia. The flaw was weaponized in attacks that targeted various sectors across Europe, including the government, transportation, energy, and military industries.
In April of 2022, Microsoft’s incident response team detected indications of possible exploitation of the vulnerability.
According to the tech giant, an attack chain involved a Net-NTLMv2 Relay attack that granted unauthorized access to an Exchange Server, allowing the threat actor to modify mailbox folder permissions for persistent access. Check out the hyperlink for more details.
By utilizing the compromised email account, the adversary was able to expand their reach within the compromised environment via the transmission of further malicious messages. These messages were intended to target other individuals within the same organization.
Microsoft has stated that although the use of NTLMv2 hashes to obtain unauthorized access to resources is not a new tactic, the exploitation of CVE-2023-23397 is unique and covert. For more information on investigating attacks utilizing CVE-2023-23397.
To detect any potential exploitation through CVE-2023-23397, it is important for organizations to conduct a thorough review of SMBClient event logging, Process Creation events, and other network telemetry that is readily available. This will help to ensure that any vulnerabilities are identified and addressed in a timely manner.
The disclosure comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a new open source incident response tool that helps detect signs of malicious activity in Microsoft cloud environments.
The United States Cybersecurity and Infrastructure Security Agency has introduced a new Python-based tool called “Untitled Goose Tool”. This tool provides unique authentication and data gathering methods that can be used to analyze Microsoft Azure, Azure Active Directory, and Microsoft 365 environments.
At the start of this year, Microsoft made a similar appeal to its customers, encouraging them to ensure their on-premises Exchange servers are up-to-date and to implement measures to strengthen their networks against potential threats.
