Earlier this month, Microsoft disclosed that the Russian hacking group Fancy Bear, aka APT28, exploited a zero-day in Microsoft’s flagship email management software, Outlook, between mid-April and December 2022. The company has since shared additional details and guidance to help customers discover IoCs associated with the vulnerability and reduce their attack surface.

Who is impacted?

The privilege elevation/authentication bypass vulnerability, tracked as CVE-2023-23397 (CVSS score: 9.8), was first disclosed in mid-March.
  • It affects all supported versions of Microsoft Outlook for Windows, including Microsoft 365, Microsoft Office 2019, Microsoft Outlook 2016, and Microsoft Outlook 2013.
  • The vulnerability requires no user interaction to stage a relay attack, and exploitation can occur before the email is even seen in the Preview Pane.

Microsoft has patched the vulnerability as part of its Patch Tuesday updates for March 2023.

How hackers exploit the bug

An attacker creates a specially crafted message with an extended Messaging Application Programming Interface (MAPI) property and sends it to the victim.
  • The MAPI property is set to a Universal Naming Convention (UNC) path pointing to a remote SMB server controlled by the attacker, reached over TCP port 445.
  • The attacker delivers the payload as a malicious calendar invite in the .msg message format, which supports Outlook reminders.
  • Simply opening Outlook then triggers the exploit: the client connects to the attacker’s SMB server and automatically sends the NTLM negotiation message.
  • The malicious message can also leverage the Transport Neutral Encapsulation Format (TNEF). The attacker captures the victim’s Net-NTLMv2 hash and uses it to compromise other systems and services that support NTLM authentication.
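The detection idea behind the scan the article recommends, as an added example that is not Microsoft’s script or any vendor code: walk mail, calendar and task items and flag any whose reminder-file MAPI property (PidLidReminderFileParameter, the property tied to this CVE) holds a UNC path to a host outside the organization. The item records, the internal-network ranges and the DNS suffix are constructed assumptions for this example.

```python
import ipaddress
import re

# Constructed sample items (not real mailbox data). Each record mimics a scanned
# Outlook mail, calendar or task item and its PidLidReminderFileParameter value.
SAMPLE_ITEMS = [
    {"id": "msg-001", "kind": "calendar",
     "PidLidReminderFileParameter": r"\\203.0.113.10\share\sound.wav"},
    {"id": "msg-002", "kind": "task",
     "PidLidReminderFileParameter": r"\\fileserver.corp.example\sounds\chime.wav"},
    {"id": "msg-003", "kind": "mail",
     "PidLidReminderFileParameter": r"C:\Windows\Media\chimes.wav"},
    {"id": "msg-004", "kind": "calendar", "PidLidReminderFileParameter": None},
    {"id": "msg-005", "kind": "calendar",
     "PidLidReminderFileParameter": r"\\attacker.example.net@80\DavWWWRoot\x.wav"},
]

# Assumptions about what counts as "inside" the organisation: RFC 1918 ranges
# and one internal DNS suffix. Adjust to the environment being scanned.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_SUFFIXES = ("corp.example",)

# \\host\share... or \\host@port\share... (the @port form is how a UNC path
# can steer the client to WebDAV instead of SMB on 445)
UNC_RE = re.compile(r"^\\\\([^\\@]+)(?:@(\d+))?(\\|$)")


def parse_unc_host(value):
    """Return (host, port) if value is a UNC path, else None. Port defaults to SMB 445."""
    if not value:
        return None
    m = UNC_RE.match(value)
    if not m:
        return None
    port = int(m.group(2)) if m.group(2) else 445
    return m.group(1), port


def is_internal(host):
    """True if host is an RFC 1918 address or carries an internal DNS suffix."""
    try:
        addr = ipaddress.ip_address(host)
        return any(addr in net for net in INTERNAL_NETS)
    except ValueError:
        return host.lower().endswith(INTERNAL_SUFFIXES)


def find_suspicious(items):
    """Return (id, kind, host, port) for items whose reminder path points outside the org."""
    findings = []
    for item in items:
        parsed = parse_unc_host(item.get("PidLidReminderFileParameter"))
        if parsed is None:
            continue  # local file path or no reminder file set: benign
        host, port = parsed
        if not is_internal(host):
            findings.append((item["id"], item["kind"], host, port))
    return findings
```

Items whose reminder file points to an internal share are not flagged, so a real deployment should still review those for unexpected hosts.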

Possible attack scenarios

A leaked Net-NTLMv2 hash can be abused in post-exploitation activity. Threat actors could launch a Net-NTLMv2 relay attack against Exchange Servers to gain initial access.
  • They could use the Exchange Web Services (EWS) API and move through the organization’s network over SMB.
  • An attacker may leverage WebDAV services to respond to affected victim clients with malicious pages.
  • Moreover, they can establish additional persistent access to the contents of the victim’s mailbox even after a password reset or other remediation.

Conclusion

Now that the vulnerability is public, Microsoft warns that more attackers are likely to exploit it, most notably with elections on the horizon in many countries. Organizations are therefore advised to apply the patch as soon as possible and to run the Microsoft-provided PowerShell script, which scans emails, calendar entries, and task items for signs of compromise.
Cyware Publisher