Published March 27, 2023
Author: Ash Khan

Microsoft has released guidance for customers with indicators for detecting intrusions that exploit a recently patched Outlook zero-day vulnerability.

This elevation-of-privilege flaw in the Outlook client for Windows is tracked as CVE-2023-23397. It allows attackers to obtain NTLM hashes without any user interaction, enabling zero-click NTLM-relay attacks.

Attackers exploit it by sending messages whose extended MAPI properties contain UNC paths to attacker-controlled SMB shares; when Outlook processes such a message, the client connects to that share and, in authenticating, hands over the user's NTLM credentials.

In a recent report, Microsoft described several approaches for determining whether credentials were compromised through CVE-2023-23397, as well as mitigation steps to protect against future attacks.

The company has also published a script to help administrators determine whether any Exchange users have been targeted. Microsoft also noted that defenders should look for other indicators of exploitation in case the threat actors have covered their tracks by deleting the incriminating messages.

Telemetry from several sources, such as firewall, proxy, VPN and RDP Gateway logs, as well as Azure Active Directory sign-in logs for Exchange Online users and IIS logs for Exchange Server, can provide further signs of compromise tied to this Outlook issue.
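The firewall logs mentioned above are useful because the exploit makes the victim's Outlook client open an outbound SMB (or RPC) connection to a host the attacker controls. The following added example, which is not part of Microsoft's guidance or its script, shows the kind of check a defender can run over such logs: it parses constructed firewall lines (the key=value layout is an assumption; adapt the regular expression to your firewall's format), keeps only TCP connections from internal hosts to external addresses on ports 445 and 135, honours an allow list of approved external destinations, and groups the hits by the internal source, which is the machine whose user received the reminder.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample firewall log lines for this example (not real telemetry).
# The key=value layout is an assumption; adapt LINE_RE to your firewall's format.
SAMPLE_FIREWALL_LOG = """\
2023-03-20T08:12:01Z action=allow proto=tcp src=10.1.4.22 dst=10.1.4.10 dport=445
2023-03-20T08:12:05Z action=allow proto=tcp src=10.1.4.22 dst=203.0.113.45 dport=445
2023-03-20T08:12:09Z action=allow proto=tcp src=10.1.4.22 dst=198.51.100.7 dport=443
2023-03-20T08:13:11Z action=deny proto=tcp src=10.1.5.9 dst=192.0.2.80 dport=135
2023-03-20T08:14:00Z action=allow proto=tcp src=10.1.5.9 dst=192.0.2.81 dport=135
"""

# Ports named in the mitigation guidance: SMB (445) and the RPC endpoint mapper (135).
NTLM_RELAY_PORTS = {445, 135}

# Address space treated as internal. The TEST-NET ranges used as sample
# "external" hosts above are deliberately not listed here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    action: str


def is_external(ip_text: str) -> bool:
    """True when the address lies outside the internal ranges above."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def find_outbound_smb(log_text: str, allowed_dst=()) -> list:
    """Return SMB/RPC connections from internal hosts to external, non-allow-listed IPs.

    Denied connections are reported too: a blocked attempt still shows that the
    client tried to reach the share, i.e. that a malicious reminder was processed.
    """
    allowed = {ipaddress.ip_address(a) for a in allowed_dst}
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        dport = int(m["dport"])
        if m["proto"] != "tcp" or dport not in NTLM_RELAY_PORTS:
            continue
        if is_external(m["src"]) or not is_external(m["dst"]):
            continue  # only internal -> external traffic is of interest here
        if ipaddress.ip_address(m["dst"]) in allowed:
            continue
        findings.append(Finding(m["ts"], m["src"], m["dst"], dport, m["action"]))
    return findings


def sources_to_investigate(findings) -> dict:
    """Group findings by internal source host, the machine whose user got the reminder."""
    by_src = {}
    for f in findings:
        by_src.setdefault(f.src, []).append(f)
    return by_src


if __name__ == "__main__":
    for f in find_outbound_smb(SAMPLE_FIREWALL_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport} ({f.action})")
```

On the constructed sample, the connection to 10.1.4.10 is ignored as internal, the port 443 line is ignored as unrelated, and the three remaining hits point at 10.1.4.22 and 10.1.5.9 as hosts whose logged-in accounts should have their passwords reset, as the mitigation list below advises. Passing the approved destination in `allowed_dst` removes the known-good case.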

In addition to forensic data from endpoints, security teams can look for indicators of compromise in the telemetry collected by EDR systems.

Post-exploitation signs in compromised environments are associated with the targeting of Exchange EWS/OWA users; in particular, malicious changes to mailbox folder permissions give attackers persistent access to the victim's email.

CVE-2023-23397 mitigation strategies

Microsoft also provided guidance on preventing future attacks on this vulnerability, urging organizations to install the newly released Outlook security update.

According to Microsoft, the Outlook security update must be installed to address this vulnerability, regardless of where your email is hosted.

Other precautions that at-risk organizations should take to reduce such attacks and post-exploitation activity include:

  • Apply the most recent security updates to on-premises Microsoft Exchange Server to ensure that defense-in-depth mitigations are in place.
  • If you find suspicious or malicious reminder values, use the script to delete either the messages or only the offending properties, and consider initiating incident response.
  • Reset the passwords of all accounts signed into machines where the user received suspicious reminders, and initiate incident response for any targeted or compromised user.
  • Use multifactor authentication to limit the impact of future Net-NTLMv2 relay attacks. Keep in mind that this will not prevent a threat actor from leaking credentials and cracking them offline.
  • Disable any unneeded Exchange services.
  • Limit SMB traffic by specifying a list of IP addresses that are allowed to connect to ports 135 and 445.
  • Disable NTLM in your environment.
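The "suspicious reminder values" in the list above are the UNC paths in extended MAPI properties described earlier: the reminder sound file property (PidLidReminderFileParameter in MAPI terms, a name taken from the MAPI specification rather than from this page) is made to point at a remote share. The following added example, written here as an illustration and not taken from Microsoft's script, classifies such a property value as local, internal or external once it has been extracted from a message. It recognises plain and long-path UNC forms and file: URLs, treats drive-letter paths as local, and judges a named host by its address range or by a set of trusted domain suffixes that are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Address space treated as internal for this example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Long-path UNC form \\?\UNC\host\share\... and plain UNC form \\host\share\...
LONG_UNC_RE = re.compile(r"^\\\\\?\\UNC\\([^\\]+)(?:\\|$)", re.IGNORECASE)
UNC_RE = re.compile(r"^\\\\([^\\?]+)(?:\\|$)")


def reminder_target_host(value: str):
    """Return the remote host a reminder file value points at, or None if it is local."""
    v = value.strip()
    m = LONG_UNC_RE.match(v) or UNC_RE.match(v)
    if m:
        host = m.group(1)
    elif v.lower().startswith("file:"):
        # file:///C:/... has no host; file://host/share/... names one
        host = urlparse(v).hostname
    else:
        # Drive-letter paths such as C:\Windows\Media\Alarm01.wav stay local
        host = None
    if not host:
        return None
    # Strip any host@port style suffix so the host name compares cleanly
    return host.split("@", 1)[0].lower()


def classify_reminder(value: str, trusted_suffixes=()) -> str:
    """Classify a reminder file value as 'local', 'internal' or 'external'.

    'external' is the pattern the guidance describes: a path that makes the client
    authenticate to a host outside the organisation. 'internal' still deserves a
    look, since a compromised internal host can play the same role.
    """
    host = reminder_target_host(value)
    if host is None:
        return "local"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"
    # Single-label names resolve only on the local network; trusted suffixes
    # (constructed for this example) are the organisation's own domains.
    if "." not in host or host.endswith(tuple(s.lower() for s in trusted_suffixes)):
        return "internal"
    return "external"


if __name__ == "__main__":
    # Constructed sample values, including a legitimate local sound file
    for sample in (r"C:\Windows\Media\Alarm01.wav",
                   r"\\fileserver01\media\alarm.wav",
                   r"\\203.0.113.45\share\alarm.wav"):
        print(f"{sample!r}: {classify_reminder(sample)}")
```

Anything the function labels external is a candidate for the deletion step in the list above and for the password resets that follow it; an item judged internal should still be checked against the list of servers that are actually meant to host reminder sounds.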

Russian military hackers

CVE-2023-23397 has been exploited since at least April 2022 and was used to breach the networks of at least 15 European government, military, energy and transportation organizations.

Microsoft publicly attributed the attacks to "a Russia-based threat actor", though in a private threat analytics report it identified the group as APT28.

This threat actor has previously been linked to Russia’s military intelligence organization.

The stolen credentials were used for lateral movement and to modify Outlook mailbox folder permissions, allowing emails to be stolen.

According to Microsoft, using NTLMv2 hashes to gain unauthorized access to resources is not a new tactic; the exploitation of CVE-2023-23397, however, is novel and stealthy.

Users reported suspicious task reminders, but initial security reviews of the messages, tasks or calendar items involved failed to detect any malicious activity.

The absence of any required user interaction further sets this vulnerability apart.