Russian hackers exploit Outlook zero-day vulnerability to target European organizations
Microsoft patches Outlook zero-day vulnerability used in attacks by Russian hackers
Microsoft has released a security patch for a critical vulnerability (CVE-2023-23397) in Outlook that a Russian hacking group exploited to target government, military, energy, and transportation organizations in Europe. The group, tracked as APT28, Sednit, and Fancy Bear, used malicious Outlook notes and tasks to steal NTLM hashes, which were then used to access victims' networks and exfiltrate data from specific accounts.
The vulnerability can be exploited through low-complexity attacks by sending messages containing UNC paths to attacker-controlled SMB shares. Microsoft recommends immediate patching or temporary mitigation by adding users to the Protected Users group in Active Directory and blocking outbound SMB.
Outlook versions affected
According to Microsoft, the vulnerability affects all supported versions of Outlook for Windows but not Outlook for Android, iOS, or macOS versions. Online services like Outlook on the web and Microsoft 365 do not support NTLM authentication, making them immune to attacks exploiting this NTLM relay vulnerability.
To help admins check whether any users in their Exchange environment have been targeted through this Outlook vulnerability, Microsoft released a dedicated PowerShell script. It scans Exchange messaging items for malicious UNC paths and, when run in Cleanup mode, allows modifying or deleting any potentially malicious messages found on the audited Exchange Server.
This critical elevation of privilege security flaw was first reported by the Computer Emergency Response Team for Ukraine (CERT-UA). Microsoft shared this information in a private threat analytics report available to customers with Microsoft 365 Defender, Microsoft Defender for Business, or Microsoft Defender for Endpoint Plan 2 subscriptions.
Mitigation
In addition to patching, Microsoft advises adding users to the Protected Users group in Active Directory and blocking outbound SMB to limit the impact of the attacks. Microsoft urges customers to patch their systems against CVE-2023-23397 immediately, or to apply those two measures as a temporary mitigation until they can.
Source: bleepingcomputer.com