Microsoft’s recent warning about active exploitation by Russian state-sponsored threat actors, in particular APT28 (also tracked as Forest Blizzard, Strontium or Fancy Bear), has drawn renewed attention to a significant vulnerability in Microsoft Outlook.
The vulnerability, CVE-2023-23397, poses a severe risk to Microsoft Exchange accounts and can lead to the exposure of sensitive data. It affects all supported versions of Outlook for Windows; Outlook on Android, iOS, macOS and Outlook on the web do not process the vulnerable reminder property and are not affected.
CVE-2023-23397 was first disclosed and patched in Microsoft’s March 2023 Patch Tuesday updates, where Microsoft rated it a critical elevation-of-privilege (EoP) vulnerability in Outlook. APT28 exploits it by sending specially crafted items (messages, tasks or calendar invitations, including the “notes” mentioned in reporting) whose reminder sound path points to a UNC share on an attacker-controlled server. When Outlook processes the reminder, the victim’s machine connects to that SMB share and authenticates with NTLM, leaking a Net-NTLMv2 hash that the attacker can crack offline or relay to other services. No user interaction is required: the connection happens as soon as the reminder fires, whether or not the item is opened.
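To make the detection logic concrete, here is an added Python example (it is not Microsoft’s script and not code from the original post). It classifies exported reminder-sound paths the way the patched Outlook reasons about them: only a path that resolves to a remote host can trigger an outbound NTLM handshake, while drive-letter paths, loopback hosts and local file:// URLs cannot. It assumes you have already extracted the PidLidReminderFileParameter values from mailbox items (Microsoft’s published CVE-2023-23397 mailbox script does that on Exchange; the extraction step is not shown here). The hostnames, IPs and property values in the samples are constructed, not real indicators.

```python
"""
Triage of Outlook reminder-sound paths for CVE-2023-23397.

The bug: a message, task or calendar item carries a reminder "file parameter"
(the sound to play when the reminder fires).  If that path is a UNC path or a
file:// URL pointing at an attacker-controlled host, Outlook opens it when the
reminder triggers and Windows silently performs NTLM authentication to the
remote server.  The patch makes Outlook refuse paths outside the local and
intranet zones; this script applies the same idea to exported property values
so suspicious items can be found in bulk.  All sample values are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import unquote, urlparse

# Names that always refer to the local machine and therefore never send NTLM
# credentials to a third party.
LOCAL_HOSTS = {"localhost", "."}


@dataclass(frozen=True)
class Verdict:
    path: str
    kind: str            # "EMPTY", "LOCAL", "REMOTE_UNC" or "REMOTE_URL"
    host: Optional[str]  # remote host name or IP when kind starts with REMOTE


def _is_local_host(host: str) -> bool:
    h = host.lower().strip("[]")
    if h in LOCAL_HOSTS:
        return True
    try:
        return ipaddress.ip_address(h).is_loopback
    except ValueError:
        return False


def _host_from_unc(p: str) -> str:
    # p is normalised to \\host\share\...; the host may carry a WebDAV-style
    # suffix such as \\host@SSL@443\DavWWWRoot\..., which is stripped here.
    host = p[2:].split("\\", 1)[0]
    return host.split("@", 1)[0]


def classify_reminder_path(value: str) -> Verdict:
    """Classify one PidLidReminderFileParameter value."""
    raw = value.strip()
    if not raw:
        return Verdict(raw, "EMPTY", None)

    if raw.lower().startswith("file:"):
        # file:// URLs: the authority part is the remote host.  Windows also
        # accepts backslashes and the four-slash form file:////host/share.
        parsed = urlparse(unquote(raw).replace("\\", "/"))
        host = parsed.hostname
        if not host and parsed.path.startswith("//"):
            host = parsed.path[2:].split("/", 1)[0]
        if not host or _is_local_host(host):
            return Verdict(raw, "LOCAL", host)
        return Verdict(raw, "REMOTE_URL", host)

    # Plain Windows path.  Forward slashes are accepted by the path parser, and
    # the long-path prefix \\?\UNC\host\share is equivalent to \\host\share.
    p = unquote(raw).replace("/", "\\")
    if p.lower().startswith("\\\\?\\unc\\"):
        p = "\\\\" + p[len("\\\\?\\unc\\"):]
    if p.startswith("\\\\"):
        host = _host_from_unc(p)
        if _is_local_host(host):
            return Verdict(raw, "LOCAL", host)
        return Verdict(raw, "REMOTE_UNC", host)

    # Drive-letter or relative path: played from the local disk.
    return Verdict(raw, "LOCAL", None)


def find_suspicious(values: Iterable[str]) -> List[Verdict]:
    """Return only the verdicts that would cause an outbound NTLM handshake."""
    return [v for v in map(classify_reminder_path, values) if v.kind.startswith("REMOTE")]


# Constructed sample property values (hostnames and IPs are not real indicators).
SAMPLE_VALUES = [
    r"C:\Windows\Media\reminder.wav",                # benign default
    "file:///C:/Windows/Media/reminder.wav",          # benign, local URL form
    r"\\localhost\c$\Windows\Media\reminder.wav",     # points at the local machine
    r"\\192.0.2.10\share\alert.wav",                  # classic exploit form
    r"\\?\UNC\attacker.example\s\alert.wav",          # long-path prefix variant
    "//attacker.example/s/alert.wav",                 # forward-slash variant
    "file://attacker.example/s/alert.wav",            # file:// variant
    r"\\attacker.example@SSL@443\DavWWWRoot\a.wav",   # WebDAV-style suffix
]

if __name__ == "__main__":
    for v in find_suspicious(SAMPLE_VALUES):
        print(f"{v.kind:<10} host={v.host:<20} {v.path}")
```

Running the script lists the five constructed values that point at a remote host. In practice the remote hostnames and IPs this produces are what you take to DNS and proxy logs, and any hit on an internal mailbox is a reason to reset that user’s password and look for the corresponding outbound SMB connection.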
Reports indicate that APT28 has exploited this vulnerability since at least April 2022, roughly a year before the patch was released. Its targets are predominantly government agencies, energy and transportation organizations and other critical entities across the United States, Europe and the Middle East. Microsoft also noted that APT28 chains CVE-2023-23397 with other vulnerabilities, including CVE-2023-38831 in WinRAR and CVE-2021-40444 in Windows MSHTML.
Separately, before Microsoft’s alert on CVE-2023-23397, open-source reporting indicated that nearly 20,000 Microsoft Exchange email servers remained vulnerable to remote code execution flaws because they were running end-of-life (EoL) versions that no longer receive security updates. Unlike the Outlook client issue above, these are server-side flaws, and unpatched EoL servers are at high risk of compromise, which underlines the urgency for organizations still running them to move to supported versions.
At Nuspire, we follow vendor recommendations by applying patches promptly and actively threat hunting for indicators of compromise in our clients’ environments.
To protect your environment against potential security threats, take the following immediate actions:
By promptly addressing these security measures, organizations can significantly reduce the risk of exploitation and fortify their cyber defenses against these threats.