Russian Threat Actors Exploit Outlook Flaw to Hijack Exchange Accounts

Microsoft’s recent warning regarding active exploits by Russian state-sponsored threat actors, particularly APT28 (Forest Blizzard, Strontium or Fancy Bear), has highlighted a significant vulnerability within Microsoft Outlook.  

Tell me more about the Microsoft Outlook vulnerability 

This vulnerability, tracked as CVE-2023-23397, poses a severe risk to Microsoft Exchange accounts and can lead to the exposure of sensitive data. The vulnerability affects all versions of Microsoft Outlook on Windows devices.

CVE-2023-23397 was initially disclosed and patched in Microsoft’s March 2023 Patch Tuesday updates, where it was categorized as a critical elevation of privilege (EoP) vulnerability in Outlook. APT28 has crafted specially formed Outlook notes to steal NTLM hashes: the note forces the targeted device to authenticate to an SMB share under attacker control, with no user interaction required.
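The defender-side counterpart of the mechanism just described is looking, in exported mailbox items, for the property that carries the reminder sound path and flagging values that point at an SMB share instead of a local file. The following Python is an added example and is not Nuspire’s code or Microsoft’s detection script. It uses the documented MAPI property name PidLidReminderFileParameter, but assumes a hypothetical export format in which each item is a dict with an `id`, a `from` address and a `properties` map; the sample items and the `corp.example` internal suffix are constructed for the demonstration.

```python
"""Triage exported Outlook item properties for reminder sound paths that
point at an SMB share (the indicator behind CVE-2023-23397-style abuse)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Sequence

# Documented MAPI named property holding a custom reminder sound path.
# Assumption: the mailbox export tool surfaces it under this name.
REMINDER_FILE_PROPERTY = "PidLidReminderFileParameter"

# \\host\share\file or just \\host; the host is everything up to the next separator.
_UNC = re.compile(r"^\\\\([^\\/]+)(?:[\\/].*)?$")


@dataclass
class Finding:
    message_id: str
    sender: str
    host: str
    path: str
    severity: str  # "high" when the host is outside the organisation, else "medium"


def unc_host(path: str) -> Optional[str]:
    """Return the lower-cased host of a UNC path, or None for a local path."""
    m = _UNC.match(path.strip())
    return m.group(1).lower() if m else None


def host_is_internal(host: str, internal_suffixes: Sequence[str]) -> bool:
    """Heuristic: private IP literal, single-label (NetBIOS-style) name,
    or DNS name under one of the organisation's own suffixes."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        pass
    if "." not in host:
        return True  # resolves only via the local DNS suffix / NetBIOS
    return any(host == s or host.endswith("." + s) for s in internal_suffixes)


def triage(items: Iterable[Dict], internal_suffixes: Sequence[str]) -> List[Finding]:
    """Flag every item whose reminder sound is a UNC path.

    Any UNC reminder path is unusual (the normal value is a local .wav file),
    so internal hosts are reported as medium and external hosts as high.
    """
    findings: List[Finding] = []
    for item in items:
        path = item.get("properties", {}).get(REMINDER_FILE_PROPERTY)
        if not path:
            continue
        host = unc_host(path)
        if host is None:
            continue  # local file path: the benign, expected case
        severity = "medium" if host_is_internal(host, internal_suffixes) else "high"
        findings.append(Finding(item["id"], item["from"], host, path, severity))
    return findings


# Constructed sample export: one benign local path, one item without the
# property, one internal share, one external host, one private IP literal.
SAMPLE_ITEMS = [
    {"id": "msg-001", "from": "colleague@corp.example",
     "properties": {REMINDER_FILE_PROPERTY: r"C:\Windows\Media\chimes.wav"}},
    {"id": "msg-002", "from": "calendar@corp.example", "properties": {}},
    {"id": "msg-003", "from": "it-support@corp.example",
     "properties": {REMINDER_FILE_PROPERTY: r"\\fileserver.corp.example\media\alert.wav"}},
    {"id": "msg-004", "from": "noreply@mail.example.net",
     "properties": {REMINDER_FILE_PROPERTY: r"\\files.example.net\reminder\sound.wav"}},
    {"id": "msg-005", "from": "noreply@mail.example.net",
     "properties": {REMINDER_FILE_PROPERTY: r"\\10.0.0.5\share\x.wav"}},
]


if __name__ == "__main__":
    for f in triage(SAMPLE_ITEMS, internal_suffixes=("corp.example",)):
        print(f"{f.severity.upper():6} {f.message_id} from {f.sender}: {f.path}")
```

Run against a real export, the high-severity findings are the items to pull first; the medium ones still deserve a look, because a reminder sound served from a file share is not something users set up on their own. The check is a triage aid for incident responders, not a substitute for the Outlook update, which is what actually stops the client from authenticating to the remote share.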

Reports suggest that APT28 has been attempting to exploit this vulnerability since as early as April 2022. Its targets are predominantly government agencies, energy sector companies, transportation entities and other critical organizations across the United States, Europe and the Middle East. Notably, Microsoft highlighted the exploitation of additional vulnerabilities, such as CVE-2023-38831 in WinRAR and CVE-2021-40444 in Windows MSHTML, in conjunction with CVE-2023-23397.

Before Microsoft’s alert on CVE-2023-23397, open sources reported that nearly 20,000 Microsoft Exchange email servers remained vulnerable to remote code execution flaws. These servers were running outdated software versions that had reached end-of-life (EoL) and were therefore no longer receiving security updates. Such servers are at high risk, which underlines the urgency for organizations running EoL software to move swiftly to supported versions.

What is Nuspire doing?  

At Nuspire, we adhere to vendor recommendations by diligently applying patches and actively engaging in threat hunting to identify potential compromises within our clients’ environments. 

How should I protect myself from the Outlook vulnerability? 

To protect your environment against potential security threats, take the following immediate actions: 

  • Apply Security Updates: It is imperative to implement available security updates for CVE-2023-23397 and its bypass, CVE-2023-29324. 
  • Regular Software Updates: Ensure that all software products receive regular updates with the latest security patches. 
  • Password Reset and MFA: Reset compromised users’ passwords and enable Multi-Factor Authentication (MFA) for all users. 
  • Upgrade End-of-Life Software: Prioritize upgrading any software that has reached its end-of-life to a supported version. Unsupported software will no longer receive critical security patches. 

By promptly addressing these security measures, organizations can significantly reduce the risk of exploitation and fortify their cyber defenses against these threats. 
