March 16 update below. This post was originally published on March 15th
Microsoft has confirmed that a critical Outlook vulnerability, rated 9.8 out of a maximum of 10, is known to have already been exploited in the wild. If you think that sounds bad, it gets worse: the exploit is triggered upon receipt of a malicious email and therefore executes before that email is even viewed in the preview pane. That’s right: this is an exploit that requires no user interaction. Here’s what we know about the new Microsoft Outlook zero-day.
What is CVE-2023-23397, the critical zero-day vulnerability in Microsoft Outlook?
CVE-2023-23397 is a Microsoft Outlook elevation of privilege vulnerability already exploited by a “Russia-based threat actor” in targeted attacks against the government, transport, energy, and military sectors in Europe, according to the Microsoft Security Response Center (MSRC). In fact, Ukraine’s Computer Emergency Response Team (CERT) is credited with reporting the zero-day to Microsoft.
Full technical details are still thin on the ground. However, an MSRC post states that the critical Microsoft Outlook vulnerability “is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB share (TCP 445) on an attacker-controlled server. No interaction is required.” The post goes on to explain that the connection to the remote SMB (Server Message Block) server sends the user’s NTLM (New Technology LAN Manager) negotiation message, which the attacker can then relay to other systems that support NTLM authentication. “Online services like Microsoft 365 do not support NTLM authentication,” confirms the MSRC post, so they are not vulnerable to this exploit.
All currently supported versions of Outlook for Windows are affected, but not Outlook for the web or versions running on Android, iOS, or Mac.
March 16 update:
Google-owned threat intelligence firm Mandiant believes that the zero-day vulnerability CVE-2023-23397 in Microsoft Outlook has been exploited for almost a year to target both businesses and critical infrastructure.
State-sponsored Russian “Fancy Bear” threat actors have exploited CVE-2023-23397
In an email statement, Mandiant says it created “UNC4697” to track early exploitation of CVE-2023-23397, which is publicly attributed to the Russian Military Intelligence (GRU)-affiliated threat actor APT28, better known as Fancy Bear. The vulnerability is said to have been exploited against government, defense, logistics, transport and energy targets based in Poland, Romania, Turkey and Ukraine since April 2022. These targets, according to Mandiant, could facilitate strategic intelligence gathering and disruptive or destructive attacks aimed both at Ukraine and abroad.
“This is further evidence that aggressive, disruptive and destructive cyberattacks may not be confined to Ukraine and a reminder that we can’t see everything,” said John Hultquist, head of Mandiant Intelligence Analysis at Google Cloud. “These are spies, and they have a long track record of evading our attention. This will be a propagation event. This is an excellent tool for nation-state actors and criminals alike, who will be on a bonanza in the short term, and the race has already begun.”
Several proofs of concept now widely available
Additionally, Mandiant states that several proofs of concept are now widely available. Since this is an exploit without user interaction, the damage potential is high. In fact, Mandiant says it anticipates “broad, rapid adoption of the CVE-2023-23397 exploit by multiple nation-state and financially motivated actors, including both criminal and cyberespionage actors.”
Pass the hash attack
To exploit CVE-2023-23397, which Mandiant says is “trivial” to execute, an attacker would need to send a malicious email with an “extended MAPI property containing a UNC path to an SMB share (TCP 445) on an attacker-controlled server.” This triggers what is known as a “pass the hash” attack, but in this case it is triggered when an unpatched Outlook client receives the email, without the target even seeing it.
What do you have to do now?
The good news is that the CVE-2023-23397 alert coincides with the release of the latest Patch Tuesday round of security updates for Microsoft users. The recommendation is therefore to apply the appropriate patch. However, if your organization cannot apply these security updates immediately, Microsoft has published workarounds. Adding users to the Protected Users security group prevents NTLM from being used for authentication, although Microsoft warns that this “could impact applications that require NTLM”. Alternatively, you can block outbound TCP 445/SMB using firewall or VPN settings.
[Image: Microsoft mitigations for CVE-2023-23397. Credit: Microsoft/Davey Winder]
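The mechanism described above (an extended MAPI property whose value is a UNC path, forcing an outbound SMB connection that leaks the NTLM negotiation) lends itself to a mailbox-side triage check alongside the patch and the TCP 445 egress block. The following Python scanner is an added example, not code from Microsoft or from this article. It assumes mailbox items have already been exported into a simple dict form, that the property of interest is the MAPI named property PidLidReminderFileParameter (the reminder sound file path, which is the property Microsoft's own scanning guidance looks at), and it uses constructed sample items and a constructed allowlist of internal hosts.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Matches the start of a UNC path: two leading backslashes or forward slashes
# followed by the host. Windows accepts either slash form, so both are checked.
UNC_RE = re.compile(r"^[\\/]{2}([^\\/]+)")

# Constructed allowlist: where a legitimate reminder sound file could live.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]
INTERNAL_SUFFIXES = (".corp.example",)  # constructed internal DNS suffix

# MAPI named property carrying the reminder sound file path (assumed key name
# for the exported dict form used here).
REMINDER_PROP = "PidLidReminderFileParameter"


def unc_host(value: str):
    """Return the host part of a UNC path, or None when the value is not a UNC path."""
    match = UNC_RE.match(value.strip())
    return match.group(1) if match else None


def is_internal_host(host: str) -> bool:
    """True when the host is an RFC 1918 address or carries an internal DNS suffix."""
    try:
        return any(ip_address(host) in net for net in INTERNAL_NETS)
    except ValueError:  # not an IP literal, so treat it as a hostname
        return host.lower().endswith(INTERNAL_SUFFIXES)


@dataclass
class Finding:
    subject: str
    sender: str
    host: str
    severity: str  # "high" for an external host, "info" for an internal one


def scan_items(items):
    """Flag every item whose reminder property points at a UNC host.

    A local file path (C:\\Windows\\Media\\...) is normal and is skipped.
    A UNC path to an internal host is recorded as info; any other host is high,
    because receiving the item alone is enough to make Outlook connect to it.
    """
    findings = []
    for item in items:
        value = item.get("properties", {}).get(REMINDER_PROP)
        if not isinstance(value, str):
            continue
        host = unc_host(value)
        if host is None:
            continue
        severity = "info" if is_internal_host(host) else "high"
        findings.append(Finding(item["subject"], item["sender"], host, severity))
    return findings


# Constructed sample mailbox items; none of these are real messages.
SAMPLE_ITEMS = [
    {"subject": "Weekly sync", "sender": "alice@corp.example",
     "properties": {REMINDER_PROP: "C:\\Windows\\Media\\reminder.wav"}},
    {"subject": "Team lunch", "sender": "bob@corp.example",
     "properties": {REMINDER_PROP: "\\\\fileserver.corp.example\\sounds\\chime.wav"}},
    {"subject": "Invoice overdue", "sender": "billing@external.example",
     "properties": {REMINDER_PROP: "\\\\203.0.113.45\\share\\chime.wav"}},
    {"subject": "Re: contract", "sender": "legal@external.example",
     "properties": {REMINDER_PROP: "//external.example/s/x.wav"}},
    {"subject": "No reminder set", "sender": "carol@corp.example",
     "properties": {}},
]


if __name__ == "__main__":
    for f in scan_items(SAMPLE_ITEMS):
        print(f"[{f.severity.upper():4}] {f.subject!r} from {f.sender} -> host {f.host}")
```

Anything reported as high is a candidate for quarantine and for checking the endpoint's outbound connection logs to that host on TCP 445. The scanner only finds messages already in the mailbox; the egress block on TCP 445 described above is the control that stops the NTLM exchange from leaving the network even for a message the scan has not yet seen.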
What is the security industry saying about the Microsoft Outlook zero-day?
“Administrators should patch within a day if possible, as the vulnerability is relatively easy to exploit, requires no user interaction, and is already being exploited in the wild,” said Peter Pflaster, technical product manager at Automox. “Microsoft has released two temporary workarounds if you can’t patch immediately, both of which affect NTLM and applications that use it. So proceed with caution.”
“Given the network attack vector, the ubiquity of SMB shares, and the lack of required user interaction, an attacker with a suitable existing foothold on a network may well view this vulnerability as a prime candidate for lateral movement,” said Adam Barnett, senior software engineer at Rapid7.
“An attacker is currently exploiting this vulnerability to deliver malicious MSI (Microsoft Installer) files,” said Bharat Jogi, director of vulnerability and threat research at Qualys.
“The attack can be carried out without user interaction by sending a specially crafted email that is automatically triggered when retrieved from the email server,” said Mike Walters, VP of Vulnerability and Threat Research at Action1. “This can lead to exploits before the email even appears in the preview window. If successfully exploited, an attacker can access a user’s Net-NTLMv2 hash, which can be used to perform a pass-the-hash attack on another service and authenticate as a user. It is best to install the Microsoft update on all systems after testing it in a controlled environment.”