Posted on March 12, 2023 at 12:10 PM

Microsoft issues patch to Outlook zero-day bug used by hackers since 2022

Microsoft has released a patch for Outlook zero-day vulnerability named tracked as CVE-2023-23397. This vulnerability had been exploited by a threat actor group based in Russia. The Russian hacker group that exploited the bug is associated with the Russian military intelligence service known as the GRU, and it was being used to target organizations in Europe.

Microsoft releases patch for Outlook zero-day vulnerability

The zero-day vulnerability was exploited in hacking attacks that target and breach the networks of not more than 15 energy, government, military and transportation organizations. The exploits happened between mid-April and December 2022.

The hacking group linked to these attacks is tracked as APT28, Fancy Bear, Sednit, Sofacy, and STRONTIUM. The hacker sent out malicious Outlook notes to the victim alongside tasks aimed at stealing NTLM hashes through NTLM negotiation requests. The threat actors did this by forcing the targeted devices to authenticate SMB shares that the hacker-controlled.

The hackers used the stolen credentials to make lateral movements within the victims’ networks. They also changed the mail folder permissions for Outlook. Using this strategy, the hackers could perform email exfiltration for some accounts.

Microsoft shared the details about this vulnerability and the subsequent exploit in a threat analytics report. The private report was available to those who had subscribed to Microsoft 365 Defender, Microsoft Defender for Business, or Microsoft Defender for Endpoint Plan 2.

The vulnerability was tracked as CVE-2023-23397, and the Computer Emergency Response Team reported it for Ukraine (CERT-UA). The vulnerability is a critical Outlook elevation of a privilege security flaw that can be exploited without the need for user interaction. Moreover, this flaw can be used to conduct low-complexity attacks.

The threat actors behind this exploit can send messages using extended MAPI properties that carry UNC paths to an SMB share known as TCP 445 which is controlled by the hacker. According to Microsoft, the threat actor might have been able to exploit this flaw by sending messages that will be triggered automatically.

“The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation BEFORE the email is viewed in the Preview Pane,” Microsoft said in a security advisory that was released recently.

Researchers also noted that once the hackers linked to the remote SMB server, it sent the NTML negotiation message belonging to the user. Additionally, the hacker can also use this message to relay authentication against other systems that support LM authentication.

The vulnerability in question is crucial because it affects all the supported versions of Microsoft Outlook for Windows devices. However, this flaw does not affect the Outlook applications for Android, iOS and macOS devices.

Additionally, some online services such as Outlook, supported in the Web and Microsoft 365 currently do not provide support for NTLM authentication. Therefore, these applications were not vulnerable to the attacks conducted by threat actors who exploited the NTLM relay vulnerability.

Mitigating against attacks caused by this vulnerability

Microsoft has also recommended that the affected users patch the CVE-2023-23397 vulnerability to mitigate against further attacks. the company has also urged users to switch to using the Protected Users group available in the Active Directory.

The other recommendation by Microsoft includes users blocking the outbound SMB (TCP port 445) if they are not immediately able to patch the flaw. Taking this action might reduce the impact of CVE-23397 being exploited.

The researchers have also shared a dedicated PowerShell script. The script is being used by admins to check whether users within the Exchange environment have been targeted using this vulnerability on Outlook applications on windows devices.

According to Microsoft, the dedicated PowerShell script can also be used to check the Exchange messaging items such as calendar, mail and tasks. These checks can help determine whether a property is populated with a UNC path, and they can help the targeted victims avoid falling victim to attacks.

The tech company further noted that in the instances where it was required, admins could use the script to clean up the property for malicious items. It can also delete these items permanently. This script also supports modifications. It can also be used to delete messages that are potentially malicious if they are detected within the audited Exchange Server when it is run on the Cleanup mode.