Microsoft identifies Russian attacker exploiting CVE-2023-23397 in Outlook to access Exchange accounts

Exchange Logo[German]CVE-2023-23397 is a vulnerability in Microsoft Outlook that could be exploited in conjunction with Microsoft Exchange servers, which was closed with security updates in March 2023. Microsoft has now identified an attacker based in Russia who is actively exploiting CVE-2023-23397 to gain unauthorized access to email accounts in Exchange servers. This can then be used for NTLM relay attacks against other services. The Russian attacker is referred to by Microsoft as Forest Blizzard (STRONTIUM, APT28, FANCYBEAR).


Advertising

Outlook vulnerability CVE-2023-23397

CVE-2023-23397 is an "Elevation of Privilege" vulnerability in Microsoft Outlook, which has been classified as critical by Microsoft and described here. The attack can be carried out from specially crafted emails. The vulnerability classified as critical (CVEv3 score of 9.8) allows (only in connection with Microsoft Exchange) privilege escalation by third parties. Attackers can send a malicious email to a vulnerable version of Outlook. As soon as Outlook receives this mail (via Exchange), a connection can be established to a device controlled by the attacker (without any action on the part of the user).

Attackers can then use the vulnerability to access the Net-NTLMv2 hash of users. This hash value can be used as the basis for an NTLM relay attack against another service in order to authenticate themselves as these users. I first reported on this topic on the blog in the posts Patchday: Microsoft Office Updates (March 14, 2023), Exchange Server Security Updates (March 14, 2023) and Patch critical EvP vulnerability CVE-2023-23397 in Outlook. However, it then turned out that the patch was only incomplete (see Outlook vulnerability CVE-2023-23397 not fully patched).

Russian attackers exploit CVE-2023-23397

At the end of March 2023, I published the blog post Microsoft Guidelines for investigating attacks using CVE-2023-23397 with further information from Microsoft on how to secure Outlook. I had already mentioned in this blog post that this vulnerability has been actively exploited by Russian attackers since mid-April 2022 (see also this post by deep instinct, which shows cases). According to this Palo Alto Networks article, other attackers have also exploited this vulnerability.

Attacks on CVE-2023-23397

Microsoft has now disclosed on December 4, 2023 in the article Guidance for investigating attacks using CVE-2023-23397 (see also the tweet above) that it has identified state-sponsored cyber attackers who exploit this vulnerability. The nation-state attackers are referred to by Microsoft as Forest Blizzard. This group, which is based in Russia, is also known as STRONTIUM, APT28 or FANCYBEAR.


Advertising

Microsoft has cooperated with the Polish Cyber Command (DKWOC) to take action against the Forest Blizzard actors and identify the techniques used by the actors and develop defenses. Users should ensure that Microsoft Outlook is patched and kept up to date to mitigate this threat. However, Microsoft Outlook 2013, which was still in support in March 2023, has now reached End of Life, so this client should no longer be used.

Microsoft Defender XDR detects the exploitation and known activities after the systems have been compromised via the vulnerability CVE-2023-23397. Microsoft has added further details and new findings to the older article Guidance for investigating attacks using CVE-2023-23397.

Similar articles:
Patch critical EvP vulnerability CVE-2023-23397 in Outlook
Patchday: Microsoft Office Updates (March 14, 2023)
Exchange Server Security Updates (March 14, 2023)
Outlook vulnerability CVE-2023-23397 not fully patched
Microsoft Guidelines for investigating attacks using CVE-2023-23397


Cookies helps to fund this blog: Cookie settings
Advertising


This entry was posted in Security, Software and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *