Microsoft published guidance for investigating attacks exploiting the recently patched Outlook vulnerability tracked as CVE-2023-23397.
The flaw is a Microsoft Outlook spoofing vulnerability that can lead to an authentication bypass.
A remote, unauthenticated attacker can exploit the flaw to access a user’s Net-NTLMv2 hash by sending a specially crafted e-mail to an affected system.
“An attacker who successfully exploited this vulnerability could access a user’s Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user.” reads the advisory published by Microsoft. “The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation BEFORE the email is viewed in the Preview Pane.” “External attackers could send specially crafted emails that will cause a connection from the victim to an external UNC location of attackers’ control. This will leak the Net-NTLMv2 hash of the victim to the attacker who can then relay this to another service and authenticate as the victim.”
The vulnerability was reported by the CERT-UA and the Microsoft Incident Response, Microsoft Threat Intelligence (MSTI), suggesting that it has been exploited by a nation-state actor.
Microsoft addressed the flaw as part of its Patch Tuesday updates for March 2023.
The guidance published by Microsoft includes details about the attacks using the vulnerability. The following diagram shows attackers gaining initial access using a Net-NTLMv2 Relay attack, then maintaining persistence via modifying mailbox folder permissions, and performing lateral movement by sending additional malicious messages.
In the following attack scenario, threat actors used the compromised email account to extend their access within the compromised environment by targeting other members of the same organization.
“While leveraging NTLMv2 hashes to gain unauthorized access to resources is not a new technique, the exploitation of CVE-2023-23397 is novel and stealthy. Even when users reported suspicious reminders on tasks, initial security review of the messages, tasks, or calendar items involved did not result in detection of the malicious activity.” concludes the guidance. “Furthermore, the lack of any required user interaction contributes to the unique nature of this vulnerability.” “In this document, Microsoft Incident Response has highlighted threat hunting techniques and strategy for exploitation of this CVE, alongside some hunting techniques for observed post-exploitation threat actor behaviors. Furthermore, a broad threat hunting for anomalous user activity consistent with credential compromise is advised.”
The guidance also includes indicators of attack for this campaign.
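As an added example, not code from the Microsoft guidance or from this article, the following Python hunt runs over constructed firewall log lines and flags outbound SMB (TCP/445) connections from internal hosts to external addresses, which is the network signature of the victim-to-attacker UNC connection described above. The log format, the address ranges treated as internal, and the function names are assumptions.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample firewall log lines (not from the Microsoft guidance).
# Format: timestamp action src_ip:src_port -> dst_ip:dst_port proto
# 203.0.113.77 is a TEST-NET address standing in for an attacker-controlled host.
SAMPLE_LOGS = """\
2023-03-15T09:12:01Z ALLOW 10.20.30.41:51022 -> 10.20.30.5:445 TCP
2023-03-15T09:12:07Z ALLOW 10.20.30.41:51031 -> 203.0.113.77:445 TCP
2023-03-15T09:12:09Z ALLOW 10.20.30.41:51033 -> 198.51.100.9:443 TCP
2023-03-15T09:13:40Z DENY  10.20.30.58:49877 -> 203.0.113.77:445 TCP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)

# Ranges treated as internal (assumption): RFC 1918, loopback, link-local.
# A UNC path to one of these is ordinary file-server traffic.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def is_external(ip: str) -> bool:
    """True when the address falls outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_outbound_smb_to_external(log_text: str) -> List[Dict[str, str]]:
    """Return each entry where a host reached, or tried to reach, TCP/445 on an
    external address. DENY entries are kept on purpose: a blocked attempt still
    shows that a client was induced to contact an external UNC location."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        d = m.groupdict()
        if d["proto"] == "TCP" and d["dport"] == "445" and is_external(d["dst"]):
            hits.append(d)
    return hits


if __name__ == "__main__":
    for hit in find_outbound_smb_to_external(SAMPLE_LOGS):
        print(f"{hit['ts']} {hit['action']} {hit['src']} -> {hit['dst']}:445")
```

Source hosts that appear in the output are candidates for the Net-NTLMv2 leak and credential-compromise review the guidance recommends.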
Researchers from threat intelligence firm Mandiant also reported having observed activity related to a months-long cyberespionage campaign exploiting the Microsoft Outlook vulnerability CVE-2023-23397, conducted by a threat actor tracked as UNC4697 (likely linked to the APT28 group).