Russian Hackers Exploit Stealthy Outlook Vulnerability, Microsoft Warns  

Microsoft recently issued guidance to assist customers in identifying indicators of compromise (IoCs) associated with a recently resolved Outlook vulnerability. The vulnerability, known as CVE-2023-23397 and scored a 9.8 on the Common Vulnerability Scoring System (CVSS), involves a critical flaw related to privilege escalation.   

This flaw could allow for the theft of NT Lan Manager (NTLM) hashes and a relay attack to be staged without user interaction. This attack could allow an attacker to access sensitive data and systems and potentially compromise an organization’s network. Users and organizations need to apply the security updates and patches provided by Microsoft to mitigate the risk of exploitation by malicious actors.  

The warning from the company highlights a significant security threat posed by external attackers. They can exploit a vulnerability in the system by sending specially crafted emails that create a connection between the victim’s device and an untrusted location controlled by the attackers.   

As a result, the attackers gain access to the Net-NTLMv2 hash of the victim, which is then leaked to their network. This hash contains sensitive authentication information that can be transferred to other services to authenticate as the victim. The consequences of such an attack can be dire, ranging from identity theft to sensitive data. Ensuring that all software and applications are up to date with the latest security patches and educating employees on safe browsing and email practices are crucial to prevent this vulnerability.   

Additionally, ESOF VMDR implements multi-factor authentication to reduce the chances of an attacker gaining unauthorized access to sensitive information. By taking these measures, businesses can protect themselves against external attackers and ensure their valuable data remains secure.  

In March 2023, Microsoft addressed the vulnerability as a component of its Patch Tuesday updates. However, before its resolution, malicious actors from Russia had exploited the flaw to launch attacks on Europe’s government, transportation, energy, and military sectors.  

Microsoft’s incident response team detected indications of potential vulnerability exploitation as early as April 2022. The tech giant explained that a Net-NTLMv2 Relay attack was executed successfully in a particular attack sequence, allowing the threat actor to gain unauthorized entry to an Exchange Server and alter mailbox folder permissions for sustained access.  

After the compromised email account, it was utilized to expand the attacker’s reach within the affected system by sending further malicious messages to other organization members. Microsoft noted that while using NTLMv2 hashes to gain unauthorized access to resources is not new, the exploitation of CVE-2023-23397 is innovative and inconspicuous.  

To detect any possible exploitation via CVE-2023-23397, organizations are advised to examine SMB Client event logging, Process Creation events, and other network telemetry data that is accessible. The disclosure coincides with releasing a new open-source incident response tool by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which assists in identifying indications of evil activity in Microsoft cloud environments.  

The agency stated that a Python-powered “Untitled Goose Tool” tool provides innovative authentication and data-gathering techniques for analyzing Microsoft Azure, Azure Active Directory, and Microsoft 365 environments.  

Microsoft advised customers to maintain up to date on-premises Exchange servers earlier this year and implement network enhancements to minimize potential risks.  

Get ESOF to safeguard your system against malicious attacks  

The ESOF Vulnerability Management platform is a next-generation tool that utilizes ESOF VMDR to safeguard against malicious cyberattacks. Using an automatic approach, it prioritizes and continuously monitors all vulnerabilities right after the user installs them on their system.  

Protecting systems from potential data breaches is critical, especially considering recent incidents such as the one that affected the U.S. Marshals Service. It is believed that the attackers may have exploited weaknesses in their IT stack, highlighting the importance of utilizing tools like ESOF VMDR.  

ESOF VMDR protects your system in the following ways:  

• By leveraging its threat intelligence capability, it can pinpoint the assets that have vulnerabilities.  
• Using a cyber risk score enhances communication within the organization, reducing cyber risk and providing business owners with an understanding of their company’s security posture.  
• Take swift action on critical vulnerabilities through automated prioritization and remediation.  
• Ensure comprehensive protection of your company’s IT infrastructure, including all real-time files.  

• With scheduled scanning, you can identify zero-day vulnerabilities across multiple platforms, such as web, mobile, SCR, and infrastructure.  
• ESOF VMDR aids in discovering hidden vulnerabilities within the system and segregating them based on their high-risk status.