Russian hackers exploit Outlook zero-day vulnerability to target European organizations
Microsoft patches Outlook zero-day vulnerability used in attacks by Russian hackers
Microsoft has released a security patch to address a critical vulnerability (CVE-2023-23397) in Outlook that was exploited by a Russian hacking group to target government, military, energy, and transportation organizations in Europe. The group, tracked as APT28, Sednit, and Fancy Bear, used malicious Outlook notes and tasks to steal NTLM hashes, which were then used to access victims' networks and exfiltrate data from specific accounts.
The vulnerability is exploitable through low-complexity attacks: the attacker sends a message containing a UNC path that points to an attacker-controlled SMB share, and Outlook's connection to that share is what leaks the user's NTLM hash. Microsoft recommends patching immediately or, as a temporary mitigation, adding users to the Protected Users group in Active Directory and blocking outbound SMB.
Outlook versions affected
According to Microsoft, the vulnerability affects all supported versions of Outlook for Windows, but not Outlook for Android, iOS, or macOS. Online services such as Outlook on the web and Microsoft 365 do not support NTLM authentication and are therefore not affected by this NTLM relay vulnerability. To help admins check whether any users in their Exchange environment have been targeted, Microsoft released a dedicated PowerShell script that scans Exchange messaging items for malicious UNC paths and, when run in Cleanup mode, can modify or delete any potentially malicious messages it finds on the audited Exchange Server.
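As an added illustration of the kind of check Microsoft's script performs (example code written for this page, not Microsoft's script or any code from the original article), the following Python scans exported Outlook items for UNC paths whose host lies outside an assumed set of internal address ranges and DNS suffixes. The item format, the `reminder_file` field name and the internal ranges are assumptions for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Matches \\host\share at the start of a UNC path; host and share stop at the next
# backslash or whitespace. Only SMB-style UNC paths are considered here.
UNC_RE = re.compile(r'\\\\([^\\\s]+)\\([^\\\s]+)')

# Assumed internal IP ranges (RFC 1918, loopback, link-local) and DNS suffix.
# An organisation would replace these with its own allowlist.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8', '169.254.0.0/16')]
INTERNAL_SUFFIXES = ('.corp.example',)  # assumed internal DNS suffix


def unc_targets(value: str) -> list:
    """Return (host, share) pairs for every UNC path found in a property value."""
    return [(m.group(1), m.group(2)) for m in UNC_RE.finditer(value or '')]


def is_external_host(host: str) -> bool:
    """True when the UNC host is neither an internal IP nor an internal DNS name.
    Single-label names (e.g. 'fileserver') are treated as internal."""
    try:
        ip = ipaddress.ip_address(host)
        return not any(ip in net for net in INTERNAL_NETS)
    except ValueError:
        name = host.lower().rstrip('.')
        return '.' in name and not name.endswith(INTERNAL_SUFFIXES)


@dataclass
class Finding:
    item_id: str
    host: str
    share: str


def scan_items(items) -> list:
    """items: iterable of dicts with 'id' and 'reminder_file' (assumed export format).
    Returns one Finding per UNC path that points at an external host."""
    findings = []
    for item in items:
        for host, share in unc_targets(item.get('reminder_file', '')):
            if is_external_host(host):
                findings.append(Finding(item['id'], host, share))
    return findings


# Constructed sample export: only task-1 and note-3 should be flagged.
SAMPLE_ITEMS = [
    {'id': 'task-1', 'reminder_file': r'\\203.0.113.10\sounds\notify.wav'},
    {'id': 'appt-2', 'reminder_file': r'\\fileserver\reminders\ding.wav'},
    {'id': 'note-3', 'reminder_file': r'\\files.external.example\audio\alert.wav'},
    {'id': 'task-4', 'reminder_file': 'C:\\Windows\\Media\\chimes.wav'},
    {'id': 'appt-5', 'reminder_file': r'\\10.1.2.3\media\tone.wav'},
]

if __name__ == '__main__':
    for f in scan_items(SAMPLE_ITEMS):
        print(f'{f.item_id}: UNC path to external host {f.host} (share {f.share})')
```

Flagged items are candidates for review, not proof of compromise; the host allowlist decides what counts as external, so tune it before relying on the result.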
This critical elevation of privilege security flaw was first reported by the Computer Emergency Response Team for Ukraine (CERT-UA). Microsoft shared this information in a private threat analytics report available to customers with Microsoft 365 Defender, Microsoft Defender for Business, or Microsoft Defender for Endpoint Plan 2 subscriptions.
Microsoft urges its customers to take immediate action and patch their systems against CVE-2023-23397. Where patching must wait, adding users to the Protected Users group in Active Directory and blocking outbound SMB serve as temporary mitigations to limit the impact of the attacks.