Microsoft remediates Outlook zero-day exploited by Russian threat actors

Update – Proof-of-Concept exploit released for critical Microsoft vulnerability (15th March 2023 – 13:00 UTC)

Overview

A Proof-of-Concept (PoC) has been disclosed for the recently discovered Microsoft vulnerability tracked as CVE-2023-23397. The security flaw is a critical Elevation of Privilege (EoP) vulnerability in the Microsoft Outlook platform that allows threat actors to steal password hashes by abusing the New Technology LAN Manager (NTLM) authentication mechanism.

Microsoft released a PowerShell script that allows administrators to determine whether any users within their Exchange environment have been targeted. When run in clean-up mode, the script can also modify or delete potentially malicious messages found on the audited Exchange Server.

Research relating to the PoC concluded the following:

– The script searches received mail items for the “PidLidReminderFileParameter” property and removes it when present. This property lets the sender specify the filename of the sound that the Outlook client plays when the message reminder is triggered.
– The above findings allowed for the creation of a malicious Outlook email (.MSG) containing a calendar appointment that triggers the vulnerability and subsequently sends the target’s NTLM hashes to an arbitrary server.
– CVE-2023-23397 can be exploited to trigger authentication to an IP address that is outside of the Trusted Intranet Zone or Trusted Sites.
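The findings above boil down to one defensive check: does the reminder file parameter point at a UNC path whose host lies outside the local network? The following PowerShell is an added example, not part of the bulletin and not Microsoft's own CVE-2023-23397 script; it takes a PidLidReminderFileParameter value (as a string, assumed already extracted from the mail item) and classifies it. The zone logic is a deliberate simplification of the Windows "Local intranet" heuristic, and the function names and sample values are constructed for illustration.

```powershell
# Added example, not part of the bulletin and not Microsoft's CVE-2023-23397
# script: classify a PidLidReminderFileParameter value by whether it would
# make Outlook open a UNC path on a host outside the local network.
# The zone logic is a deliberate simplification of the Windows
# "Local intranet" heuristic (single-label names and private/loopback
# address ranges count as internal); adjust the ranges to your environment.

function Test-PrivateAddress {
    param([Parameter(Mandatory)][System.Net.IPAddress]$Address)
    if ($Address.AddressFamily -eq 'InterNetworkV6') {
        # Loopback and link-local only; ULA (fc00::/7) is not covered here.
        return $Address.Equals([System.Net.IPAddress]::IPv6Loopback) -or $Address.IsIPv6LinkLocal
    }
    $b = $Address.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 127) -or
           ($b[0] -eq 169 -and $b[1] -eq 254) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Test-ReminderFileParameter {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)

    $result = [ordered]@{
        Value      = $Value
        IsUnc      = $false
        TargetHost = $null
        IsExternal = $false
        Verdict    = 'benign'
    }

    # Only a UNC path (\\host\share\...) causes an SMB connection and an NTLM
    # negotiation; local drive paths and empty values are left alone.
    if ($Value -match '^\\\\([^\\]+)\\') {
        $result.IsUnc      = $true
        $result.TargetHost = $Matches[1]

        $ip = $null
        if ([System.Net.IPAddress]::TryParse($result.TargetHost, [ref]$ip)) {
            $result.IsExternal = -not (Test-PrivateAddress -Address $ip)
        } else {
            # Dotted names are treated as outside the intranet zone; a
            # single-label name is assumed to be an internal file server.
            $result.IsExternal = $result.TargetHost.Contains('.')
        }
        if ($result.IsExternal) { $result.Verdict = 'suspicious' }
    }
    [pscustomobject]$result
}

# Constructed sample values (192.0.2.0/24 and example.net are reserved for
# documentation and are not real targets).
$samples = @(
    'C:\Windows\Media\notify.wav',
    '\\fileserver\sounds\chime.wav',
    '\\10.0.0.5\sounds\chime.wav',
    '\\192.0.2.10\share\reminder.wav',
    '\\reminders.example.net\share\reminder.wav'
)
$samples | ForEach-Object { Test-ReminderFileParameter -Value $_ } |
    Format-Table Verdict, IsUnc, TargetHost, Value -AutoSize
```

Of the five constructed samples, only the last two are reported as suspicious: the local drive path never triggers SMB, and the single-label name and the 10.0.0.5 address fall inside the internal ranges. Treat the verdict as a triage signal to pair with the Exchange audit described above, not as a replacement for it.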

Updated Affected Products

All supported versions of Microsoft Outlook for Windows are affected by CVE-2023-23397. However, it does not affect Outlook for Android, iOS, or macOS versions. Additionally, since online services such as Outlook on the web and Microsoft 365 do not support NTLM authentication, they are not vulnerable to attacks exploiting the vulnerability.

Updated Containment, Mitigations & Remediations

It is strongly recommended that the relevant security patch is applied to the respective Microsoft products associated with CVE-2023-23397. The patch can be found directly at the Microsoft Patch Tuesday March 2023 Release Note. If it is not possible to patch the vulnerability immediately, it is advised that users block outbound TCP 445/SMB with a firewall or through the implementation of the relevant VPN settings.

Updated Further Information

Bleeping Computer Article

Target Industry

Government, military, and critical infrastructure entities in Europe.

Overview

Severity level: CVE-2023-23397 (CVSSv3 base score of 9.8 – Critical Severity): a critical Elevation of Privilege vulnerability affecting Outlook for Windows; compromise may result in the loss of confidentiality and integrity of data.

Microsoft has patched an Outlook zero-day vulnerability, tracked as CVE-2023-23397. The security flaw has been exploited by the threat actor group tracked as APT28, which is linked to Russia’s foreign military intelligence agency, GRU, to target European organisations. CVE-2023-23397 was reported by CERT-UA (the Computer Emergency Response Team for Ukraine), and it pertains to a critical Elevation of Privilege (EoP) vulnerability in the Microsoft Outlook platform that is triggered when a threat actor sends a message with a UNC path to a Server Message Block (SMB) (TCP port 445) share on a threat actor-controlled server. This security flaw is particularly dangerous as no user interaction is required.

The vulnerability was reported to have been exploited in attack efforts targeting government, military, energy and transportation organisations from April to December 2022. Stolen credentials were used for lateral movement purposes within target networks, with the intention of modifying Outlook mailbox folder permissions, a tactic that allows for email exfiltration for specific accounts.

Impact

Successful exploitation of CVE-2023-23397 could allow a threat actor to use a specially crafted email to cause Outlook to send New Technology LAN Manager (NTLM) authentication messages to an attacker-controlled SMB share, which could subsequently be used to authenticate against other services offering NTLM authentication.

APT28 was observed sending malicious Outlook notes and tasks with the objective of stealing NTLM hashes via NTLM negotiation requests, forcing target devices to authenticate to attacker-controlled SMB shares.

Vulnerability Detection

A security patch for CVE-2023-23397 has been released by Microsoft. Product versions that predate the patch therefore remain vulnerable to exploitation.

Affected Products

All supported versions of Microsoft Outlook for Windows are affected by CVE-2023-23397. However, it does not affect Outlook for Android, iOS, or macOS versions. Additionally, since online services such as Outlook on the web and Microsoft 365 do not support NTLM authentication, they are not vulnerable to attacks exploiting the vulnerability.

Containment, Mitigations & Remediations

It is strongly recommended that the relevant security patch is applied to the respective Microsoft products associated with CVE-2023-23397. The patch can be found directly at the Microsoft Patch Tuesday March 2023 Release Note. If it is not possible to patch the vulnerability immediately, it is advised that users block outbound TCP 445/SMB with a firewall or through the implementation of the relevant VPN settings.
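The interim mitigation stated in both the original and the updated containment sections is to block outbound TCP 445 while the patch is rolled out. The following PowerShell is an added example, not from the bulletin or from Microsoft, of applying that block on a Windows host with the built-in NetSecurity module and then verifying it. The rule name is our own choice, and scoping the rule to the Windows Firewall "Internet" address keyword (so that SMB to internal file servers keeps working) is an assumption that goes slightly beyond the bulletin's blanket wording; a perimeter firewall rule remains the primary control.

```powershell
# Added example, not from the bulletin: host-based fallback for the
# "block outbound TCP 445" mitigation using the NetSecurity module.
# The rule name is our own choice. "Internet" is a Windows Firewall address
# keyword for non-local addresses, assumed here to be the right scope so
# that SMB to internal file servers keeps working. Run from an elevated prompt.
#Requires -RunAsAdministrator

$RuleName = 'Block outbound SMB to Internet (CVE-2023-23397 interim mitigation)'

function Set-OutboundSmbBlock {
    param([string]$Name = $RuleName)
    # Idempotent: do not create a duplicate rule on repeated runs.
    $existing = Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Verbose "Rule '$Name' already exists; leaving it in place."
        return $existing
    }
    New-NetFirewallRule -DisplayName $Name `
        -Direction Outbound -Action Block -Enabled True `
        -Protocol TCP -RemotePort 445 -RemoteAddress Internet `
        -Profile Any `
        -Description 'Interim mitigation until the March 2023 Outlook security update is deployed'
}

function Test-OutboundSmbBlock {
    param([string]$Name = $RuleName)
    # Confirm the rule exists and that its filters match what we intended.
    $rule = Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue
    if (-not $rule) { return $false }
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    return ($rule.Enabled -eq 'True') -and
           ($rule.Direction -eq 'Outbound') -and
           ($rule.Action -eq 'Block') -and
           ($port.Protocol -eq 'TCP') -and
           ($port.RemotePort -eq '445') -and
           ($addr.RemoteAddress -eq 'Internet')
}

Set-OutboundSmbBlock | Out-Null
if (Test-OutboundSmbBlock) {
    'Outbound SMB block rule is active'
} else {
    'Rule missing or misconfigured'
}
```

Windows Firewall evaluates block rules before allow rules, so this rule cannot be overridden by an existing allow rule for SMB. Remove it once the patch is deployed, and remember that the bulletin also recommends the equivalent block in VPN settings, since a client on a remote connection may bypass the corporate perimeter.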

Microsoft has released a PowerShell script that allows administrators to determine whether any users within their Exchange environment have been targeted. When run in clean-up mode, the script can also modify or delete potentially malicious messages found on the audited Exchange Server.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available at this time.

Threat Landscape

Considering the network attack vector, the prevalence of SMB shares, and the lack of user interaction required, a threat actor with an established foothold on a target network could consider this vulnerability as a prime option for lateral movement purposes. More widespread attacks are likely to occur in the future as the patch is reverse-engineered and offensive security researchers identify the technical nuances of the exploit.

Threat Group

APT28 (also known as Fancy Bear, Pawn Storm, Sofacy, Strontium, Tsar Team, and Iron Twilight) is a Russian state-sponsored group attributed to Unit 26165 of the Main Directorate/Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). The group has been operational since at least 2004 and conducts espionage against targeted entities for both intelligence gathering and hack-and-leak/Information Operations (IO).

MITRE Methodologies

Tactic:

TA0004 – Privilege Escalation

Technique – Credential Access:

T1187 – Forced Authentication

Technique – Lateral Movement:

T1021.002 – Remote Services: SMB/Windows Admin Shares

Further Information

Bleeping Computer Article
Microsoft Blog
Forbes Article
The Stack Technology Report
