
Microsoft remediates Outlook zero-day exploited by Russian threat actors

Updated remediations and mitigation strategies for CVE-2023-23397 (24th March 2023)

Overview

CVE-2023-23397 is a critical elevation of privilege vulnerability in Microsoft Outlook on Windows. Threat actors can exploit this vulnerability by delivering a specially crafted message to a target user. This message includes the ‘PidLidReminderFileParameter’ extended Messaging Application Programming Interface (MAPI) property, which must be set to a Universal Naming Convention (UNC) path share on a threat actor-controlled server (via Server Message Block (SMB) / Transmission Control Protocol (TCP) port 445).

Upon recent investigation of CVE-2023-23397, several post-exploitation operations were observed. The presence of such artifacts could strongly suggest the compromise of target user accounts:

– Initial access (authentication bypass): Using a Net-NTLMv2 Relay attack against Exchange servers.

– Credential access/lateral movement: Using the Exchange Web Services (EWS) API to send additional messages with the malicious value of the PidLidReminderFileParameter extended MAPI property to users inside and external to the organisation.

– Discovery/persistence: Using the EWS API to enumerate folders in a compromised user’s mailbox and modifying the mailbox folder permissions using the UpdateFolder API, ensuring that any authenticated user can access all mailbox folder content with “owner” privileges. This technique establishes additional persistent access to contents of target mailboxes even if a password reset has occurred.

Updated Impact

Successful exploitation of CVE-2023-23397 allows threat actors to specify the value for the PidLidReminderFileParameter in specially crafted messages to trigger a Net-NTLMv2 hash leak to attacker-controlled servers.

Updated Vulnerability Detection

The advanced hunting module can be used within the Microsoft Defender for Endpoint portal whereby multiple tables can be queried simultaneously to uncover activities related to IP address indicators:

// Search for device activity involving the network IoCs listed in this bulletin
// (replace the placeholders with the indicator IP addresses)
let IoCs = dynamic(["<IP Address 1>", "<IP Address 2>"]);
let range = ago(30d);
union (DeviceProcessEvents | where Timestamp > range | where ProcessCommandLine has_any (IoCs)),
      (DeviceNetworkEvents | where Timestamp > range | where RemoteIP in (IoCs) or LocalIP in (IoCs)),
      (DeviceLogonEvents | where Timestamp > range | where RemoteIP in (IoCs))
| extend SignatureName = tostring(parse_json(AdditionalFields).SignatureName)
| project-reorder Timestamp, DeviceName, ActionType, LocalIP, RemoteIP, RemotePort, SignatureName, ProcessCommandLine
| sort by Timestamp desc

Additional approaches exist for identifying whether an organisation has been targeted, including:

– Reviewing suspicious messages, calendar items, or tasks with reminders that were reported by users
– Examining network logging and endpoint logging for evidence of known indicators of compromise
– Scanning Exchange for delivered messages with the PidLidReminderFileParameter set
– Hunting for anomalous behaviours based on NTLM authentication involving untrusted or external resources, WebDAV connection attempts through process execution events, SMBClient event log entries and firewall logs for suspicious outbound SMB connections.
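The third item above, scanning delivered items for the PidLidReminderFileParameter property, produces a list of raw property values that still has to be triaged. The following Python helper is an added example, not code from the bulletin and not Microsoft's Exchange script; it assumes the property values have already been extracted (for instance by the Microsoft-provided script or an EWS query) and classifies each one as a local path, an internal share, or a reference to a host outside the organisation, which is the pattern this bulletin describes. INTERNAL_SUFFIXES is a hypothetical allowlist and the sample values at the bottom are constructed.

```python
"""Triage of PidLidReminderFileParameter values pulled from mailbox items (added example)."""
import ipaddress
import re
from urllib.parse import urlparse

# Hypothetical allowlist of internal DNS suffixes (assumption, not from the bulletin).
INTERNAL_SUFFIXES = (".corp.example",)

# RFC 1918, loopback and link-local ranges are treated as "not the internet".
_PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Matches \\host\share\..., \\host\ or \\host; forward slashes are tolerated too.
_UNC_RE = re.compile(r"^[\\/]{2}([^\\/]+)(?:[\\/]|$)")


def extract_remote_host(value):
    """Return the host a reminder sound path would be fetched from, or None for local paths."""
    v = value.strip()
    m = _UNC_RE.match(v)
    if m:
        host = m.group(1)
    elif v.lower().startswith("file:"):
        host = urlparse(v).hostname  # None for file:///C:/... style local URLs
    else:
        return None
    if not host:
        return None
    # UNC-to-WebDAV syntax can carry @port or @SSL@port after the host name.
    return host.split("@", 1)[0].lower()


def is_external_host(host):
    """True when the host is a public IP or a dotted name outside the internal allowlist."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Single-label names resolve on the intranet; dotted names must match the allowlist.
        return "." in host and not host.endswith(INTERNAL_SUFFIXES)
    return not any(ip in net for net in _PRIVATE_NETS)


def classify(value):
    """Classify one property value as 'local', 'internal-share' or 'suspicious-external'."""
    host = extract_remote_host(value)
    if host is None:
        return "local"
    return "suspicious-external" if is_external_host(host) else "internal-share"


def triage(values):
    """Return only the values that warrant incident response, paired with their remote host."""
    return [(v, extract_remote_host(v)) for v in values
            if classify(v) == "suspicious-external"]


if __name__ == "__main__":
    # Constructed sample values, not observed data.
    SAMPLES = [
        r"C:\Windows\Media\Windows Notify.wav",
        r"\\FILESRV01\sounds\reminder.wav",
        r"\\203.0.113.10\share\reminder.wav",
        r"\\203.0.113.10@80\dav\reminder.wav",
        "file://files.example.net/reminder.wav",
    ]
    for value, host in triage(SAMPLES):
        print(f"{value!r} -> connects to {host}")
```

Anything the helper reports as suspicious-external is a candidate for the clean-up mode of the Microsoft script and for the password reset and incident response steps listed later in this bulletin; internal shares still deserve a look, since a compromised internal host could be used as the relay point.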

Network perimeter telemetry and/or EDR data can be investigated for SMB connections involving external IP addresses as part of a larger threat hunting strategy. The following query can be used in the advanced hunting portal of Microsoft Defender for Endpoint to further associate SMB connections with Net-NTLMv2 behaviour:

// Hunt for SMB to the internet
let range = ago(30d);
DeviceNetworkEvents
| where Timestamp > range
// Connection events have RemotePort set to 445;
// NetworkSignatureInspected events have LocalPort set to 445
| where RemotePort == 445 or LocalPort == 445
| where not(ipv4_is_private(RemoteIP)) or not(ipv4_is_private(LocalIP))
| extend SignatureName = tostring(parse_json(AdditionalFields).SignatureName)
| project-reorder Timestamp, DeviceName, ActionType, LocalIP, RemoteIP, LocalPort, RemotePort, SignatureName
| sort by Timestamp desc

Updated Indicators of Compromise

Network Indicators:
– 101.255.119[.]42
– 213.32.252[.]221
– 168.205.200[.]55
– 185.132.17[.]160
– 69.162.253[.]21
– 113.160.234[.]229
– 181.209.99[.]204
– 82.196.113[.]102
– 85.195.206[.]7
– 61.14.68[.]33
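The two advanced-hunting queries above only run inside the Defender for Endpoint portal. As an added example (not code from the bulletin or from Microsoft), the Python below re-implements their filters so the same logic can be applied to exported or constructed DeviceNetworkEvents-style records: a 30-day lookback, port 445 on either side with a non-private address on either side, and a match against the network indicators listed in this section, refanged from their bracketed form. The event records are constructed for illustration and ipv4_is_private mirrors the KQL function's RFC 1918 semantics.

```python
"""Offline version of the bulletin's SMB-to-internet and IoC hunting queries (added example)."""
import ipaddress
from datetime import datetime, timedelta, timezone

# Network indicators exactly as listed in this bulletin (defanged).
BULLETIN_IOCS = [
    "101.255.119[.]42", "213.32.252[.]221", "168.205.200[.]55", "185.132.17[.]160",
    "69.162.253[.]21", "113.160.234[.]229", "181.209.99[.]204", "82.196.113[.]102",
    "85.195.206[.]7", "61.14.68[.]33",
]

_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def refang(ioc):
    """Turn a defanged indicator such as 1.2.3[.]4 back into a comparable address string."""
    return ioc.replace("[.]", ".")


def ipv4_is_private(addr):
    """Mirror of KQL ipv4_is_private(): true only for the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in _RFC1918)


# Constructed DeviceNetworkEvents-style records; not real telemetry.
NOW = datetime(2023, 3, 24, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    {"Timestamp": NOW - timedelta(days=1), "DeviceName": "ws01", "ActionType": "ConnectionSuccess",
     "LocalIP": "10.0.0.15", "LocalPort": 51234, "RemoteIP": "10.0.0.20", "RemotePort": 445},      # internal SMB
    {"Timestamp": NOW - timedelta(days=2), "DeviceName": "ws01", "ActionType": "ConnectionSuccess",
     "LocalIP": "10.0.0.15", "LocalPort": 51240, "RemoteIP": "101.255.119.42", "RemotePort": 445}, # SMB to an IoC
    {"Timestamp": NOW - timedelta(days=3), "DeviceName": "ws02", "ActionType": "ConnectionSuccess",
     "LocalIP": "10.0.0.16", "LocalPort": 51300, "RemoteIP": "203.0.113.8", "RemotePort": 445},    # SMB to the internet
    {"Timestamp": NOW - timedelta(days=45), "DeviceName": "ws03", "ActionType": "ConnectionSuccess",
     "LocalIP": "10.0.0.17", "LocalPort": 51400, "RemoteIP": "198.51.100.9", "RemotePort": 445},   # outside the window
    {"Timestamp": NOW - timedelta(hours=5), "DeviceName": "ws02", "ActionType": "ConnectionSuccess",
     "LocalIP": "10.0.0.16", "LocalPort": 51500, "RemoteIP": "203.0.113.8", "RemotePort": 443},    # HTTPS, not SMB
]


def hunt_smb_to_internet(events, now=NOW, lookback=timedelta(days=30)):
    """Same filter as the 'Hunt for SMB to the internet' query, newest first."""
    cutoff = now - lookback
    hits = [e for e in events
            if e["Timestamp"] > cutoff
            and (e["RemotePort"] == 445 or e["LocalPort"] == 445)
            and (not ipv4_is_private(e["RemoteIP"]) or not ipv4_is_private(e["LocalIP"]))]
    return sorted(hits, key=lambda e: e["Timestamp"], reverse=True)


def match_iocs(events, iocs=BULLETIN_IOCS, now=NOW, lookback=timedelta(days=30)):
    """Same filter as the DeviceNetworkEvents branch of the IoC query: either address in the indicator set."""
    wanted = {refang(i) for i in iocs}
    cutoff = now - lookback
    return [e for e in events
            if e["Timestamp"] > cutoff and (e["RemoteIP"] in wanted or e["LocalIP"] in wanted)]


if __name__ == "__main__":
    for e in hunt_smb_to_internet(EVENTS):
        print("SMB to internet:", e["Timestamp"].isoformat(), e["DeviceName"], e["RemoteIP"], e["RemotePort"])
    for e in match_iocs(EVENTS):
        print("IoC match:      ", e["Timestamp"].isoformat(), e["DeviceName"], e["RemoteIP"])
```

The SMB-to-internet filter is deliberately broad and will surface legitimate traffic (cloud file shares, VPN split-tunnel gaps); the IoC match is the narrow, high-confidence signal, so triage the overlap between the two lists first.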

Updated Containment, Mitigations & Remediations

Ensure Microsoft Outlook is updated as soon as possible to mitigate the vulnerability. If the relevant patch cannot be applied immediately, it is strongly recommended that the best practices outlined below are followed to defend against this type of attack and the associated post-exploitation behaviour:

– Block TCP 445/SMB outbound from your network by using a perimeter firewall, local firewall, and through your VPN settings, where reasonably possible

– For organisations leveraging on-premises Microsoft Exchange Server, apply the latest security updates to ensure that defence-in-depth mitigations are active

– Where suspicious or malicious reminder values are observed, use the Microsoft-provided script to remove either the affected messages or just the malicious properties, and consider initiating incident response activities

– Reset the passwords of any compromised account logged in to computers of which the user received suspicious reminders and initiate incident response activities

– Enforce the multi-factor authentication requirement to mitigate the impact of potential Net-NTLMv2 Relay attacks

– Disable unnecessary services on Exchange

– Where possible, limit SMB traffic by blocking connections on ports 135 and 445 from all inbound IP addresses except those on a controlled allowlist

– Where possible, disable NTLM in the environment.

Updated Further Information

Microsoft Advisory

Update – Proof-of-Concept exploit released for critical Microsoft vulnerability (15th March 2023 – 13:00 UTC)

Overview

A Proof-of-Concept (PoC) has been disclosed regarding the recently discovered Microsoft vulnerability, being tracked as CVE-2023-23397. The security flaw is a critical Elevation of Privilege (EoP) vulnerability in the Microsoft Outlook platform that allows threat actors to engage in the theft of password hashes by manipulating the New Technology LAN Manager (NTLM) authentication mechanism.

Microsoft released a PowerShell script that functions to allow administrators to determine whether or not any users within their Exchange environment have been targeted. This script also allows potentially malicious messages to be modified or deleted if they are found on the audited Exchange Server when run in clean-up mode.

Research relating to the PoC concluded the following:

– The script searches the received mail items for the “PidLidReminderFileParameter” property and removes it when present. This property allows the sender to define the file that the Outlook client should play when the message reminder is triggered
– The above findings allowed for the creation of a malicious Outlook email (.MSG) with a calendar appointment that would trigger the vulnerability and subsequently send the target’s NTLM hashes to an arbitrary server
– CVE-2023-23397 can be exploited to trigger authentication to an IP address that is outside of the Trusted Intranet Zone or Trusted Sites.

Updated Affected Products

All supported versions of Microsoft Outlook for Windows are affected by CVE-2023-23397. However, it does not affect Outlook for Android, iOS, or macOS versions. Additionally, since online services such as Outlook on the web and Microsoft 365 do not support NTLM authentication, they are not vulnerable to attacks exploiting the vulnerability.

Updated Containment, Mitigations & Remediations

It is strongly recommended that the relevant security patch is applied to the respective Microsoft products associated with CVE-2023-23397. The patch can be found directly at the Microsoft Patch Tuesday March 2023 Release Note. If it is not possible to patch the vulnerability immediately, it is advised that users block outbound TCP 445/SMB with a firewall or through the implementation of the relevant VPN settings.

Updated Further Information

Bleeping Computer Article

Target Industry

Government, military, and critical infrastructure entities in Europe.

Overview

Severity level: CVE-2023-23397 (CVSSv3 base score of 9.8 – Critical Severity): Critical Elevation of Privilege vulnerability affecting Outlook for Windows; compromise may result in the loss of confidentiality and integrity of data.

Microsoft has patched an Outlook zero-day vulnerability, tracked as CVE-2023-23397. The security flaw has been exploited by the threat actor group tracked as APT28, which is linked to Russia’s foreign military intelligence agency, GRU, to target European organisations. CVE-2023-23397 was reported by CERT-UA (the Computer Emergency Response Team for Ukraine), and it pertains to a critical Elevation of Privilege (EoP) vulnerability in the Microsoft Outlook platform that is triggered when a threat actor sends a message with a UNC path to a Server Message Block (SMB) (TCP port 445) share on a threat actor-controlled server. This security flaw is particularly dangerous as no user interaction is required.

The vulnerability was reported to have been exploited in attack efforts targeting government, military, energy and transportation organisations from April to December 2022. Stolen credentials were used for lateral movement purposes within target networks, with the intention of modifying Outlook mailbox folder permissions, a tactic that allows for email exfiltration for specific accounts.

Impact

Successful exploitation of CVE-2023-23397 could allow a threat actor to use a specially crafted email to cause Outlook to send New Technology LAN Manager (NTLM) authentication messages to an attacker-controlled SMB share, which could subsequently be used to authenticate against other services offering NTLM authentication.

APT28 was detected to have sent malicious Outlook notes and tasks with the objective of stealing NTLM hashes, via NTLM negotiation requests, by forcing target devices to authenticate to attacker-controlled SMB shares.

Vulnerability Detection

A security patch for CVE-2023-23397 has been released by Microsoft. Product versions released prior to the patch therefore remain vulnerable to exploitation.

Affected Products

All supported versions of Microsoft Outlook for Windows are affected by CVE-2023-23397. However, it does not affect Outlook for Android, iOS, or macOS versions. Additionally, since online services such as Outlook on the web and Microsoft 365 do not support NTLM authentication, they are not vulnerable to attacks exploiting the vulnerability.

Containment, Mitigations & Remediations

It is strongly recommended that the relevant security patch is applied to the respective Microsoft products associated with CVE-2023-23397. The patch can be found directly at the Microsoft Patch Tuesday March 2023 Release Note. If it is not possible to patch the vulnerability immediately, it is advised that users block outbound TCP 445/SMB with a firewall or through the implementation of the relevant VPN settings.

Microsoft has released a PowerShell script that functions to allow administrators to determine whether or not any users within their Exchange environment have been targeted. This script also allows potentially malicious messages to be modified or deleted if they are found on the audited Exchange Server when run in Clean-up mode.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available at this time.

Threat Landscape

Considering the network attack vector, the prevalence of SMB shares, and the lack of user interaction required, a threat actor with an established foothold on a target network could consider this vulnerability as a prime option for lateral movement purposes. More widespread attacks are likely to occur in the future as the patch is reverse-engineered and offensive security researchers identify the technical nuances of the exploit.

Threat Group

APT28 (also known as Fancy Bear, Pawn Storm, Sofacy, Strontium, Tsar Team, and Iron Twilight) is a Russian state-sponsored group that is attributed to the Russian Main Directorate/Main Intelligence Directorate of the General Staff of the Armed Forces (GRU) Unit 26165. The group has been operational since at least 2004 and conducts espionage against targeted entities for both intelligence gathering and hack and leak/Information Operations (IO).

MITRE Methodologies

Tactic:

TA0004 – Privilege Escalation

Technique – Credential Access:

T1187 – Forced Authentication

Technique – Lateral Movement:

T1021.002 – Remote Services: SMB/Windows Admin Shares

Further Information

Bleeping Computer Article
Microsoft Blog
Forbes Article
The Stack Technology Report
