Microsoft Cautions Users to Kremlin-Backed APT28 Benefiting of Outlook Vulnerability

Microsoft announced on Monday that it had discovered nation-state activity, backed by the Kremlin, that was taking advantage of a serious security fault in its Outlook email service. The malicious actors used this security fault to access victims' accounts on MS. Exchange servers without authorization.

The IT giant identified Forest Blizzard (previously Strontium) as the Kremlin responsible for the intrusions. This malicious actor is known by the tracking IDs APT28, BlueDelta, Fancy Bear, FROZENLAKE, Iron Twilight, Sednit, and Sofacy as well.

CVE-2023-23397 (CVSS score: 9.8) is the security flaw under consideration. It is a significant privilege escalation problem that might provide an adversary access to a user's Net-NTLMv2 hash. Then, the hackers can use it to launch a relay attack against another service to verify their identity as the user.

Microsoft released a patch for it in March 2023. The Polish Cyber Command (DKWOC) stated that the objective was to get unauthorized access to mailboxes owned by both public and private organizations across the nation.

"In the next stage of malicious activity, the adversary modifies folder permissions within the victim's mailbox," stated DKWOC. "In most cases, the modifications are to change the default permissions of the 'Default' group (all authenticated users in the Exchange organization) from 'None' to 'Owner.'"

By doing this, the Kremlin can obtain important data from high-value targets by allowing any authenticated individual within the company to read the contents of mailbox folders that have been granted this permission.

"It should be emphasized that the introduction of such modifications allows for the maintenance of unauthorized access to the contents of the mailbox even after losing direct access to it," DKWOC warned.

Microsoft previously revealed that since April 2022, threat actors located in Russia have been using the security flaw as a zero-day malware mechanism against the European government, transportation, energy, and military sectors.

Then, in June 2023, cybersecurity company Recorded Future disclosed specifics of a phishing attack campaign run by APT28. It took advantage of several flaws in the open-source Roundcube webmail program. Also, the report pointed out that the campaign coincides with actions that utilize the weakness in Microsoft Outlook.

Also, the French National Cybersecurity Agency (ANSSI) accused the hacking group of using vulnerabilities in late October, including CVE-2023-23397, to target companies, government agencies, academic institutions, research centers, and think tanks since the second half of 2021.

According to assessments, the state-sponsored group is associated with Unit 26165 of the Ministry of Defense's foreign intelligence branch, the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).

It has also been linked, in recent months, to attacks on several French & Ukrainian organizations, in addition to the misuse of the WinRAR vulnerability (CVE-2023-38831) to steal browser login credentials through the usage of a PowerShell script called IRONJAW.

"Forest Blizzard continually refines its footprint by employing new custom techniques and malware, suggesting that it is a well-resourced and well-trained group posing long-term challenges to attribution and tracking its activities," Microsoft claimed.

Because Microsoft Outlook is widely used in business settings, it is a beneficial attack vector geometry and "one of the critical 'gateways' responsible for introducing various cyber threats into organizations," according to Check Point, which outlined many ways that malicious actors could exploit the service to distribute their exploits.