Microsoft acts against the threat actors that are behind Forest Blizzard in coordination with the Polish Cyber Command (DKWOC). As MS Outlook is a widely utilized email platform, there is a vast potential victim pool that hackers target & exploit. By taking advantage of Outlook's weaknesses, black hat hackers can:
- Gain Illegal Access to Sensitive Data
- Compromise User's Systems
- Carry Out Malicious Activities
Microsoft's cybersecurity experts have discovered that the Russian nation-state group Forest Blizzard (STRONTIUM) is actively using the vulnerability "CVE-2023-23397". They are doing it to gain illegal access to Exchange server email accounts.
Vulnerability of Outlook Privilege Escalation
Regarded as a critical Outlook vulnerability on Windows, CVE-2023-23397 is an escalation of privilege issue that allows threat actors to take advantage of a prepared message that causes a Net-NTLMv2 hash leak to their server. All Windows versions of Outlook are vulnerable to this significant privilege escalation issue, although none of the following platforms were affected:
- Web (OWA)
This method uses Winmail.dat attachments and Microsoft's TNEF (Transport Neutral Encapsulation Format) to send attachment emails and Outlook-specific capabilities. Custom reminder sounds can be specified in Outlook on Windows, which changes the PidLidReminderFileParameter MAPI property.
Threat actors take advantage of this by manipulating properties, tricking users, and leaking the Net-NTLMv2 hash of the Windows user who is signed in, all with the help of tools like MFCMAPI. We have listed every post-exploitation activity below:
- Initial Access (Authentication Bypass): Exchange servers that allow initial access are susceptible to a Net-NTLMv2 Relay attack. The important point is that while a federated identity provider can be vulnerable, Azure AD, the default for Exchange Online, is not directly vulnerable.
- Lateral Movement/Credential Access: Threat actors send malicious PidI dReminderFile Parameter values to internal and external users by abusing the Exchange Web Services (EWS) API.
- Persistence/Discovery: Threat actors list and modify folder permissions in a compromised user's inbox, allowing illegal access, by using the EWS API. The persistence technique guarantees access continuation even in the event of password resets.
Be on the lookout for online dangers! Combating post-exploitation behaviors such as lateral movement, authentication bypass, and persistence requires awareness.
All of the suggestions made by the cybersecurity researchers are listed below:
- For mitigation, be sure to upgrade Microsoft Outlook as soon as possible. If quick patching is not practical, then implement recommended security actions to mitigate the vulnerability.
- To enable defense-in-depth mitigations, apply the most recent security patches for Microsoft Exchange Server running on-premises.
- Use the script to remove messages or attributes and start incident response as necessary if suspicious reminder values are found.
- For users who were specifically targeted and sent ominous reminders, reset their passwords. For impacted accounts, start an incident response.
- By using multi factor authentication, you can lessen the impact of Net-NTLMv2 Relay attacks.
- In addition, you also need to verify that Exchange has all superfluous services turned off.
- Limit SMB traffic by permitting only the IP addresses listed on the allowlist and blocking ports 135 and 445.
- In your setup, turn off NTLM.
Take immediate action to enhance your cybersecurity posture using these suggestions! Upgrade Outlook, apply patches and implement recommended measures for robust protection.