In a recent analysis, InsiderSecurity delves into the intricacies of the Outlook vulnerability, CVE-2023-23397, shedding light on potential exploitation techniques and proposing early detection methods. As Microsoft rushes to address this vulnerability with a recent patch, the severity of the situation becomes evident, given its exploitation over the past year. With a CVSS score of 9.8, this vulnerability poses a substantial risk, impacting a range of Microsoft applications, including Outlook 2013 SP1 and Microsoft 365 apps for enterprise.
The gravity of CVE-2023-23397 is further heightened by its exploitation by a hacking group associated with Russia’s GRU military intelligence agency. This group has targeted European organizations in critical sectors, such as government, transportation, energy, and the military. As the security community grapples with this evolving threat, companies face a pressing need to not only patch their Outlook software promptly but also to implement robust measures for detecting potential compromises.
One of the critical aspects of CVE-2023-23397 is its ability to allow attackers to steal the Net-NTLM hash from victims. This stolen hash can be leveraged by attackers to assume a victim’s identity and infiltrate deeper into organizational networks. The method of stealing the Net-NTLM hash involves tricking victims into accessing a UNC path, creating a scenario where the hash is leaked to the attacker.
While the ‘leaking’ of the Net-NTLM hash isn’t a novel concept, this behaviour becomes a vulnerability when an attacker controls the destination. Windows machines use this feature for communication, especially when Kerberos authentication is not feasible, as is the case when users communicate with machines in different domains or machines identified solely by their IP addresses. In such instances, the authentication type is downgraded from Kerberos to NTLM, automatically sending the user’s Net-NTLM hash to the destination, which an attacker can exploit.
The impact of CVE-2023-23397 mirrors that of a successful Net-NTLM based attack. In all attack paths, the attacker initiates the exploit by sending a malicious email to the victim, prompting the victim’s machine to send its Net-NTLM hash to the attacker. Once in possession of the hash, the attacker has various options:
InsiderSecurity proposes several strategies to detect successful Net-NTLM based exploits resulting from CVE-2023-23397 or similar vulnerabilities:
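One detection of this kind, added here as an example and not part of InsiderSecurity's analysis: because the UNC-path trick makes the victim's machine open an SMB connection to the attacker's host, egress flow logs showing a workstation speaking SMB (TCP 445/139) to an address outside the organisation are a strong indicator of a Net-NTLM leak attempt. The flow-log format, the sample records and the internal address ranges are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed egress flow records (not real telemetry); assumed format:
#   timestamp src_ip src_port dst_ip dst_port proto
SAMPLE_FLOWS = """\
2023-03-15T09:12:01Z 10.20.1.57 52144 10.20.0.10 445 tcp
2023-03-15T09:12:03Z 10.20.1.57 52150 203.0.113.44 445 tcp
2023-03-15T09:12:04Z 10.20.1.57 52151 198.51.100.9 443 tcp
2023-03-15T09:13:30Z 10.20.1.88 49822 192.0.2.200 139 tcp
2023-03-15T09:14:02Z 10.20.1.88 49830 10.20.0.10 445 tcp
"""

# A UNC path (\\host\share) makes the Windows client open SMB to that host,
# and the NTLM authentication rides on that connection. Workstations have no
# business speaking SMB to hosts outside the organisation's address space.
SMB_PORTS = {445, 139}

# Internal address space assumed for this example: RFC 1918 plus loopback.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class Alert:
    ts: str
    src_ip: str
    dst_ip: str
    dst_port: int


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_smb_egress(flow_text: str) -> list[Alert]:
    """Flag TCP flows from an internal source to an SMB port on an external host."""
    alerts = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, src, _sport, dst, dport, proto = line.split()
        if (proto == "tcp" and int(dport) in SMB_PORTS
                and is_internal(src) and not is_internal(dst)):
            alerts.append(Alert(ts, src, dst, int(dport)))
    return alerts


if __name__ == "__main__":
    for a in detect_smb_egress(SAMPLE_FLOWS):
        print(f"{a.ts} {a.src_ip} -> {a.dst_ip}:{a.dst_port}  possible Net-NTLM leak")
```

Blocking outbound TCP 445/139 at the perimeter removes the SMB path entirely; the same flow-based check then becomes a record of attempts rather than of successful leaks.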
The Russian threat group APT28, also known as Fancy Bear, has been implicated in a series of mass attack campaigns exploiting vulnerabilities in Microsoft Outlook and WinRAR, according to researchers from cybersecurity firm Proofpoint. The group, with ties to the Russian military, engaged in phishing activities, leveraging known flaws, specifically CVE-2023-23397 and CVE-2023-38831, since March 2023. These campaigns targeted sectors such as government, aerospace, education, finance, manufacturing, and technology in Europe and North America. A significant deviation from expected email volumes was noted in the exploitation of CVE-2023-23397, with over 10,000 emails sent from a single provider to defense, aerospace, technology, government, and manufacturing entities. It is unclear whether this was a mistake or a deliberate attempt to collect target credentials.
The WinRAR vulnerability (CVE-2023-38831) was exploited by APT28 in September 2023 to send malicious emails with geopolitical lures such as the BRICS Summit and a European Parliament meeting. These emails aimed to entice targets to open attachments containing RAR files that initiated remote code execution to extract NTLM credentials and information about victim systems. The researchers noted the group’s continued use of disclosed and patched vulnerabilities, suggesting a reliance on these flaws for initial access, possibly in the hope that targets have not yet patched them.
In conclusion, as the cybersecurity community confronts the challenges presented by CVE-2023-23397, it is crucial for organizations to swiftly implement patches, enhance visibility, and adopt proactive strategies to detect and mitigate potential exploits. Staying vigilant and informed remains paramount in navigating the ever-evolving landscape of cybersecurity threats.
Written by: Z. Oualid
I am a Cyber Security Expert; I have worked with many companies around the globe to secure their applications and their networks. I am OSCP and OSCE certified, which are the most recognized and hardest technical certifications in the cybersecurity industry. I am also a Certified Ethical Hacker (CEH). I hope you enjoy my articles :).