Outlook’s Threat Unveiled: CVE-2023-23397 Exposed


Background

In a recent analysis, InsiderSecurity delves into the intricacies of the Outlook vulnerability CVE-2023-23397, shedding light on potential exploitation techniques and proposing early detection methods. Microsoft fixed the flaw in its March 2023 Patch Tuesday release, and the severity of the situation is underlined by the fact that it had already been exploited in the wild for close to a year before the patch shipped. With a CVSS score of 9.8, this vulnerability poses a substantial risk to Outlook for Windows, including Outlook 2013 SP1 and later desktop versions and the Microsoft 365 Apps for Enterprise; Outlook for Mac, iOS and Android and Outlook on the web are not affected.

The gravity of CVE-2023-23397 is further heightened by its exploitation by a hacking group associated with Russia's GRU military intelligence agency, tracked as APT28 (also known as Fancy Bear or Forest Blizzard). This group has targeted European organizations in critical sectors such as government, transportation, energy and the military. As the security community grapples with this threat, companies need not only to patch their Outlook installations promptly but also to implement robust measures for detecting compromises that may already have taken place.

Exploiting CVE-2023-23397: Stealing the Net-NTLM Hash

One of the critical aspects of CVE-2023-23397 is that it allows attackers to steal a Net-NTLMv2 response (often loosely called the Net-NTLM hash) from victims: the challenge-response value a Windows client computes from the user's NT hash when it authenticates to an SMB server. The attacker can relay or crack this value to assume the victim's identity and move deeper into the organization's network. No trick or click is needed to obtain it: a crafted message (for example a calendar invite or task) carries an extended MAPI property, PidLidReminderFileParameter, that points the reminder's sound file at a UNC path on an attacker-controlled host. When the reminder fires, Outlook for Windows opens that path, and the resulting SMB authentication leaks the response to the attacker.

Leaking a Net-NTLM response in this way is not a novel technique in itself; it is the normal behaviour of Windows whenever Kerberos cannot be used, for example when the target is in a different domain, is reachable only by IP address, or is not a domain member at all. In those cases the client falls back from Kerberos to NTLM: the server sends a challenge, and the client answers with a Net-NTLMv2 response derived from the user's NT hash, without any prompt. What turns this into a vulnerability is that Outlook lets an unauthenticated email sender choose the destination host and trigger that authentication automatically, so the challenge and response end up on a server the attacker controls.

Exploitation Scenarios: The Impact of CVE-2023-23397

The impact of CVE-2023-23397 mirrors that of any successful Net-NTLM based attack. In all attack paths the attacker initiates the exploit by sending a malicious email to the victim; when Outlook processes the reminder, the victim's machine authenticates to the attacker's server and hands over a Net-NTLMv2 response. Once in possession of that response, the attacker has several options:

  1. Attack Path 1: NTLM-Relay Attack
    • The attacker relays the authentication of a privileged user, as it happens, to a server in the Windows domain and thereby obtains high-privileged access to it. This requires the victim's Outlook client to reach a listener the attacker controls, typically a pre-compromised machine inside the network, and a relay target that does not enforce SMB signing or LDAP signing and channel binding. The captured response is bound to the server challenge of that one session, so the relay has to happen in real time.
  2. Attack Path 2: Offline Password Cracking
    • The attacker tries to recover the password behind the stolen Net-NTLMv2 response by offline cracking (hashcat mode 5600). This succeeds only for weak or guessable passwords, but a recovered password can then be used to log in to the company's network, for example via VPN, and to move laterally from one asset to another.
  3. Attack Path 3: Cloud Account Exploitation
    • As in Attack Path 2, the attacker recovers the password and uses it to log in to the victim's cloud account wherever the same credentials are reused or synchronized from on-premises Active Directory and MFA does not block the login. This opens the door to valuable data or secrets stored in the cloud and to further cloud-based attacks.
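To make concrete what the attacker actually captures, and why Attack Path 2 is offline cracking rather than reuse of a hash, here is an added Python example; it is not code from InsiderSecurity's analysis or from the original post. It computes the Net-NTLMv2 response the way a Windows client does (MD4 NT hash, then two HMAC-MD5 steps as specified in MS-NLMP), prints it in the format hashcat mode 5600 expects, and cracks it against a tiny wordlist. The user, domain, password, server challenge and blob bytes are all constructed for the demonstration.

```python
import hmac
import struct
from typing import Iterable, Optional


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Implemented here because OpenSSL 3 based
    builds of hashlib frequently ship without the legacy MD4 algorithm."""
    mask = 0xFFFFFFFF

    def rotl(x: int, n: int) -> int:
        return ((x << n) | (x >> (32 - n))) & mask

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as a little-endian u64.
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (f, tuple(range(16)), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, order, shifts, const in rounds:
            for i, k in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[k] + const) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers so each step updates the next one
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). Pass-the-hash needs this value; the attacker never sees it."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr as the client computes it (MS-NLMP 3.3.2): HMAC-MD5 keyed on the NT hash.
    This 16-byte value plus the blob is what the attacker's SMB listener captures."""
    ntlmv2_key = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), "md5").digest()
    return hmac.new(ntlmv2_key, server_challenge + blob, "md5").digest()


def hashcat_5600_line(user: str, domain: str, server_challenge: bytes, proof: bytes, blob: bytes) -> str:
    """Capture in the layout hashcat mode 5600 (and john's netntlmv2 format) expect."""
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack_offline(capture: dict, wordlist: Iterable[str]) -> Optional[str]:
    """Attack Path 2: recompute the response for each candidate password and compare."""
    for candidate in wordlist:
        guess = ntlmv2_response(nt_hash(candidate), capture["user"], capture["domain"],
                                capture["challenge"], capture["blob"])
        if hmac.compare_digest(guess, capture["proof"]):
            return candidate
    return None


# Constructed victim and capture: hypothetical user, domain, password, challenge and blob.
VICTIM_USER, VICTIM_DOMAIN, VICTIM_PASSWORD = "alice", "CORP", "Spring2023!"
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")  # picked by the attacker's SMB server
CLIENT_BLOB = bytes.fromhex("0101000000000000"        # NTLMv2 blob header
                            "00e0a4b1c5b9d901"        # client timestamp
                            "aabbccddeeff0011"        # client nonce
                            "00000000" "00000000")    # (empty) AV pairs, trailer


def simulate_capture() -> dict:
    """What the attacker's listener holds once the Outlook reminder has fired."""
    proof = ntlmv2_response(nt_hash(VICTIM_PASSWORD), VICTIM_USER, VICTIM_DOMAIN,
                            SERVER_CHALLENGE, CLIENT_BLOB)
    return {"user": VICTIM_USER, "domain": VICTIM_DOMAIN, "challenge": SERVER_CHALLENGE,
            "blob": CLIENT_BLOB, "proof": proof}


if __name__ == "__main__":
    cap = simulate_capture()
    print(hashcat_5600_line(cap["user"], cap["domain"], cap["challenge"], cap["proof"], cap["blob"]))
    print("cracked:", crack_offline(cap, ["Summer2022", "Winter2022!", "Spring2023!"]))
```

Two things follow from the code. The NT hash is only ever an HMAC key on the client side, so the captured proof cannot be turned back into it and cannot be used for pass-the-hash; the attacker either cracks it (Path 2, feasible only for guessable passwords) or relays it (Path 1). And the proof is computed over the server challenge that the attacker's listener chose, which is why a relay has to forward that challenge from the real target and complete within the same session.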

Detection Strategies: Safeguarding Against Exploits

InsiderSecurity proposes several strategies to detect successful Net-NTLM based exploits resulting from CVE-2023-23397 or similar vulnerabilities:

  1. Monitoring TCP Connections:
    • Detect outbound TCP connections to port 445 (SMB) and port 80 (WebDAV), to both internal and external IP addresses. Windows falls back to WebDAV over HTTP when SMB is blocked at the perimeter, so blocking 445 alone is not enough. Pay special attention to destination IP addresses never observed before, particularly when the source is a workstation.
  2. Location-Based Login Monitoring:
    • Detect successful logins by an account from a new location or source address, whether in the cloud or on-premises, since a cracked password is typically used from infrastructure the attacker controls.
  3. Unusual NTLM Authentications:
    • Detect NTLM authentications (for example Windows event 4624 with authentication package NTLM) from accounts that normally authenticate with Kerberos only. A successful Net-NTLM relay usually yields further credentials, so it tends to be followed by pass-the-hash lateral movement, which also shows up as NTLM logons.
  4. Server Access Pattern Monitoring:
    • Monitor changes in server access patterns, in particular compromised accounts reaching servers they have never accessed before, or accessing familiar servers in unusual ways or at unusual times.
  5. Behavior Analytics:
    • Use behavior analytics to detect these deviations from an established baseline, which catches Net-NTLM based exploits even when the vulnerability that leaked the response is not yet known.
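As an added illustration of strategies 1 to 3 (example code written for this page, not tooling from InsiderSecurity or the original post), the following Python runs a baseline-and-deviation check over constructed flow records and Windows 4624 logon events: connections to 445/80 toward destinations never seen before the patch date, and network logons by accounts that either switch to NTLM after using only Kerberos in the baseline or arrive from a source address new for that account. Host names, addresses, account names and dates are constructed; the event records are reduced to the 4624 fields the logic needs.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

WATCHED_PORTS = {445, 80}  # SMB and WebDAV-over-HTTP, the two ways a UNC path is reached
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def new_outbound_destinations(records, baseline_end: str):
    """Strategy 1: flag connections to 445/80 whose (destination, port) never appeared before
    baseline_end. records are (iso_time, src_host, dst_ip, dst_port) tuples."""
    cutoff = datetime.fromisoformat(baseline_end)
    known, alerts = set(), []
    for ts, src, dst, port in sorted(records):
        if port not in WATCHED_PORTS:
            continue
        key = (dst, port)
        if datetime.fromisoformat(ts) < cutoff:
            known.add(key)
            continue
        if key not in known:
            known.add(key)  # report each new destination once
            alerts.append({"time": ts, "host": src, "dst": dst, "port": port,
                           "severity": "high" if not is_internal(dst) else "medium"})
    return alerts


def unusual_logons(events, baseline_end: str):
    """Strategies 2 and 3 over 4624 (successful logon) events: learn from the baseline window
    which accounts use NTLM at all and from which addresses they normally come, then alert."""
    cutoff = datetime.fromisoformat(baseline_end)
    ntlm_accounts, seen_sources, alerts = set(), defaultdict(set), []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != 4624 or ev["logon_type"] != 3:  # network logons only
            continue
        uses_ntlm = ev["auth_pkg"].upper() == "NTLM"
        if datetime.fromisoformat(ev["time"]) < cutoff:
            if uses_ntlm:
                ntlm_accounts.add(ev["account"])
            seen_sources[ev["account"]].add(ev["src_ip"])
            continue
        reasons = []
        if uses_ntlm and ev["account"] not in ntlm_accounts:
            reasons.append("NTLM used by an account that only used Kerberos in the baseline")
        if ev["src_ip"] not in seen_sources[ev["account"]]:
            reasons.append("logon from a source address never seen for this account")
        if reasons:
            alerts.append({"time": ev["time"], "account": ev["account"], "src_ip": ev["src_ip"],
                           "auth_pkg": ev["auth_pkg"], "reasons": reasons})
    return alerts


BASELINE_END = "2023-03-14T00:00:00"  # constructed cut-over: the day the patch shipped

# Constructed flow records, not real traffic.
CONNECTIONS = [
    ("2023-03-01T08:10:00", "WS-ALICE", "10.0.0.5", 445),
    ("2023-03-02T09:00:00", "WS-BOB", "10.0.0.5", 445),
    ("2023-03-02T09:05:00", "WS-BOB", "10.0.0.8", 80),
    ("2023-03-15T14:03:12", "WS-ALICE", "10.0.0.5", 445),       # known file server: quiet
    ("2023-03-15T14:03:40", "WS-ALICE", "198.51.100.23", 445),  # reminder fired: SMB to the internet
    ("2023-03-15T14:03:41", "WS-ALICE", "198.51.100.23", 80),   # 445 blocked, WebDAV fallback
    ("2023-03-16T10:20:00", "WS-BOB", "10.0.0.50", 445),        # new internal host: possible relay box
    ("2023-03-16T10:21:00", "WS-BOB", "10.0.0.50", 443),        # not a watched port
]

# Constructed 4624 events reduced to the fields used above.
EVENTS = [
    {"time": "2023-03-01T08:00:00", "event_id": 4624, "logon_type": 3, "account": "alice", "auth_pkg": "Kerberos", "src_ip": "10.0.0.21"},
    {"time": "2023-03-02T07:30:00", "event_id": 4624, "logon_type": 3, "account": "svc_backup", "auth_pkg": "NTLM", "src_ip": "10.0.0.30"},
    {"time": "2023-03-05T08:00:00", "event_id": 4624, "logon_type": 3, "account": "alice", "auth_pkg": "Kerberos", "src_ip": "10.0.0.21"},
    {"time": "2023-03-15T14:05:00", "event_id": 4624, "logon_type": 3, "account": "alice", "auth_pkg": "NTLM", "src_ip": "10.0.0.50"},  # relayed session
    {"time": "2023-03-15T15:00:00", "event_id": 4624, "logon_type": 3, "account": "svc_backup", "auth_pkg": "NTLM", "src_ip": "10.0.0.30"},
    {"time": "2023-03-16T08:00:00", "event_id": 4624, "logon_type": 3, "account": "alice", "auth_pkg": "Kerberos", "src_ip": "10.0.0.21"},
]

if __name__ == "__main__":
    for alert in new_outbound_destinations(CONNECTIONS, BASELINE_END) + unusual_logons(EVENTS, BASELINE_END):
        print(alert)
```

On the constructed data the first check raises two high-severity alerts for the external host reached on 445 and then 80 (the WebDAV fallback is its own signal that SMB egress was blocked) and a medium one for the new internal destination, and the second check flags alice's NTLM logon from that internal host on both grounds while the service account that always used NTLM stays quiet. Over real logs the baseline should be rebuilt per account and per host rather than once, but the structure is the same.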

Active Real-World Exploitation of This Vulnerability

The Russian threat group APT28, also known as Fancy Bear, has been implicated in a series of mass attack campaigns exploiting vulnerabilities in Microsoft Outlook and WinRAR, according to researchers from cybersecurity firm Proofpoint. The group, with ties to the Russian military, engaged in phishing activities, leveraging known flaws, specifically CVE-2023-23397 and CVE-2023-38831, since March 2023. These campaigns targeted sectors such as government, aerospace, education, finance, manufacturing, and technology in Europe and North America. A significant deviation from expected email volumes was noted in the exploitation of CVE-2023-23397, with over 10,000 emails sent from a single provider to defense, aerospace, technology, government, and manufacturing entities. It is unclear whether this was a mistake or a deliberate attempt to collect target credentials.

The WinRAR vulnerability (CVE-2023-38831) was exploited by APT28 in September 2023 in malicious emails with geopolitical lures such as the BRICS Summit and a European Parliament meeting. These emails aimed to entice targets into opening RAR attachments that triggered code execution and went on to harvest NTLM credentials and information about the victim's system. The researchers noted the group's continued use of already disclosed and patched vulnerabilities, suggesting a reliance on these flaws for initial access in the expectation that some targets have not yet patched them.

In conclusion, as the cybersecurity community confronts the challenges presented by CVE-2023-23397, it is crucial for organizations to swiftly implement patches, enhance visibility, and adopt proactive strategies to detect and mitigate potential exploits. Staying vigilant and informed remains paramount in navigating the ever-evolving landscape of cybersecurity threats.

Written by: Z. Oualid


About the author

Z. Oualid

I am a Cyber Security Expert. I have worked with many companies around the globe to secure their applications and their networks. I am OSCP and OSCE certified, which are the most recognized and hardest technical certifications in the cybersecurity industry. I am also a Certified Ethical Hacker (CEH). I hope you enjoy my articles :).

