Microsoft today released a detailed guide to help customers discover indicators of compromise associated with exploitation of a recently patched Outlook zero-day vulnerability.
Tracked as CVE-2023-23397, this privilege escalation security flaw in the Outlook client for Windows enables attackers to steal NTLM hashes without user interaction in NTLM-relay zero-click attacks.
Threat actors can exploit it by sending messages with extended MAPI properties containing UNC paths to attacker-controlled SMB shares.
In today's report, Microsoft shared several techniques to determine whether credentials have been compromised via CVE-2023-23397 exploits, as well as mitigation measures to defend against future attacks.
While the company also released a script to help admins check whether any Exchange users have been targeted, Redmond said that defenders have to look for other signs of exploitation if the threat actors have cleaned up their traces by deleting any incriminating messages.
Alternate sources of indicators of compromise linked to this Outlook flaw include telemetry extracted from multiple sources such as firewall, proxy, VPN, and RDP Gateway logs, as well as Azure Active Directory sign-in logs for Exchange Online users, and IIS logs for Exchange Server.
Other places security teams should check for indicators of compromise are forensic endpoint data like Windows event logs and endpoint telemetry from endpoint detection and response (EDR) solutions (if available).
In compromised environments, post-exploitation indicators are linked to the targeting of Exchange EWS/OWA users and malicious mailbox folder permission changes allowing the attackers to gain persistent access to the victims' emails.
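As an added illustration (not Microsoft's script and not code from the article), the Python helpers below show two of the hunting checks described above: classifying a reminder property value that carries a UNC path by whether the target host belongs to the organization, and scanning firewall log lines for SMB/RPC connections leaving the network toward hosts outside an allowlist. The log line format, the internal address ranges, the allowlist entry and every sample value are constructed assumptions, not values from the article.

```python
"""
Triage helpers for CVE-2023-23397 hunting (illustrative, constructed data).

Assumptions not taken from the article:
  - the reminder property value is available to us as a plain string;
  - firewall logs are "timestamp src dst dst_port action" text lines;
  - 10/8, 172.16/12 and 192.168/16 are the organization's internal ranges;
  - 10.1.2.3 is the only destination permitted for SMB/RPC traffic.
"""
import ipaddress
import re
from typing import Iterable

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_ALLOWLIST = {"10.1.2.3"}   # constructed: permitted SMB/RPC destinations
SMB_PORTS = {135, 445}         # the ports the article says to restrict

# \\host\share\path  -> capture the host and the remainder
UNC_RE = re.compile(r"^\\\\([^\\]+)\\(.+)$")
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<port>\d+) (?P<action>\S+)$")


def is_internal(host: str) -> bool:
    """True if host is an IP inside the internal ranges. A non-IP name is
    treated as internal only when it is a bare (dotless) NetBIOS-style name."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." not in host
    return any(ip in net for net in INTERNAL_NETS)


def classify_reminder(value: str) -> str:
    """Classify a reminder sound/file property value.

    'external-unc' is the condition the article describes: a UNC path whose
    host the organization does not own, so the client would authenticate
    outward over SMB when the reminder fires. Anything else is either a
    normal internal share or not a UNC path at all."""
    m = UNC_RE.match(value.strip())
    if not m:
        return "not-unc"
    return "internal-unc" if is_internal(m.group(1)) else "external-unc"


def suspicious_smb_egress(lines: Iterable[str]) -> list[dict]:
    """Return firewall records for SMB/RPC connections to hosts that are
    neither internal nor allowlisted. Denied attempts are kept on purpose:
    a blocked outbound 445 from a workstation still shows that something on
    that host tried to reach an outside share and deserves triage."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        port, dst = int(m["port"]), m["dst"]
        if port in SMB_PORTS and not is_internal(dst) and dst not in SMB_ALLOWLIST:
            hits.append({"ts": m["ts"], "src": m["src"], "dst": dst,
                         "port": port, "action": m["action"]})
    return hits


# Constructed sample inputs (documentation ranges, not real hosts).
SAMPLE_REMINDERS = {
    "benign-default": "",
    "internal-share": r"\\FILESRV01\sounds\chime.wav",
    "external-ip":    r"\\203.0.113.5\share\reminder.wav",
    "external-name":  r"\\cdn.example.net\media\a.wav",
}

SAMPLE_FIREWALL_LOG = [
    "2023-03-15T09:12:01Z 10.20.30.40 10.1.2.3 445 allow",       # allowlisted
    "2023-03-15T09:12:05Z 10.20.30.41 203.0.113.5 445 deny",     # blocked, still a hit
    "2023-03-15T09:12:09Z 10.20.30.42 198.51.100.9 135 allow",   # RPC to outside host
    "2023-03-15T09:13:00Z 10.20.30.43 93.184.216.34 443 allow",  # ordinary HTTPS
]


def triage() -> dict:
    """Run both checks over the constructed samples."""
    return {
        "reminders": {k: classify_reminder(v) for k, v in SAMPLE_REMINDERS.items()},
        "egress": suspicious_smb_egress(SAMPLE_FIREWALL_LOG),
    }


if __name__ == "__main__":
    for section, result in triage().items():
        print(section, result)
```

In practice the reminder values would come from the output of Microsoft's script or from mailbox exports, and the firewall lines from whatever format the perimeter device writes; only the two regular expressions need to change for that. Pairing an external-UNC reminder with an outbound 445 attempt from the same workstation around the reminder time is the correlation that matters, because either signal alone can have benign explanations.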
CVE-2023-23397 mitigation measures
Microsoft also shared guidance on how to block future attacks targeting this vulnerability, urging organizations to install the recently released Outlook security update.
“To address this vulnerability, you must install the Outlook security update, regardless of where your mail is hosted (e.g., Exchange Online, Exchange Server, some other platform) or your organization’s support for NTLM authentication,” the Microsoft Incident Response team said.
Other measures at-risk organizations can take to mitigate such attacks and post-exploitation behavior include:
- For organizations leveraging on-premises Microsoft Exchange Server, apply the latest security updates to ensure that defense-in-depth mitigations are active.
- Where suspicious or malicious reminder values are observed, make sure to use the script to remove either the messages or just the properties, and consider initiating incident response actions.
- For any targeted or compromised user, reset the passwords of any account logged in to computers on which the user received suspicious reminders and initiate incident response actions.
- Use multifactor authentication to mitigate the impact of potential Net-NTLMv2 Relay attacks. NOTE: This will not prevent a threat actor from leaking credentials and cracking them offline.
- Disable unnecessary services on Exchange.
- Limit SMB traffic by blocking connections on ports 135 and 445 from all inbound IP addresses except those on a controlled allowlist.
- Disable NTLM in your environment.
Exploited by Russian military hackers
CVE-2023-23397 has been under active exploitation since at least April 2022 and was used to breach the networks of at least 15 government, military, energy, and transportation organizations in Europe.
While Microsoft publicly linked these attacks to “a Russia-based threat actor,” Redmond also said in a private threat analytics report seen by BleepingComputer that it believes the hacking group is APT28 (also tracked as STRONTIUM, Sednit, Sofacy, and Fancy Bear).
This threat actor has previously been linked to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), Russia’s military intelligence service.
The credentials they stole in these attacks were used for lateral movement and to change Outlook mailbox folder permissions, a tactic that allowed them to exfiltrate emails from specific accounts.
“While leveraging NTLMv2 hashes to gain unauthorized access to resources is not a new technique, the exploitation of CVE-2023-23397 is novel and stealthy,” the Microsoft Incident Response team added.
“Even when users reported suspicious reminders on tasks, initial security review of the messages, tasks, or calendar items involved did not result in detection of the malicious activity. Furthermore, the lack of any required user interaction contributes to the unique nature of this vulnerability.”