
Microsoft's Threat Intelligence team issued a warning earlier today about the Russian state-sponsored actor APT28 (aka "Fancy Bear" or "Strontium") actively exploiting the CVE-2023-23397 Outlook flaw to hijack Microsoft Exchange accounts and steal sensitive information.
The targeted entities include government, energy, transportation, and other key organizations in the US, Europe, and the Middle East.
The tech giant also highlighted the exploitation of other vulnerabilities with publicly available exploits in the same attacks, including CVE-2023-38831 in WinRAR and CVE-2021-40444 in Windows MSHTML.
Outlook flaw exploitation background
CVE-2023-23397 is a critical elevation of privilege (EoP) vulnerability in Outlook on Windows, which Microsoft fixed as a zero-day on the March 2023 Patch Tuesday.
The disclosure of the flaw came with the revelation that APT28 had been exploiting it since April 2022 via specially crafted Outlook items (notes, tasks, and calendar invites) whose reminder sound path points to a UNC share. The malicious item forces the target device to authenticate to an attacker-controlled SMB share, leaking the user's NTLM hash (Net-NTLMv2 response) without any user interaction.
By relaying the captured credentials to gain the victim's access on the Exchange server, which proved straightforward, APT28 performed lateral movement within the victim's environment and altered Outlook mailbox folder permissions to carry out targeted email theft.
Despite the availability of security updates and mitigation recommendations, the attack surface remained significant, and a bypass of the fix (CVE-2023-29324) that followed in May worsened the situation.
Recorded Future warned in June that APT28 likely leveraged the Outlook flaw against key Ukrainian organizations. In October, the French cybersecurity agency (ANSSI) revealed that the Russian hackers had used the zero-click attack against government entities, businesses, universities, research institutes, and think tanks in France.
Assaults nonetheless ongoing
Microsoft's latest warning highlights that the GRU hackers still leverage CVE-2023-23397 in attacks, so there are still systems out there that remain vulnerable to the critical EoP flaw.
The tech firm has also noted the work of the Polish Cyber Command Center (DKWOC) in helping detect and stop the attacks. DKWOC also published a post describing APT28 activity that leverages the Outlook flaw.
The recommended actions to take right now, listed by priority, are the following:
- Apply the available security updates for CVE-2023-23397 and its bypass CVE-2023-29324.
- Use the PowerShell audit script Microsoft published for CVE-2023-23397 to check whether any Exchange users have been targeted (it looks for mailbox items whose reminder sound path points to a UNC share).
- Reset passwords of compromised users and enable MFA (multi-factor authentication) for all users.
- Limit SMB traffic by blocking outbound connections to TCP ports 445 and 135 at the perimeter; the exploit works by making the victim's Outlook client connect out to an attacker-controlled share, so it is egress, not ingress, that must be cut.
- Disable NTLM in your environment, for example by adding high-value accounts to the Protected Users security group, which prevents them from authenticating with NTLM.
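The two signals a defender can check for the attack described above are the mailbox-side indicator (a reminder sound path that is a UNC path to an outside host) and the network-side indicator (Outlook itself opening a connection to TCP 445 or 135 on a non-internal address). The following Python is an added example written for this page; it is not Microsoft's audit script or DKWOC's tooling. It assumes Sysmon Event ID 3 records exported as key=value lines, uses a placeholder internal DNS suffix `corp.example`, and runs over constructed sample events rather than real telemetry.

```python
"""Indicators of CVE-2023-23397-style NTLM coercion, checked two ways:

1. Mailbox side: a PidLidReminderFileParameter value (the reminder sound
   path abused by the exploit) that is a UNC path to a host outside the
   organization.
2. Network side: outlook.exe initiating a connection to TCP 445 or 135 on a
   non-internal address, as seen in Sysmon Event ID 3 records.

Added illustration, not Microsoft's audit script. The sample events below
are constructed, and the internal DNS suffix is a placeholder.
"""
import ipaddress
import re
from typing import Iterable, Optional

# "Internal" address space: RFC 1918, loopback, link-local and their IPv6
# equivalents. Deliberately not ipaddress.is_private, which also treats
# documentation ranges such as 203.0.113.0/24 as private.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
              "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")
]
INTERNAL_DNS_SUFFIXES = ("corp.example",)  # placeholder: set to your AD domain(s)
COERCION_PORTS = {445, 135}  # SMB and RPC endpoint mapper, per the advisory

# \\host\share\... ; group 1 is the host, which in WebDAV-style UNC paths
# may carry an @port or @SSL@port suffix (\\host@SSL@443\share).
UNC_RE = re.compile(r"^\\\\([^\\]+)(?:\\.*)?$")
# key=value or key="value with spaces" tokens of an exported event line
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def unc_host(value: str) -> Optional[str]:
    """Host component of a UNC path, lower-cased; None if not a UNC path."""
    m = UNC_RE.match(value.strip())
    if not m:
        return None
    return m.group(1).split("@", 1)[0].lower()


def is_external_host(host: str, internal_nets=INTERNAL_NETS,
                     internal_suffixes=INTERNAL_DNS_SUFFIXES) -> bool:
    """True if host (IP or name) lies outside the organization.

    Single-label names (NetBIOS style) count as internal; dotted names are
    internal only under one of the configured DNS suffixes.
    """
    host = host.lower().strip("[]")  # tolerate bracketed IPv6 literals
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        if "." not in host:
            return False
        return not any(host == s or host.endswith("." + s) for s in internal_suffixes)
    return not any(ip in net for net in internal_nets)


def suspicious_reminder(value: str) -> bool:
    """True if a reminder sound path is a UNC path to an external host."""
    host = unc_host(value)
    return host is not None and is_external_host(host)


def parse_event(line: str) -> dict:
    """Parse one key=value event line (values may be double-quoted)."""
    return {k: q if q else u for k, q, u in KV_RE.findall(line)}


def outlook_coercion_events(lines: Iterable[str]) -> list:
    """Event ID 3 records where outlook.exe opened an outbound connection to
    an SMB/RPC port on an external host."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "3" or ev.get("Initiated", "true").lower() != "true":
            continue
        if not ev.get("Image", "").lower().endswith("\\outlook.exe"):
            continue
        try:
            port = int(ev.get("DestinationPort", "0"))
        except ValueError:
            continue
        if port in COERCION_PORTS and is_external_host(ev.get("DestinationIp", "")):
            hits.append(ev)
    return hits


OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    f'EventID=3 Image="{OUTLOOK}" Protocol=tcp Initiated=true DestinationIp=10.20.30.40 DestinationPort=445',
    f'EventID=3 Image="{OUTLOOK}" Protocol=tcp Initiated=true DestinationIp=203.0.113.10 DestinationPort=445',
    f'EventID=3 Image="{OUTLOOK}" Protocol=tcp Initiated=true DestinationIp=203.0.113.10 DestinationPort=443',
    r'EventID=3 Image="C:\Windows\explorer.exe" Protocol=tcp Initiated=true DestinationIp=203.0.113.10 DestinationPort=445',
    f'EventID=3 Image="{OUTLOOK}" Protocol=tcp Initiated=true DestinationIp=198.51.100.7 DestinationPort=135',
]

if __name__ == "__main__":
    # Expected: the 203.0.113.10:445 and 198.51.100.7:135 events. The
    # internal share (10.20.30.40), normal HTTPS (443) and the explorer.exe
    # egress (a case for a broader SMB-egress rule) are not reported.
    for ev in outlook_coercion_events(SAMPLE_EVENTS):
        print(f"outlook.exe -> {ev['DestinationIp']}:{ev['DestinationPort']} (possible NTLM coercion)")
    for p in (r"\\203.0.113.10\share\alert.wav", r"\\fs01.corp.example\media\alert.wav"):
        print(p, "SUSPICIOUS" if suspicious_reminder(p) else "ok")
```

The reminder check is the same property-level test a mailbox audit performs; the network check is the complementary signal, because an unpatched client that has already been coerced shows up as Outlook, not a browser or the WebClient service, talking SMB to the Internet. Single-label hosts are treated as internal on purpose: a NetBIOS name resolves on the LAN, and flagging every `\\fileserver` path would bury the real hits.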
Given that APT28 is a highly resourceful and adaptive threat group, the most effective defense strategy is to reduce the attack surface across all interfaces and ensure all software products are regularly updated with the latest security patches.
