Russian hackers exploiting Outlook bug to hijack Exchange accounts



Microsoft's Threat Intelligence team issued a warning earlier today about the Russian state-sponsored hacking group APT28 (aka "Fancy Bear" or "Strontium") actively exploiting the CVE-2023-23397 Outlook flaw to hijack Microsoft Exchange accounts and steal sensitive information.

The targeted entities include government, energy, transportation, and other key organizations in the United States, Europe, and the Middle East.

The tech giant also highlighted the exploitation of other vulnerabilities with publicly available exploits in the same attacks, including CVE-2023-38831 in WinRAR and CVE-2021-40444 in Windows MSHTML.


Outlook flaw exploitation background

CVE-2023-23397 is a critical elevation of privilege (EoP) vulnerability in Outlook on Windows, which Microsoft fixed as a zero-day on the March 2023 Patch Tuesday.

The disclosure of the flaw came with the revelation that APT28 had been exploiting it since April 2022 via specially crafted Outlook notes designed to steal NTLM hashes, forcing the target devices to authenticate to attacker-controlled SMB shares without requiring any user interaction.

By elevating their privileges on the system, which proved straightforward, APT28 performed lateral movement in the victim's environment and changed Outlook mailbox permissions to carry out targeted email theft.

Despite the availability of security updates and mitigation recommendations, the attack surface remained significant, and a bypass of the fix (CVE-2023-29324) that followed in May worsened the situation.

Recorded Future warned in June that APT28 likely leveraged the Outlook flaw against key Ukrainian organizations. In October, the French cybersecurity agency (ANSSI) reported that the Russian hackers had used the zero-click attack against government entities, businesses, universities, research institutes, and think tanks in France.

Attacks still ongoing

Microsoft's latest warning highlights that the GRU hackers still leverage CVE-2023-23397 in attacks, so there are still systems out there that remain vulnerable to the critical EoP flaw.

The tech firm has also acknowledged the work of the Polish Cyber Command Center (DKWOC) in helping detect and stop the attacks. DKWOC also published a post describing APT28 activity that leverages CVE-2023-23397.

The recommended actions to take right now, listed by priority, are the following:

  • Apply the available security updates for CVE-2023-23397 and its bypass CVE-2023-29324.
  • Use this script by Microsoft to check whether any Exchange users have been targeted.
  • Reset the passwords of compromised users and enable MFA (multi-factor authentication) for all users.
  • Limit SMB traffic by blocking connections to ports 135 and 445 from all inbound IP addresses.
  • Disable NTLM in your environment.
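The following PowerShell is an added example, not code from the article or from Microsoft's script. It shows two things: the check the Microsoft script performs per message (the MAPI property PidLidReminderFileParameter, whose UNC path is what makes Outlook authenticate to the attacker's SMB share without user interaction, as described above), run here over constructed sample values; and the host-level mitigations from the list (blocking TCP 135/445, restricting outgoing NTLM, resetting passwords and adding the targeted users to Protected Users). Function names, the sample paths and the `203.0.113.5` / `attacker.example` hosts are assumptions made for the example; it assumes an elevated shell on Windows 10 / Server 2016 or later with the NetSecurity module, and the ActiveDirectory RSAT module for the last step.

```powershell
# Added example (not the article's or Microsoft's code). Run with -WhatIf first:
# the mitigation functions change firewall and LSA settings.

# --- Detection heuristic -----------------------------------------------------
# A UNC path in PidLidReminderFileParameter (the "reminder sound" path) makes a
# vulnerable Outlook authenticate with NTLM to that host when the reminder fires.
function Test-ReminderFileParameter {
    param([Parameter(Mandatory)][string]$Value)

    # Anything that is not a UNC path cannot trigger the outbound NTLM auth.
    if ($Value -notmatch '^\\\\([^\\]+)\\') { return $null }
    $uncHost = $Matches[1]

    # RFC 1918 / loopback addresses and bare NetBIOS names are internal targets;
    # any other host is an external coercion target and should be treated as an IoC.
    $isPrivateIp = $uncHost -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)'
    $isBareName  = $uncHost -notmatch '\.'
    [pscustomobject]@{
        Path     = $Value
        Host     = $uncHost
        Severity = if ($isPrivateIp -or $isBareName) { 'Review' } else { 'Likely exploitation' }
    }
}

# Constructed sample values (assumption), as they would be read from each message.
$samples = @(
    'C:\Windows\Media\Alarm01.wav',           # default sound, benign
    '\\fileserver01\sounds\chime.wav',        # internal UNC, review
    '\\203.0.113.5\share\file.wav',           # TEST-NET-3 address, constructed
    '\\attacker.example\pipe\reminder.wav'    # external hostname, constructed
)
$samples | ForEach-Object { Test-ReminderFileParameter -Value $_ } | Format-Table -AutoSize

# --- Mitigations -------------------------------------------------------------
function Block-SmbCoercion {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Inbound, as the list above recommends: no SMB / RPC endpoint mapper from anywhere.
    if ($PSCmdlet.ShouldProcess('Windows Firewall', 'Block inbound TCP 135/445')) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB/RPC (CVE-2023-23397)' `
            -Direction Inbound -Protocol TCP -LocalPort 135,445 -Action Block | Out-Null
    }
    # Outbound to the internet is the direction the exploit actually uses.
    # "Internet" is a firewall address keyword on Windows 10 / Server 2016+ (assumption).
    if ($PSCmdlet.ShouldProcess('Windows Firewall', 'Block outbound TCP 445 to Internet')) {
        New-NetFirewallRule -DisplayName 'Block outbound SMB to Internet (CVE-2023-23397)' `
            -Direction Outbound -Protocol TCP -RemotePort 445 -RemoteAddress Internet -Action Block | Out-Null
    }
}

function Disable-OutboundNtlm {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$AuditOnly)
    # Same setting as the policy "Network security: Restrict NTLM: Outgoing NTLM
    # traffic to remote servers": 1 = Audit all, 2 = Deny all. Audit first;
    # legacy shares and appliances that only speak NTLM break under Deny.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $value = if ($AuditOnly) { 1 } else { 2 }
    if ($PSCmdlet.ShouldProcess($key, "Set RestrictSendingNTLMTraffic=$value")) {
        Set-ItemProperty -Path $key -Name RestrictSendingNTLMTraffic -Value $value -Type DWord
    }
}

function Protect-TargetedUsers {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$SamAccountName)
    # Protected Users members cannot authenticate with NTLM at all, which closes
    # the coercion path for those accounts before the host-wide restriction lands.
    foreach ($user in $SamAccountName) {
        if ($PSCmdlet.ShouldProcess($user, 'Reset password and add to Protected Users')) {
            Set-ADAccountPassword -Identity $user -Reset -NewPassword (Read-Host -AsSecureString "New password for $user")
            Add-ADGroupMember -Identity 'Protected Users' -Members $user
        }
    }
}

# Usage (dry run first):
# Block-SmbCoercion -WhatIf
# Disable-OutboundNtlm -AuditOnly -WhatIf
# Protect-TargetedUsers -SamAccountName 'jdoe','asmith' -WhatIf
```

The detection function only reproduces the heuristic; the actual sweep of mailboxes is what Microsoft's script does over EWS, and the values above are constructed stand-ins for what it would read. Two caveats a practitioner will hit: the Protected Users group requires a domain functional level of Windows Server 2012 R2 or higher, and `RestrictSendingNTLMTraffic=2` will break every remaining NTLM-only dependency at once, so run in audit mode and review the NTLM operational log before denying.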

Given that APT28 is a highly capable and adaptive threat group, the most effective defense strategy is to reduce the attack surface across all interfaces and ensure all software products are consistently updated with the latest security patches.