Hackers target and exploit Outlook vulnerabilities because it is a widely used email platform, which gives them a large pool of potential victims.
Exploiting vulnerabilities in Outlook allows hackers to:
- Gain unauthorized access to sensitive information
- Compromise systems
- Execute malicious activities
Cybersecurity researchers at Microsoft recently identified that Forest Blizzard (STRONTIUM), a Russian nation-state group, is actively exploiting CVE-2023-23397 to gain unauthorized access to Exchange Server email accounts.
In collaboration with the Polish Cyber Command (DKWOC), Microsoft has taken action against the threat actors behind this Russian nation-state group, Forest Blizzard.
Outlook Privilege Escalation Vulnerability
CVE-2023-23397 is rated a critical Outlook vulnerability on Windows. It is a privilege escalation vulnerability: a crafted message triggers a Net-NTLMv2 hash leak to a server controlled by the threat actor.
This critical privilege escalation vulnerability affected all Outlook versions on Windows, but it did not affect any version on the following platforms:
- Android
- iOS
- Mac
- Web (OWA)
The technique relies on Microsoft's TNEF (Transport Neutral Encapsulation Format), in which Winmail.dat attachments carry formatted email messages, including attachments and Outlook-specific features.
Outlook on Windows allows users to set a custom reminder sound, which is stored in the PidLidReminderFileParameter MAPI property.
[Figure: Setting a custom sound (Source – Microsoft)]
Threat actors abuse this by using tools such as MFCMAPI to manipulate the property, deceive users, and leak the Net-NTLMv2 hash of the signed-in Windows user.
The post-exploitation actions observed were:
- Initial access (authentication bypass): Exchange Servers vulnerable to Net-NTLMv2 relay attacks. Notably, Azure AD, the default for Exchange Online, is not directly susceptible, but a federated identity provider may be at risk.
- Credential access/lateral movement: using the Exchange Web Services (EWS) API, threat actors send malicious PidLidReminderFileParameter values to internal and external users.
- Discovery/persistence: using the EWS API, threat actors enumerate and alter folder permissions in a compromised user's mailbox, granting unauthorized access. This persistence method retains access even after password resets.
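The property abuse described above leaves a concrete artifact defenders can look for: a reminder sound path that points at a host outside the organization. The following triage logic is an added example, not code from Microsoft or the original article; the sample property values, the `.corp.example` suffix and the internal address ranges are constructed assumptions.

```python
import ipaddress
import re
from typing import Dict, Optional

# Constructed sample values, as a mailbox triage export of the
# PidLidReminderFileParameter property might list them (not from a real mailbox).
SAMPLE_REMINDERS = {
    "msg-001": r"C:\Windows\Media\Alarm01.wav",                 # stock local sound
    "msg-002": r"\\fileserver.corp.example\sounds\chime.wav",   # internal share
    "msg-003": r"\\203.0.113.7\share\reminder.wav",             # external IP over SMB
    "msg-004": r"\\evil.example.net@80\dav\ding.wav",           # WebDAV-style UNC, external
    "msg-005": "",                                              # property empty
}

# Assumed trust boundary for this example: internal DNS suffixes and address ranges.
TRUSTED_SUFFIXES = (".corp.example",)
TRUSTED_NETWORKS = (ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16"))

# UNC form \\host\share or the WebDAV variant \\host@port\share; group 1 is the host.
UNC_RE = re.compile(r"^\\\\([^\\@]+)(?:@[^\\]*)?\\")


def remote_host(value: str) -> Optional[str]:
    """Host that Outlook would contact for this reminder sound, or None for a local path."""
    m = UNC_RE.match(value.strip())
    return m.group(1).lower() if m else None


def host_is_internal(host: str) -> bool:
    """True if the host is an internal IP or carries a trusted DNS suffix."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.endswith(TRUSTED_SUFFIXES)
    return any(ip in net for net in TRUSTED_NETWORKS)


def classify(value: str) -> str:
    """'local' (no network access), 'internal-unc', or 'external-unc' (auth would leave the org)."""
    host = remote_host(value)
    if host is None:
        return "local"
    return "internal-unc" if host_is_internal(host) else "external-unc"


def triage(reminders: Dict[str, str]) -> Dict[str, str]:
    """Map message id -> verdict; 'external-unc' items are the ones to remove and investigate."""
    return {msg_id: classify(value) for msg_id, value in reminders.items()}


if __name__ == "__main__":
    for msg_id, verdict in triage(SAMPLE_REMINDERS).items():
        print(f"{msg_id}: {verdict}")
```

Messages classified as `external-unc` are the candidates for removal and for the password resets and incident response steps listed in the recommendations.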
Recommendations
The recommendations provided by the cybersecurity researchers are:
- Update Microsoft Outlook promptly. If immediate patching is not feasible, implement the recommended security practices to mitigate the threat.
- Apply the latest security updates for on-premises Microsoft Exchange Server to activate defense-in-depth mitigations.
- If suspicious reminder values are detected, use the script to remove the messages or properties and initiate incident response as needed.
- Reset passwords for targeted users who received suspicious reminders and initiate incident response for affected accounts.
- Mitigate the impact of Net-NTLMv2 relay attacks by implementing multifactor authentication.
- Ensure that all unnecessary services are disabled on Exchange.
- Restrict SMB traffic by blocking ports 135 and 445, allowing only IP addresses on the allowlist.
- Disable NTLM in your environment.