Microsoft’s Menace Intelligence crew issued a warning earlier at this time in regards to the Russian state-sponsored actor APT28 (aka “Fancybear” or “Strontium”) actively exploiting the CVE-2023-23397 Outlook flaw to hijack Microsoft Change accounts and steal delicate data.
The focused entities embody authorities, power, transportation, and different key organizations in the USA, Europe, and the Center East.
The tech large additionally highlighted the exploitation of different vulnerabilities with publicly accessible exploits in the identical assaults, together with CVE-2023-38831 in WinRAR and CVE-2021-40444 in Home windows MSHTML.
Outlook flaw exploitation background
CVE-2023-23397 is a vital elevation of privilege (EoP) vulnerability in Outlook on Home windows, which Microsoft mounted as a zero-day on the March 2023 Path Tuesday.
The disclosure of the flaw got here with the revelation that APT28 had been exploiting it since April 2022 by way of specifically crafted Outlook notes designed to steal NTLM hashes, forcing the goal units to authenticate to attacker-controlled SMB shares with out requiring consumer interplay.
By elevating their privileges on the system, which was confirmed uncomplicated, APT28 carried out lateral motion within the sufferer’s atmosphere and altered Outlook mailbox permissions to carry out focused e mail theft.
Regardless of the supply of security updates and mitigation suggestions, the assault floor remained important, and a bypass of the repair (CVE-2023-29324) that adopted in Could worsened the state of affairs.
Recorded Future warned in June that APT28 doubtless leveraged the Outlook flaw in opposition to key Ukrainian organizations. In October, the French cybersecurity company (ANSSI) revealed that the Russian hackers had used the zero-click assault in opposition to authorities entities, companies, universities, analysis institutes, and assume tanks in France.
Attacks nonetheless ongoing
Microsoft’s newest warning highlights that the GRU hackers nonetheless leverage CVE-2023-38831 in assaults, so there are nonetheless programs on the market that stay weak to the vital EoP flaw.
The tech agency has additionally famous the work of the Polish Cyber Command Middle (DKWOC) in serving to detect and cease the assaults. DKWOC additionally revealed a publish describing APT28 exercise that leverages CVE-2023-38831.
The really helpful motion to take proper now, listed by precedence, is the next:
- Apply the accessible security updates for CVE-2023-23397 and its bypass CVE-2023-29324.
- Use this script by Microsoft to examine if any Change customers have been focused.
- Reset passwords of compromised customers and allow MFA (multi-factor authentication) for all customers.
- Restrict SMB visitors by blocking connections to ports 135 and 445 from all inbound IP addresses
- Disable NTLM in your atmosphere.
On condition that APT28 is a extremely resourceful and adaptive risk group, the simplest protection technique is to scale back the assault floor throughout all interfaces and guarantee all software program merchandise are commonly up to date with the newest security patches.
