Microsoft recently released guidance for its users following the discovery of a critical vulnerability in Outlook, tracked as CVE-2023-23397, which carries a CVSS score of 9.8. The flaw is classified as an elevation of privilege: an attacker can use it to obtain the victim's Net-NTLMv2 hash and relay it to authenticate to other services as that user, with no user interaction required.
External attackers initiate the compromise by sending a specially crafted email that causes the target's Outlook client to connect to an untrusted server under the attacker's control. Outlook performs this connection automatically while processing the message, before the email is viewed. Microsoft has highlighted that the connection exposes the victim's Net-NTLMv2 hash to an attacker-controlled network, allowing the attacker to authenticate as the victim against other systems.
The flaw was addressed in March 2023 as part of Microsoft's Patch Tuesday updates; however, Microsoft assessed that a Russia-based threat actor had already weaponized the vulnerability to attack government, energy, transportation and military organizations in Europe before the patch was released.
Reports from Microsoft's incident response team indicate that exploitation attempts may have begun as early as April 2022. In one notable incident, a successful relay attack allowed the attacker to authenticate to an Exchange Server and modify mailbox folder permissions, creating a backdoor for continued access to the mailbox within the compromised environment.
The attackers then used the compromised email account to extend the intrusion, sending further malicious messages to other members of the same organization. While using NTLMv2 hashes to gain unauthorized access is not a new technique, Microsoft describes the specific exploitation of CVE-2023-23397 as both novel and stealthy.
To detect exploitation, Microsoft advises organizations to review SMBClient event logging, Process Creation events and other relevant network telemetry for signs of activity linked to CVE-2023-23397, in particular outbound SMB connections from Outlook to external hosts. Beyond patching, Microsoft's guidance also recommends blocking outbound TCP 445 (SMB) at the perimeter and adding high-value accounts to the Protected Users security group, which prevents them from authenticating with NTLM at all.
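As an added illustration of the telemetry review described above (this is example code written for this page, not a tool from Microsoft or the original article), the script below scans network-connection events and flags outbound SMB connections initiated by OUTLOOK.EXE to addresses outside the organization's own ranges, which is the pattern the crafted message produces when the client reaches for the attacker's UNC path. It assumes Sysmon-style key=value event lines (Event ID 3 fields) exported to text; the sample lines and the list of internal networks are constructed for the example and should be replaced with real exports and the site's own address plan.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample telemetry in a Sysmon Event ID 3 (network connection)
# key=value style. These lines are invented for illustration, not real logs.
SAMPLE_EVENTS = [
    "UtcTime=2023-03-15 09:12:01 Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE DestinationIp=10.0.4.21 DestinationPort=445 Initiated=true",
    "UtcTime=2023-03-15 09:12:08 Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE DestinationIp=203.0.113.45 DestinationPort=445 Initiated=true",
    "UtcTime=2023-03-15 09:13:40 Image=C:\\Windows\\System32\\svchost.exe DestinationIp=198.51.100.7 DestinationPort=443 Initiated=true",
    "UtcTime=2023-03-15 09:14:02 Image=C:\\Windows\\explorer.exe DestinationIp=192.168.1.50 DestinationPort=445 Initiated=true",
    "UtcTime=2023-03-15 09:15:11 Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE DestinationIp=198.51.100.7 DestinationPort=80 Initiated=true",
]

# Assumed internal address plan (RFC 1918 plus loopback and link-local).
# A real deployment would list the organization's own ranges here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Ports on which a UNC path is fetched over SMB.
SMB_PORTS = {445, 139}

# key=value pairs; values may contain spaces (e.g. "Program Files"), so the
# value runs until the next " key=" token or end of line.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value event line into a dict."""
    return {k: v for k, v in KV_RE.findall(line)}


def is_outlook(image: str) -> bool:
    """True when the initiating process is Outlook, whatever the install path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].upper() == "OUTLOOK.EXE"


def is_external(ip_text: str) -> bool:
    """True when the destination lies outside every internal range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable address: leave it for a different check
    return not any(ip in net for net in INTERNAL_NETS)


def is_suspicious(ev: Dict[str, str]) -> bool:
    """Outlook opening an outbound SMB connection to a non-internal host."""
    if not is_outlook(ev.get("Image", "")):
        return False
    if ev.get("Initiated", "").lower() != "true":
        return False
    try:
        port = int(ev.get("DestinationPort", ""))
    except ValueError:
        return False
    return port in SMB_PORTS and is_external(ev.get("DestinationIp", ""))


def find_suspicious(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed events that match the CVE-2023-23397 pattern."""
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev)]


if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_EVENTS):
        print(f"{ev['UtcTime']}  OUTLOOK.EXE -> {ev['DestinationIp']}:{ev['DestinationPort']}")
```

Only the second sample line is reported: Outlook talking SMB to an internal file server is routine (reminder sounds and attachments are often stored on shares), and Outlook talking HTTP/HTTPS to the Internet is normal Exchange Online traffic, so neither is flagged. Two caveats a practitioner should keep in mind: if outbound 445 is blocked at the perimeter, the same exploit attempt appears as a failed SMB connection rather than a successful one, so the SMBClient connectivity log is a better source than successful-connection events alone; and when SMB fails, Windows may retry the UNC path over WebDAV on ports 80 and 443 if the WebClient service is running, which this simple port filter does not cover.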
The advisory follows the release by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) of a new open-source tool for identifying suspicious activity in Microsoft cloud environments. Known as the Untitled Goose Tool, it lets defenders gather and analyze data from Microsoft Azure, Azure Active Directory and Microsoft 365 environments using novel authentication and data-collection methods.
In light of these incidents, Microsoft has also reminded customers to keep on-premises Exchange servers fully updated and to harden their networks against related threats. Applying the patch, blocking outbound SMB and reviewing the telemetry above are the concrete steps that close off attack chains like CVE-2023-23397, which Microsoft maps to the MITRE ATT&CK tactics of initial access, privilege escalation and persistence.
As the threat landscape continues to evolve, organizations need to stay informed about vulnerabilities of this kind and act on vendor guidance promptly.