Microsoft recently discovered the Russian state-sponsored hacker group APT28 (“Fancy Bear” or “Strontium”) exploiting a critical Outlook flaw to gain access to Microsoft Exchange accounts and steal sensitive information. This Cybersecurity Threat Advisory looks at the threat and the recommendations to protect against it.
What is the threat?
The security vulnerability, tracked as CVE-2023-23397, is a critical escalation of privilege (EoP) bug. It allows an attacker to obtain a user’s Net-NTLMv2 hash, which can then be relayed to another service to authenticate as that user. APT28 has been exploiting it since April 2022 using specially crafted Outlook notes to steal NTLM hashes, causing the target device to authenticate to an attacker-controlled SMB share without any user interaction.
Why is it noteworthy?
This is a bug which was supposedly patched by Microsoft in March 2023. According to the Polish Cyber Command (DKWOC), APT28’s goal is to gain access to mailboxes belonging to public and private entities. After gaining access, APT28 modifies folder permissions within the victim’s mailbox, changing the permissions of the “Default” group to “Owner.” Folders with this permission can then be read by any authenticated user, allowing the threat actor to extract vital information.
What is the exposure or risk?
Microsoft previously disclosed that CVE-2023-23397 had been weaponized by Russian threat actors as a zero-day vulnerability in attacks against government, transportation, energy, and military sectors throughout Europe since April 2022. Additionally, in June 2023, cybersecurity firm Recorded Future revealed a spear-phishing campaign orchestrated by APT28 that exploited numerous vulnerabilities in Roundcube, an open-source webmail software, noting that the campaign coincided with activity using CVE-2023-23397.
What are the recommendations?
CSB recommends the following actions to protect your environment against this vulnerability:
- Implement security patches for CVE-2023-23397 and its corresponding bypass CVE-2023-29324.
- Reset passwords of compromised users and enable multi-factor authentication for all users.
- Restrict SMB traffic by blocking inbound connections to TCP ports 135 and 445 from all external IP addresses.
- Harden your environment by disabling NTLM authentication.
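Because the folder permission change described above (the “Default” group raised to “Owner”) is what lets any authenticated user read a compromised mailbox, auditing for it is a practical way to find mailboxes the actor has already touched. The following is an added example, not part of the advisory or a Microsoft script; it assumes an Exchange Management Shell or Exchange Online PowerShell session where Get-Mailbox, Get-MailboxFolderStatistics and Get-MailboxFolderPermission are available, and it only reports, never changes anything.

```powershell
# Added example: report mailbox folders whose "Default" permission entry is Owner.
# Assumes an existing Exchange / Exchange Online PowerShell session (not part of the advisory).

$findings = @()

foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Enumerate every folder in the mailbox, not just Inbox, since any folder may be altered.
    $folders = Get-MailboxFolderStatistics -Identity $mbx.UserPrincipalName |
        Where-Object { $_.FolderPath -and $_.FolderType -ne 'Root' }

    foreach ($f in $folders) {
        # FolderPath is reported as "/Inbox/Sub"; the permission identity needs "user:\Inbox\Sub".
        $path = $f.FolderPath -replace '/', '\'
        $id   = "$($mbx.UserPrincipalName):$path"

        # Query only the "Default" entry, which normally carries None or AvailabilityOnly.
        $perm = Get-MailboxFolderPermission -Identity $id -User Default -ErrorAction SilentlyContinue
        if ($perm -and $perm.AccessRights -contains 'Owner') {
            $findings += [pscustomobject]@{
                Mailbox      = $mbx.UserPrincipalName
                Folder       = $path
                AccessRights = ($perm.AccessRights -join ',')
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No folders with the Default group set to Owner were found.'
}
```

Any hit should be treated as an indicator of compromise for that mailbox and followed by the password reset and MFA steps above, not simply reverted.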