Hackers Actively Exploiting Outlook Privilege Escalation Flaw


Hackers target and exploit Outlook vulnerabilities because Outlook is a widely used email client, which gives attackers a large pool of potential victims.

Exploiting vulnerabilities in Outlook allows hackers to:-

  • Gain unauthorized access to sensitive information
  • Compromise systems
  • Execute malicious activities

Cybersecurity researchers at Microsoft recently identified that Forest Blizzard (STRONTIUM), a Russian nation-state group, is actively exploiting CVE-2023-23397 to gain unauthorized access to email accounts on Exchange servers.

In collaboration with the Polish Cyber Command (DKWOC), Microsoft is taking action against Forest Blizzard, the threat actors behind this Russian nation-state activity.

Outlook Privilege Escalation Vulnerability

CVE-2023-23397 is a critical privilege escalation vulnerability in Outlook on Windows: a specially crafted message causes Outlook to leak the user’s Net-NTLMv2 hash to a server under the threat actor’s control.

This critical privilege escalation vulnerability affects all versions of Outlook on Windows, but it does not affect any version of Outlook on the following platforms:-

  • Android
  • iOS
  • Mac
  • Web (OWA)

The technique relies on Microsoft’s TNEF (Transport Neutral Encapsulation Format), which Outlook carries in Winmail.dat attachments to transmit formatted email messages, including attachments and Outlook-specific features.

Outlook on Windows allows users to set a custom reminder sound, which is stored in the PidLidReminderFileParameter MAPI property.

Setting a custom sound (Source – Microsoft)

Threat actors exploit this by using tools such as MFCMAPI to manipulate the property, deceive users, and leak the Net-NTLMv2 hash of the signed-in Windows user.

Here below, we have mentioned all the post-exploitation actions:-

  • Initial access (authentication bypass): Exchange Servers are vulnerable to Net-NTLMv2 relay attacks. Notably, Azure AD, the default identity provider for Exchange Online, is not directly susceptible, but a federated identity provider may be at risk.
  • Credential access/lateral movement: Using the Exchange Web Services (EWS) API, threat actors send messages with malicious PidLidReminderFileParameter values to internal and external users.
  • Discovery/persistence: Using the EWS API, threat actors enumerate and alter folder permissions in a compromised user’s mailbox, granting themselves unauthorized access. This persistence method ensures continued access even after password resets.

Recommendations

Here below, we have mentioned all the recommendations provided by the cybersecurity researchers:-

  • Update Microsoft Outlook promptly. If immediate patching is not feasible, implement the recommended security practices to mitigate the threat.
  • Apply the latest security updates for on-premises Microsoft Exchange Server to activate defense-in-depth mitigations.
  • If suspicious reminder values are detected, use the script to remove the messages or properties and initiate incident response as needed.
  • Reset the passwords of targeted users who received suspicious reminders and initiate an incident response for the affected accounts.
  • Mitigate the impact of Net-NTLMv2 relay attacks by implementing multifactor authentication.
  • Make sure that all unnecessary services are disabled on Exchange.
  • Control SMB traffic by blocking ports 135 and 445, allowing only the IP addresses on the allowlist.
  • Disable NTLM in your environment.
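As an added example (not code from the original article, and not Microsoft’s own detection script), the following Python flags mailbox items whose PidLidReminderFileParameter points at a remote host, covering both the reminder-sound mechanism described above and the “suspicious reminder values” the recommendations ask you to detect. The sample items, internal networks and DNS suffix are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample items (hypothetical data): each is a dict of MAPI properties
# already pulled from a mailbox, for example via an EWS or MFCMAPI export.
SAMPLE_ITEMS = [
    {"subject": "Team sync", "PidLidReminderFileParameter": r"C:\Windows\Media\chimes.wav"},
    {"subject": "Invoice overdue", "PidLidReminderFileParameter": r"\\203.0.113.10\share\alert.wav"},
    {"subject": "Quarterly review", "PidLidReminderFileParameter": "http://reminder.example.net/r.wav"},
    {"subject": "Lunch", "PidLidReminderFileParameter": None},
]

# Assumed internal address space and DNS suffix; adjust to your own environment.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
INTERNAL_SUFFIXES = (".corp.example",)
UNC_RE = re.compile(r"^[\\/]{2}([^\\/]+)")  # \\host\share\... or //host/...

def reminder_host(value):
    """Host that a reminder-sound path references, or None when the path is local."""
    if not value:
        return None
    m = UNC_RE.match(value)
    if m:
        return m.group(1)
    parsed = urlparse(value)  # http://host/file.wav, file://host/share/file.wav
    if parsed.scheme and parsed.netloc:
        return parsed.hostname
    return None  # drive-letter or relative path: a local file

def is_internal(host):
    """True when host lies in the assumed internal networks or DNS suffixes."""
    try:
        return any(ipaddress.ip_address(host) in net for net in INTERNAL_NETWORKS)
    except ValueError:
        return host.lower().endswith(INTERNAL_SUFFIXES)

def classify_reminder(value):
    """None for a local sound file; otherwise why the item should be reviewed.
    Any remote host is flagged, because a legitimate custom reminder sound is a local file."""
    host = reminder_host(value)
    if host is None:
        return None
    scope = "internal" if is_internal(host) else "external"
    return f"reminder sound path points at {scope} host {host}"

def scan_items(items):
    """Return (subject, property value, reason) for every item that needs review."""
    return [(i["subject"], i.get("PidLidReminderFileParameter"), r)
            for i in items if (r := classify_reminder(i.get("PidLidReminderFileParameter")))]
```

Run `scan_items(SAMPLE_ITEMS)` to get the two items that need review; a hit on an internal host still deserves a look, since a compromised internal machine can serve as the relay target.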
