Hackers target and exploit Outlook vulnerabilities because it is a widely used email platform, providing a large potential victim pool.
Exploiting vulnerabilities in Outlook allows hackers to:
- Gain unauthorized access to sensitive information
- Compromise systems
- Execute malicious activities
Cybersecurity researchers at Microsoft recently identified that Forest Blizzard (STRONTIUM), a Russian nation-state group, is actively exploiting CVE-2023-23397 to gain unauthorized access to email accounts on Exchange servers.
In collaboration with the Polish Cyber Command (DKWOC), Microsoft has taken action against the threat actors behind Forest Blizzard.
Outlook Privilege Escalation Vulnerability
CVE-2023-23397 is rated a critical Outlook vulnerability on Windows. It is a privilege escalation vulnerability: a crafted message can trigger a leak of the user's Net-NTLMv2 hash to a server the attacker controls.
This critical privilege escalation vulnerability affects all versions of Outlook for Windows, but it does not affect any version of the following platforms:
- Android
- iOS
- Mac
- Web (OWA)
The exploit is delivered using Microsoft's TNEF (Transport Neutral Encapsulation Format), which Outlook uses to transmit formatted email messages, including attachments and Outlook-specific features, as a Winmail.dat attachment.
Outlook on Windows allows users to set a custom reminder sound; the chosen sound is stored in the PidLidReminderFileParameter MAPI property.
Threat actors abuse this property, using tools such as MFCMAPI to manipulate it, deceive users, and leak the Net-NTLMv2 hash of the signed-in Windows user.
The observed post-exploitation actions are as follows:
- Initial access (authentication bypass): Exchange Servers are vulnerable to Net-NTLMv2 relay attacks. Notably, Azure AD, the default for Exchange Online, is not directly susceptible, but a federated identity provider may be at risk.
- Credential access/lateral movement: Using the Exchange Web Services (EWS) API, threat actors send messages with malicious PidLidReminderFileParameter values to internal and external users.
- Discovery/persistence: Using the EWS API, threat actors enumerate and alter folder permissions in a compromised user's mailbox, granting themselves unauthorized access. This persistence method ensures continued access even after password resets.
Recommendations
The recommendations provided by the cybersecurity researchers are as follows:
- Update Microsoft Outlook promptly. If immediate patching is not feasible, implement the recommended security practices to mitigate the threat.
- Apply the latest security updates for on-premises Microsoft Exchange Server to enable its defense-in-depth mitigations.
- If suspicious reminder values are detected, use the script to remove the messages or properties and initiate incident response as needed.
- Reset the passwords of targeted users who received suspicious reminders and initiate incident response for the affected accounts.
- Mitigate the impact of Net-NTLMv2 relay attacks by implementing multifactor authentication.
- Disable all unnecessary services on Exchange.
- Control SMB traffic by blocking ports 135 and 445, permitting only the IP addresses on your allowlist.
- Disable NTLM in your environment.