Microsoft recently released a security advisory on a critical vulnerability, CVE-2023-23397, affecting its Outlook desktop client. This vulnerability has already been exploited by Russia-based threat actors in attacks targeting government, transportation, energy, and military sectors in Europe. The flaw relates to privilege escalation, which enables attackers to steal NT Lan Manager (NTLM) hashes and conduct a relay attack without requiring user interaction.
Microsoft's incident response team detected potential exploitation of the vulnerability as early as April 2022. The threat actors were able to modify mailbox folder permissions for persistent access after a successful Net-NTLMv2 Relay attack on an Exchange Server. Microsoft released a patch for the vulnerability as part of its Patch Tuesday updates for March 2023.
The exploit is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB share on a threat actor-controlled server. No user interaction is required. The connection to a remote SMB server sends the user a new technology LAN manager (NTLM) negotiation message, which is then relayed for authentication against supporting systems. Online services such as Microsoft 365 are not vulnerable to this exploit since they do not support NTLM authentication.
According to Microsoft Threat Intelligence, the vulnerability only affected Outlook for Windows, while macOS, iOS, Android, and web versions were unaffected. The company urges customers with 32-bit and 64-bit versions of Outlook to apply the patch to their Windows machines, including Outlook 2013, Outlook 2016, Outlook 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise.
In conclusion, this critical vulnerability highlights the importance of timely security updates and patches to maintain the utmost security against cyber threats. It also emphasizes the need for organizations to remain vigilant and adopt best cybersecurity practices to protect themselves from potential attacks.
0 Comments