Microsoft has released a detailed guide to assist customers in detecting signs of compromise resulting from exploitation of a recently patched Outlook zero-day vulnerability.
This privilege escalation security flaw in the Outlook client for Windows, tracked as CVE-2023-23397, enables attackers to steal NTLM hashes without user interaction in NTLM-relay zero-click attacks.
It can be used by threat actors to send messages with extended MAPI properties containing UNC paths to attacker-controlled SMB shares. In the report, Microsoft shared several techniques for determining whether credentials were compromised by CVE-2023-23397 exploits, as well as mitigation measures to protect against future attacks.
While the company also released a script to assist administrators in determining whether any Exchange users have been targeted, Redmond stated that defenders must look for other signs of exploitation if the threat actors have cleaned up their traces by deleting any incriminating messages.
Alternative sources of indicators of compromise associated with this Outlook flaw include telemetry extracted from multiple sources such as firewall, proxy, VPN, and RDP Gateway logs, as well as Azure Active Directory sign-in logs for Exchange Online users and IIS Logs for Exchange Server.
Where available, forensic endpoint data such as Windows event logs and telemetry from endpoint detection and response (EDR) solutions are other places security teams should look for signs of compromise.
Post-exploitation indicators in compromised environments are associated with the targeting of Exchange EWS/OWA users and malicious mailbox folder permission changes that allow the attackers to gain persistent access to the victim's emails.
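As an added example (not Microsoft's script and not code from the original article), the following Python triage helper shows the two detection ideas above side by side: flagging mailbox items whose reminder sound-file property (the extended MAPI property PidLidReminderFileParameter abused by CVE-2023-23397) points to a UNC path rather than a local file, and scanning firewall logs for outbound SMB/RPC connections (TCP 445/135) to hosts outside the organization, then correlating the two. The mailbox records, the firewall log format, the internal DNS suffix and the internal address ranges are all constructed assumptions; adapt the parsing to whatever your scan script or firewall actually exports.

```python
import ipaddress
import re

# Constructed sample: what an export of mailbox items' reminder-file property
# might look like after a scan. Senders, IDs and paths are all made up.
SAMPLE_ITEMS = [
    {"id": "item-001", "sender": "alice@corp.example", "reminder_file": None},
    {"id": "item-002", "sender": "it-support@corp.example",
     "reminder_file": "C:\\Windows\\Media\\notify.wav"},
    {"id": "item-003", "sender": "noreply@mail.example.net",
     "reminder_file": "\\\\203.0.113.7\\share\\alert.wav"},
    {"id": "item-004", "sender": "hr@corp.example",
     "reminder_file": "\\\\fileserver.corp.example\\sounds\\ding.wav"},
    {"id": "item-005", "sender": "external@example.org",
     "reminder_file": "\\\\203.0.113.7@80\\dav\\x.wav"},
]

# Constructed firewall log lines (assumed format: time action proto src:port -> dst:port).
SAMPLE_FW_LOG = """\
2023-03-15T10:02:11Z ALLOW TCP 10.1.2.3:51234 -> 203.0.113.7:445
2023-03-15T10:02:12Z ALLOW TCP 10.1.2.3:51235 -> 10.1.0.10:445
2023-03-15T10:02:13Z DENY TCP 10.1.2.3:51236 -> 198.51.100.9:135
2023-03-15T10:03:00Z ALLOW TCP 10.1.2.3:51240 -> 93.184.216.34:443
"""

# Assumptions about what counts as "inside" the organization.
INTERNAL_SUFFIXES = (".corp.example",)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# UNC path: \\host\share or the WebDAV form \\host@port\share.
UNC_RE = re.compile(r"^\\\\([^\\@]+)(?:@(\d+))?\\")
FW_RE = re.compile(r"^(\S+)\s+(ALLOW|DENY)\s+TCP\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")


def unc_host(value):
    """Return the host part of a UNC path, or None for local paths/empty values."""
    if not value:
        return None
    m = UNC_RE.match(value)
    return m.group(1).lower() if m else None


def is_internal(host):
    """Treat private IP ranges and the org's DNS suffix as internal."""
    try:
        ip = ipaddress.ip_address(host)
        return any(ip in net for net in INTERNAL_NETS)
    except ValueError:
        return host.endswith(INTERNAL_SUFFIXES)


def flag_items(items):
    """Flag items whose reminder file is a UNC path; external hosts are high severity."""
    findings = []
    for it in items:
        host = unc_host(it.get("reminder_file"))
        if host is None:
            continue  # no custom reminder sound, or a local file: not indicative
        severity = "review" if is_internal(host) else "high"
        findings.append({"id": it["id"], "sender": it["sender"],
                         "host": host, "severity": severity})
    return findings


def outbound_smb_events(log_text):
    """Return outbound TCP 445/135 connection attempts to non-internal hosts."""
    events = []
    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        ts, action, src, _sport, dst, dport = m.groups()
        if dport not in ("445", "135") or is_internal(dst):
            continue
        # DENY lines still matter: they show the client tried to reach the share.
        events.append({"time": ts, "action": action, "src": src,
                       "dst": dst, "port": int(dport)})
    return events


def correlate(findings, events):
    """Hosts that appear both in a flagged reminder property and in outbound SMB/RPC logs."""
    mail_hosts = {f["host"] for f in findings if f["severity"] == "high"}
    net_hosts = {e["dst"] for e in events}
    return mail_hosts & net_hosts


if __name__ == "__main__":
    found = flag_items(SAMPLE_ITEMS)
    events = outbound_smb_events(SAMPLE_FW_LOG)
    for f in found:
        print(f"[{f['severity']}] {f['id']} from {f['sender']} -> {f['host']}")
    for e in events:
        print(f"[net] {e['time']} {e['action']} {e['src']} -> {e['dst']}:{e['port']}")
    print("correlated hosts:", sorted(correlate(found, events)))
```

The correlation step is what makes this useful once an attacker has deleted the malicious messages: the outbound SMB attempt to the same external host survives in network logs even when the mailbox evidence is gone, which is exactly the gap the article says defenders must cover.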
CVE-2023-23397 mitigation strategies
Microsoft also provided instructions on how to prevent future attacks exploiting this vulnerability, urging organizations to install the recently released Outlook security update.
"To address this vulnerability, you must install the Outlook security update, regardless of where your mail is hosted (e.g., Exchange Online, Exchange Server, some other platform) or your organization’s support for NTLM authentication," the Microsoft Incident Response team said.
Other measures at-risk organizations can take to mitigate such attacks and post-exploitation behavior include:
- For organizations leveraging on-premises Microsoft Exchange Server, apply the latest security updates to ensure that defense-in-depth mitigations are active.
- Where suspicious or malicious reminder values are observed, make sure to use the script to remove either the messages or just the properties, and consider initiating incident response activities.
- For any targeted or compromised user, reset the passwords of any account logged in to computers on which the user received suspicious reminders, and initiate incident response activities.
- Use multifactor authentication to mitigate the impact of potential Net-NTLMv2 Relay attacks. NOTE: This will not prevent a threat actor from leaking credentials and cracking them offline.
- Disable unnecessary services on Exchange.
- Limit SMB traffic by blocking connections on ports 135 and 445 from all inbound IP addresses except those on a controlled allowlist.
- Disable NTLM in your environment.
CVE-2023-23397 has been actively exploited since at least April 2022, and it has been used to breach the networks of at least 15 European government, military, energy, and transportation organizations.
While Microsoft publicly blamed the attacks on "a Russia-based threat actor," Redmond also stated in a private threat analytics report obtained by BleepingComputer that the hacking group is APT28 (also tracked as STRONTIUM, Sednit, Sofacy, and Fancy Bear).
This threat actor has previously been linked to Russia's military intelligence service, the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). The credentials stolen in these attacks were used for lateral movement and to change Outlook mailbox folder permissions, allowing the attackers to exfiltrate emails.
"While leveraging NTLMv2 hashes to gain unauthorized access to resources is not a new technique, the exploitation of CVE-2023-23397 is novel and stealthy. Even when users reported suspicious reminders on tasks, initial security review of the messages, tasks, or calendar items involved did not result in detection of the malicious activity. Furthermore, the lack of any required user interaction contributes to the unique nature of this vulnerability," the Microsoft Incident Response team added.