Microsoft has fixed a zero-day vulnerability (CVE-2023-23397) in Outlook that was exploited by a hacking group with ties to Russia’s military intelligence service, GRU. The hacking group, known under various names such as APT28, STRONTIUM, Sednit, Sofacy, and Fancy Bear, used the security flaw to target European organizations in sectors including government, military, energy, and transportation between April and December 2022.

The hackers sent malicious Outlook notes and tasks to steal NTLM hashes via NTLM negotiation requests, forcing targeted devices to authenticate to attacker-controlled SMB shares. The stolen credentials were then used for lateral movement within the victims’ networks and for changing Outlook mailbox folder permissions, enabling email exfiltration for specific accounts.

Microsoft shared this information in a private threat analytics report available to customers with Microsoft 365 Defender, Microsoft Defender for Business, or Microsoft Defender for Endpoint Plan 2 subscriptions. The vulnerability (CVE-2023-23397) was reported by CERT-UA, Ukraine’s Computer Emergency Response Team.

It is a critical Outlook elevation of privilege security flaw that can be exploited without user interaction in low-complexity attacks. Threat actors can exploit the vulnerability by sending messages with extended MAPI properties containing UNC paths to an SMB share (TCP 445) under their control.
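The defensive check that follows from the description above is to look for mailbox items whose extended MAPI properties carry a UNC path, since Outlook will authenticate over SMB to whatever host that path names. The example below is added here and is not code from the article or from Microsoft; it assumes the property name PidLidReminderFileParameter (the reminder-sound property named in public Microsoft guidance, not in this article) and uses constructed sample items rather than a live mailbox.

```python
import re

# Constructed sample items: each is a dict of named MAPI properties.
# The property name PidLidReminderFileParameter is an assumption taken from
# public Microsoft guidance; the article itself does not name the property.
SAMPLE_ITEMS = [
    {"subject": "Quarterly plan",
     "PidLidReminderFileParameter": "C:\\Windows\\Media\\reminder.wav"},
    {"subject": "Task: review",
     "PidLidReminderFileParameter": "\\\\203.0.113.10\\share\\r.wav"},
    {"subject": "Meeting",
     "PidLidReminderFileParameter": "\\\\?\\UNC\\files.example.net\\s\\r.wav"},
    {"subject": "Note", "PidLidReminderFileParameter": None},
]

# Matches both "\\host\share" and the long form "\\?\UNC\host\share".
UNC_RE = re.compile(r"^(?:\\\\\?\\UNC\\|\\\\)([^\\/]+)[\\/]", re.IGNORECASE)


def unc_host(value):
    """Return the host named by a UNC path, or None if value is not UNC."""
    if not value:
        return None
    m = UNC_RE.match(value)
    return m.group(1).lower() if m else None


def scan(items, trusted_hosts=frozenset()):
    """Flag every item whose reminder property points at a UNC path.

    Any UNC path is reported, because the client authenticates to the host
    when the reminder fires; hosts outside trusted_hosts are marked external
    so an analyst can prioritise them.
    """
    hits = []
    for item in items:
        host = unc_host(item.get("PidLidReminderFileParameter"))
        if host:
            hits.append((item["subject"], host, host not in trusted_hosts))
    return hits


if __name__ == "__main__":
    for subject, host, external in scan(SAMPLE_ITEMS, {"files.example.net"}):
        print(f"{'EXTERNAL' if external else 'internal'} UNC in {subject!r}: {host}")
```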