Headline
Microsoft Outlook Vulnerability Exploited by Russian Forest Blizzard Group
By Waqas Forest Blizzard (aka STRONTIUM, APT28, and Fancy Bear) is thought to have affiliations with or support from the Russian military intelligence agency. This is a post from HackRead.com Read the original post: Microsoft Outlook Vulnerability Exploited by Russian Forest Blizzard Group
Microsoft urges customers to install Exchange Server security patch and update WinRAR to thwart Forest Blizzard hackers.
In March 2023, Microsoft’s Threat Protection Intelligence team identified a critical vulnerability (CVE-2023-23397) that exposed Microsoft Outlook customers to potential exploitation by threat actors. The vulnerability allowed attackers to steal Net-NTLMv2 hashes and gain access to user accounts.
The vulnerability is caused by a specially crafted email message sent to a user. Upon opening the message, the user’s Net-NTLMv2 hash is transmitted to the attacker, who can subsequently leverage the hash to pilfer the user’s password.
Threat actor exploiting the vulnerability to gain unauthorized access to Exchange Server (1) – Threat actor activity to extend their access in a compromised environment by using a compromised e-mail account (2) (Credit: Microsoft)
Now, in an updated blog post, the team has revealed that it has found evidence that the vulnerability has been exploited by the threat actor group Forest Blizzard (aka STRONTIUM, APT28, and Fancy Bear) to attack organizations.
For your information, the group is thought to have affiliations with or support from the Russian military intelligence agency. Notably, this is the same group allegedly led by Russian GRU officer Lieutenant Colonel Sergey Alexandrovich Morgachev, whose email address was compromised by the Ukrainian hacktivist group Cyber Resistance in April 2023.
Forest Blizzard is known for its focus on critical infrastructure, including government entities, energy sectors, transportation systems, and non-governmental organizations. Its operations extend to the Middle East, the United States, and Europe.
In its December 4 blog post Microsoft also highlighted that as of September 2023, Forest Blizzard had exploited a 0-day vulnerability in WinRAR, which was initially identified in August 2023 (CVE-2023-38831). By that time, multiple Advanced Persistent Threat (APT) groups had already targeted 130 organizations, successfully pilfering funds from traders.
Despite the availability of a patch for WinRAR’s 0-day vulnerability, threat actors persist in targeting systems that continue to use the unpatched version of the software.
The good news is that Microsoft collaborated with the Polish Cyber Command (DKWOC) to counter Forest Blizzard’s actions. At the time of writing, Microsoft had released a patch for the vulnerability (CVE-2023-23397).
The patch is available for all supported versions of Outlook. Users are urged to install the patch as soon as possible.
****Takeaway****
Microsoft Exchange customers should promptly install the latest security patches and update to the latest version. Users of WinRAR are also advised to update to mitigate the risk of falling victim to the Forest Blizzard APT group.
In addition to installing the patch, users can also take the following steps to protect themselves from this vulnerability:
- Use a strong password for your Outlook account.
- Be careful about the email messages that you open.
- Enable two-factor authentication for your Outlook account.
- Do not open email messages from unknown senders or email messages that contain attachments.
****RELATED ARTICLES****
- Fancy Bears Hacked IAAF – Athletes’ Data Stolen
- Fancy Bear’s VPNfilter malware is back with 7 new modules
- Anti-theft software LoJack hijacked by Russian Fancy Bear group
- Ukraine Hacks Russia’s Aviation Agency, Claims “Aviation Cannibalism”
- Fancy Bear Hackers Distributing Graphite Malware using PowerPoint Files
Related news
By Waqas The #MonikerLink security flaw in Microsoft Outlook allows hackers to execute arbitrary code on the targeted device. This is a post from HackRead.com Read the original post: New MonikerLink Flaw Exposes Outlook Users to Data Theft and Malware
Russian state-sponsored actors have staged NT LAN Manager (NTLM) v2 hash relay attacks through various methods from April 2022 to November 2023, targeting high-value targets worldwide. The attacks, attributed to an "aggressive" hacking crew called APT28, have set their eyes on organizations dealing with foreign affairs, energy, defense, and transportation, as well as those involved with
Indian government entities and the defense sector have been targeted by a phishing campaign that's engineered to drop Rust-based malware for intelligence gathering. The activity, first detected in October 2023, has been codenamed Operation RusticWeb by enterprise security firm SEQRITE. "New Rust-based payloads and encrypted PowerShell commands have been utilized to exfiltrate
Technical details have emerged about two now-patched security flaws in Microsoft Windows that could be chained by threat actors to achieve remote code execution on the Outlook email service sans any user interaction. "An attacker on the internet can chain the vulnerabilities together to create a full, zero-click remote code execution (RCE) exploit against Outlook clients," Akamai security
The Russian nation-state threat actor known as APT28 has been observed making use of lures related to the ongoing Israel-Hamas war to facilitate the delivery of a custom backdoor called HeadLace. IBM X-Force is tracking the adversary under the name ITG05, which is also known as BlueDelta, Fancy Bear, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Sednit, Sofacy, and
Microsoft on Monday said it detected Kremlin-backed nation-state activity exploiting a critical security flaw in its Outlook email service to gain unauthorized access to victims' accounts within Exchange servers. The tech giant attributed the intrusions to a threat actor it called Forest Blizzard (formerly Strontium), which is also widely tracked under the monikers APT28,
A new phishing attack has been observed leveraging a Russian-language Microsoft Word document to deliver malware capable of harvesting sensitive information from compromised Windows hosts. The activity has been attributed to a threat actor called Konni, which is assessed to share overlaps with a North Korean cluster tracked as Kimsuky (aka APT43). "This campaign relies on a remote access trojan
A hacking group that leveraged a recently disclosed security flaw in the WinRAR software as a zero-day has now been categorized as an entirely new advanced persistent threat (APT). Cybersecurity company NSFOCUS has described DarkCasino as an "economically motivated" actor that first came to light in 2021. "DarkCasino is an APT threat actor with strong technical and learning ability, who is good
The Pakistan-linked threat actor known as SideCopy has been observed leveraging the recent WinRAR security vulnerability in its attacks targeting Indian government entities to deliver various remote access trojans such as AllaKore RAT, Ares RAT, and DRat. Enterprise security firm SEQRITE described the campaign as multi-platform, with the attacks also designed to infiltrate Linux systems with a
By Deeba Ahmed All a user needs to do is visit the official WinRAR website and install the latest version to thwart the attack. This is a post from HackRead.com Read the original post: APTs Exploiting WinRAR 0day Flaw Despite Patch Availability
A number of state-back threat actors from Russia and China have been observed exploiting a recent security flaw in the WinRAR archiver tool for Windows as part of their operations. The vulnerability in question is CVE-2023-38831 (CVSS score: 7.8), which allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The shortcoming has been actively
A malicious actor released a fake proof-of-concept (PoC) exploit for a recently disclosed WinRAR vulnerability on GitHub with an aim to infect users who downloaded the code with VenomRAT malware. "The fake PoC meant to exploit this WinRAR vulnerability was based on a publicly available PoC script that exploited a SQL injection vulnerability in an application called GeoServer, which is tracked as
This Metasploit module exploits a vulnerability in WinRAR (CVE-2023-38831). When a user opens a crafted RAR file and its embedded document, the decoy document is executed, leading to code execution.
Hello everyone! This month I decided NOT to make an episode completely dedicated to Microsoft Patch Tuesday. Instead, this episode will be an answer to the question of how my Vulnerability Management month went. A retrospection of some kind. Alternative video link (for Russia): https://vk.com/video-149273431_456239134 GitHub exploits and Vulristics This month I made some improvements […]
By Habiba Rashid The 0-day vulnerability in WinRAR, which has been exploited, is targeting traders and has successfully stolen funds from 130 victims so far. This is a post from HackRead.com Read the original post: WinRAR users update your software as 0-day vulnerability is found
RARLabs WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file. This was exploited in the wild in April through August 2023.
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks perpetrated by Russian nation-state hackers targeting various government bodies in the country. The agency attributed the phishing campaign to APT28, which is also known by the names Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, Sednit, and Sofacy. The email messages come with the subject line "
Hello everyone! This episode will be about Microsoft Patch Tuesday for March 2023, including vulnerabilities that were added between February and March Patch Tuesdays. Alternative video link (for Russia): https://vk.com/video-149273431_456239119 As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities. I took the comments about the vulnerabilities from the Qualys, Tenable, Rapid7, ZDI […]
Facebook users are notoriously the biggest offenders for sharing fake news and misinformation.
As many as 55 zero-day vulnerabilities were exploited in the wild in 2022, with most of the flaws discovered in software from Microsoft, Google, and Apple. While this figure represents a decrease from the year before, when a staggering 81 zero-days were weaponized, it still represents a significant uptick in recent years of threat actors leveraging unknown security flaws to their advantage. The
The latest episode of ThreatWise TV from Hazel Burton is the closest look yet at the team Talos assembled in the days after Russia invaded Ukraine.
Cisco Talos is urging all users to update Microsoft Outlook after the discovery of a critical vulnerability, CVE-2023-23397, in the email client that attackers are actively exploiting in the wild.
Microsoft on Tuesday released updates to quash at least 74 security bugs in its Windows operating systems and software. Two of those flaws are already being actively attacked, including an especially severe weakness in Microsoft Outlook that can be exploited without any user interaction.
Microsoft's Patch Tuesday update for March 2023 is rolling out with remediations for a set of 80 security flaws, two of which have come under active exploitation in the wild. Eight of the 80 bugs are rated Critical, 71 are rated Important, and one is rated Moderate in severity. The updates are in addition to 29 flaws the tech giant fixed in its Chromium-based Edge browser in recent weeks. The
Categories: Exploits and vulnerabilities Categories: News Tags: patch Tuesday Tags: March Tags: 2023 Tags: Microsoft Tags: Adobe Tags: Fortinet Tags: Android Tags: SAP Tags: CVE-2023-23397 Tags: CVE-2023-24880 Tags: CVE-2023-26360 Tags: CVE-2022-41328 This Patch Tuesday, Microsoft has released fixes for two actively exploited zero-days and Adobe has fixed one. (Read more...) The post Update now! Microsoft fixes two zero-day bugs appeared first on Malwarebytes Labs.
Microsoft Outlook Elevation of Privilege Vulnerability