Security
Headlines
HeadlinesLatestCVEs

Headline

Microsoft Warns of Stealthy Outlook Vulnerability Exploited by Russian Hackers

Microsoft on Friday shared guidance to help customers discover indicators of compromise (IoCs) associated with a recently patched Outlook vulnerability. Tracked as CVE-2023-23397 (CVSS score: 9.8), the critical flaw relates to a case of privilege escalation that could be exploited to steal NT Lan Manager (NTLM) hashes and stage a relay attack without requiring any user interaction. "External

The Hacker News
#vulnerability#web#microsoft#samba#auth#The Hacker News

Enterprise Security / Microsoft

Microsoft on Friday shared guidance to help customers discover indicators of compromise (IoCs) associated with a recently patched Outlook vulnerability.

Tracked as CVE-2023-23397 (CVSS score: 9.8), the critical flaw relates to a case of privilege escalation that could be exploited to steal NT Lan Manager (NTLM) hashes and stage a relay attack without requiring any user interaction.

“External attackers could send specially crafted emails that will cause a connection from the victim to an untrusted location of attackers’ control,” the company noted in an advisory released this month.

"This will leak the Net-NTLMv2 hash of the victim to the untrusted network which an attacker can then relay to another service and authenticate as the victim.

The vulnerability was resolved by Microsoft as part of its Patch Tuesday updates for March 2023, but not before Russia-based threat actors weaponized the flaw in attacks targeting government, transportation, energy, and military sectors in Europe.

Microsoft’s incident response team said it found evidence of potential exploitation of the shortcoming as early as April 2022.

In one attack chain described by the tech giant, a successful Net-NTLMv2 Relay attack enabled the threat actor to gain unauthorized access to an Exchange Server and modify mailbox folder permissions for persistent access.

The compromised email account was then used to extend the adversary’s access within the compromised environment by sending additional malicious messages to target other members of the same organization.

“While leveraging NTLMv2 hashes to gain unauthorized access to resources is not a new technique, the exploitation of CVE-2023-23397 is novel and stealthy,” Microsoft said.

“Organizations should review SMBClient event logging, Process Creation events, and other available network telemetry to identify potential exploitation via CVE-2023-23397.”

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company’s SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

The disclosure comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a new open source incident response tool that helps detect signs of malicious activity in Microsoft cloud environments.

Dubbed Untitled Goose Tool, the Python-based utility offers “novel authentication and data gathering methods” to analyze Microsoft Azure, Azure Active Directory, and Microsoft 365 environments, the agency said.

Earlier this year, Microsoft also urged customers to keep their on-premises Exchange servers updated as well as take steps to bolster their networks to mitigate potential threats.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related news

Microsoft Patch Tuesday, July 2024 Edition

Microsoft Corp. today issued software updates to plug 139 security holes in various flavors of Windows and other Microsoft products. Redmond says attackers are already exploiting at least two of the vulnerabilities in active attacks against Windows users.

Russian APT28 Hackers Targeting High-Value Orgs with NTLM Relay Attacks

Russian state-sponsored actors have staged NT LAN Manager (NTLM) v2 hash relay attacks through various methods from April 2022 to November 2023, targeting high-value targets worldwide. The attacks, attributed to an "aggressive" hacking crew called APT28, have set their eyes on organizations dealing with foreign affairs, energy, defense, and transportation, as well as those involved with

How Outlook notification sounds can lead to zero-click exploits

A researcher found two Microsoft vulnerabilities which could be combined to achieve zero-click remote code execution.

Russian APT28 Hackers Targeting 13 Nations in Ongoing Cyber Espionage Campaign

The Russian nation-state threat actor known as APT28 has been observed making use of lures related to the ongoing Israel-Hamas war to facilitate the delivery of a custom backdoor called HeadLace. IBM X-Force is tracking the adversary under the name ITG05, which is also known as BlueDelta, Fancy Bear, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Sednit, Sofacy, and

Microsoft Warns of Kremlin-Backed APT28 Exploiting Critical Outlook Vulnerability

Microsoft on Monday said it detected Kremlin-backed nation-state activity exploiting a critical security flaw in its Outlook email service to gain unauthorized access to victims' accounts within Exchange servers. The tech giant attributed the intrusions to a threat actor it called Forest Blizzard (formerly Strontium), which is also widely tracked under the monikers APT28,

Microsoft Releases Patch for Two New Actively Exploited Zero-Days Flaws

Microsoft has released software fixes to remediate 59 bugs spanning its product portfolio, including two zero-day flaws that have been actively exploited by malicious cyber actors. Of the 59 vulnerabilities, five are rated Critical, 55 are rated Important, and one is rated Moderate in severity. The update is in addition to 35 flaws patched in the Chromium-based Edge browser since last month's

Microsoft Warns of Widescale Credential Stealing Attacks by Russian Hackers

Microsoft has disclosed that it's detected a spike in credential-stealing attacks conducted by the Russian state-affiliated hacker group known as Midnight Blizzard. The intrusions, which made use of residential proxy services to obfuscate the source IP address of the attacks, target governments, IT service providers, NGOs, defense, and critical manufacturing sectors, the tech giant's threat

Experts Detail New Zero-Click Windows Vulnerability for NTLM Credential Theft

Cybersecurity researchers have shared details about a now-patched security flaw in Windows MSHTML platform that could be abused to bypass integrity protections on targeted machines. The vulnerability, tracked as CVE-2023-29324 (CVSS score: 6.5), has been described as a security feature bypass. It was addressed by Microsoft as part of its Patch Tuesday updates for May 2023. Akamai security

APT28 Targets Ukrainian Government Entities with Fake "Windows Update" Emails

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks perpetrated by Russian nation-state hackers targeting various government bodies in the country. The agency attributed the phishing campaign to APT28, which is also known by the names Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, Sednit, and Sofacy. The email messages come with the subject line "

Microsoft Patch Tuesday March 2023: Outlook EoP, MOTW Bypass, Excel DoS, HTTP/3 RCE, ICMP RCE, RPC RCE

Hello everyone! This episode will be about Microsoft Patch Tuesday for March 2023, including vulnerabilities that were added between February and March Patch Tuesdays. Alternative video link (for Russia): https://vk.com/video-149273431_456239119 As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities. I took the comments about the vulnerabilities from the Qualys, Tenable, Rapid7, ZDI […]

From Ransomware to Cyber Espionage: 55 Zero-Day Vulnerabilities Weaponized in 2022

As many as 55 zero-day vulnerabilities were exploited in the wild in 2022, with most of the flaws discovered in software from Microsoft, Google, and Apple. While this figure represents a decrease from the year before, when a staggering 81 zero-days were weaponized, it still represents a significant uptick in recent years of threat actors leveraging unknown security flaws to their advantage. The

Microsoft Outlook Vulnerability Could Be 2023's 'It' Bug

Snowballing PoC exploits for CVE-2023-23397 and a massive attack surface means almost business user could be a victim.

Threat Source newsletter (March 16, 2023) — A deep dive into Talos' work in Ukraine

The latest episode of ThreatWise TV from Hazel Burton is the closest look yet at the team Talos assembled in the days after Russia invaded Ukraine.

Microsoft Patch Tuesday, March 2023 Edition

Microsoft on Tuesday released updates to quash at least 74 security bugs in its Windows operating systems and software. Two of those flaws are already being actively attacked, including an especially severe weakness in Microsoft Outlook that can be exploited without any user interaction.

Microsoft Rolls Out Patches for 80 New Security Flaws — Two Under Active Attack

Microsoft's Patch Tuesday update for March 2023 is rolling out with remediations for a set of 80 security flaws, two of which have come under active exploitation in the wild. Eight of the 80 bugs are rated Critical, 71 are rated Important, and one is rated Moderate in severity. The updates are in addition to 29 flaws the tech giant fixed in its Chromium-based Edge browser in recent weeks. The

Update now! Microsoft fixes two zero-day bugs

Categories: Exploits and vulnerabilities Categories: News Tags: patch Tuesday Tags: March Tags: 2023 Tags: Microsoft Tags: Adobe Tags: Fortinet Tags: Android Tags: SAP Tags: CVE-2023-23397 Tags: CVE-2023-24880 Tags: CVE-2023-26360 Tags: CVE-2022-41328 This Patch Tuesday, Microsoft has released fixes for two actively exploited zero-days and Adobe has fixed one. (Read more...) The post Update now! Microsoft fixes two zero-day bugs appeared first on Malwarebytes Labs.

Microsoft Zero-Day Bugs Allow Security Feature Bypass

Security vendors urge organizations to fix the actively exploited bugs, in Microsoft Outlook and the Mark of the Web feature, immediately.

Microsoft Patch Tuesday for March 2023 — Snort rules and prominent vulnerabilities

Microsoft disclosed 83 vulnerabilities across the company’s hardware and software line, including two issues that are actively being exploited in the wild, continuing a trend of zero-days appearing in Patch Tuesdays over the past few months.

Microsoft Mitigates Outlook Elevation of Privilege Vulnerability

May 9, 2023 update: Releases for Microsoft Products has been updated with the release of CVE-2023-29324 - Security Update Guide - Microsoft - Windows MSHTML Platform Security Feature Bypass Vulnerability March 24, 2023 update: Impact Assessment has been updated to a link to Guidance for investigating attacks using CVE-2023-23397 - Microsoft Security Blog.

CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability

**According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H), integrity (I:H) and availability (A:H). What does that mean for this vulnerability?** An attacker who successfully exploited this vulnerability could access a user's Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user.