
Microsoft Exchange Accounts at Risk: Exploitation of Outlook Vulnerability

Russian group Fancybear hacked Microsoft Exchange accounts in US, Europe, and Middle East using a patched Windows Outlook flaw (CVE-2023-23397)


Microsoft's Threat Intelligence team has recently confirmed a cybersecurity breach involving the Russian state-sponsored actor APT28, also known as “Fancybear” or “Strontium”. The group has used a critical elevation of privilege (EoP) flaw in Outlook on Windows, identified as CVE-2023-23397, to hijack Microsoft Exchange accounts and access sensitive data. The exploitation has targeted strategic organizations across the United States, Europe, and the Middle East, spanning the government, energy, and transportation sectors.

The Exploit in Detail

CVE-2023-23397 allows attackers to elevate their privileges on a system without requiring any user interaction. APT28 has exploited it since April 2022 using specially crafted Outlook messages that steal NTLM hash credentials: the messages cause the recipient's device to authenticate to attacker-controlled SMB shares. The resulting privilege elevation lets attackers move laterally within the network and modify Outlook mailbox permissions in order to steal email. Compounding the threat, a bypass for the initial fix, tracked as CVE-2023-29324, was discovered in May, increasing the potential for ongoing exploitation.

Microsoft released patches addressing these vulnerabilities in March 2023. However, additional vulnerabilities have been exploited in concert with the Outlook bug, including CVE-2023-38831 in WinRAR and CVE-2021-40444 in Windows MSHTML.

Continuous Threat and Defense Strategies

Despite the availability of security updates and mitigation guidelines, numerous systems remain susceptible to CVE-2023-23397. The Polish Cyber Command Center (DKWOC) has actively assisted in identifying and halting the exploitation attempts. They have published a detailed account of the APT28 activities linked to the Outlook vulnerability.

In response to the ongoing threats, Microsoft warns that the APT28 group continues to exploit CVE-2023-38831, a sign that unpatched vulnerabilities remain a concern. Organizations are advised to prioritize reducing their attack surface and to apply security updates to all software products promptly. Proactive defense against advanced persistent threats like APT28 relies on persistent vigilance and timely patching as fixes become available.

Microsoft has previously gone to war with FancyBear, winning court approval in 2017 to shut down domains owned by the attack group. However, the move did not stop the group from continuing to pose a global cyber threat.

Luke Jones
Luke has been writing about Microsoft and the wider tech industry for over 10 years. With a degree in creative and professional writing, Luke looks for the interesting spin when covering AI, Windows, Xbox, and more.
