Microsoft's Threat Intelligence team has recently confirmed a cybersecurity breach involving the Russian state-sponsored actor APT28, also known as "Fancy Bear" or "Strontium". The group has used a critical elevation of privilege (EoP) flaw in Outlook on Windows, tracked as CVE-2023-23397, to hijack Microsoft Exchange accounts and access sensitive data. The attacks have targeted strategic organizations across the United States, Europe, and the Middle East, spanning the government, energy, and transportation sectors.
The Exploit in Detail
CVE-2023-23397 allows attackers to elevate their privileges on a system without any user interaction. APT28 has exploited it since April 2022 using specially crafted Outlook messages that leak NTLM hash credentials: the messages cause the recipient's device to authenticate to attacker-controlled SMB shares, and Outlook triggers this automatically when it processes the message. The resulting privilege elevation lets the attackers move laterally within the network and modify Outlook mailbox permissions in order to steal email. Compounding the threat, a bypass of the initial fix, tracked as CVE-2023-29324, was discovered in May, increasing the potential for ongoing exploitation.
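The credential leak described above has two observable sides a defender can check for: the message itself carries a file path that points at a remote SMB share, and the victim workstation then opens an outbound SMB (TCP/445) connection to that share. The following added example (not from the article, Microsoft, or any vendor tool) shows both checks over constructed data. The message records, firewall log format and internal DNS suffix are assumptions; PidLidReminderFileParameter is the real name of the Outlook reminder-sound property abused in this CVE, which the article itself does not name.

```python
"""Added defender-side example: flag Outlook messages whose reminder-sound
property is a UNC path (the NTLM-leak primitive behind CVE-2023-23397) and
flag permitted outbound SMB in firewall logs. Message records, the log
format and the internal suffix are constructed/assumed."""
import ipaddress
import re

INTERNAL_SUFFIXES = (".corp.example",)  # assumed internal DNS suffixes
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed message export: one dict per message with the property of interest.
SAMPLE_MESSAGES = [
    {"id": "msg-001", "sender": "hr@example.org",
     "PidLidReminderFileParameter": None},
    {"id": "msg-002", "sender": "calendar@example.org",
     "PidLidReminderFileParameter": r"C:\Windows\Media\chimes.wav"},
    {"id": "msg-003", "sender": "invite@example.net",
     "PidLidReminderFileParameter": r"\\203.0.113.10\share\reminder.wav"},
    {"id": "msg-004", "sender": "svc@example.org",
     "PidLidReminderFileParameter": r"\\fileserver.corp.example\sounds\ding.wav"},
]

# Constructed firewall log lines (format assumed).
SAMPLE_FW_LOG = """\
2023-03-14T10:02:11Z allow src=10.1.5.23 dst=10.1.2.7 dport=445 proto=tcp
2023-03-14T10:03:40Z allow src=10.1.5.23 dst=203.0.113.10 dport=445 proto=tcp
2023-03-14T10:04:02Z allow src=10.1.5.23 dst=198.51.100.4 dport=443 proto=tcp
2023-03-14T10:05:19Z deny  src=10.1.7.8  dst=192.0.2.55 dport=445 proto=tcp
"""

UNC_RE = re.compile(r"^\\\\([^\\]+)\\")          # \\host\share...
FW_RE = re.compile(r"\b(allow|deny)\s+src=(\S+)\s+dst=(\S+)\s+dport=(\d+)")


def is_external(host):
    """True for a non-RFC1918 IP literal, or a hostname outside the internal suffixes."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return not host.lower().endswith(INTERNAL_SUFFIXES)
    return not any(addr in net for net in RFC1918)


def flag_reminder_unc(messages):
    """Return one finding per message whose reminder path is a UNC path.
    Any UNC value is suspicious, since Outlook would authenticate to that host
    when the reminder fires; an external host is the classic leak case."""
    findings = []
    for msg in messages:
        value = msg.get("PidLidReminderFileParameter") or ""
        match = UNC_RE.match(value)
        if not match:
            continue
        host = match.group(1)
        findings.append({"id": msg["id"], "sender": msg["sender"],
                         "host": host, "external": is_external(host)})
    return findings


def find_smb_egress(log_text):
    """Return (src, dst) pairs for permitted outbound SMB (TCP/445) to hosts
    outside RFC 1918 space: the network-side trace of the credential leak."""
    hits = []
    for line in log_text.splitlines():
        m = FW_RE.search(line)
        if not m:
            continue
        action, src, dst, dport = m.groups()
        if action == "allow" and dport == "445" and is_external(dst):
            hits.append((src, dst))
    return hits


if __name__ == "__main__":
    for finding in flag_reminder_unc(SAMPLE_MESSAGES):
        print("reminder UNC path:", finding)
    for src, dst in find_smb_egress(SAMPLE_FW_LOG):
        print(f"permitted outbound SMB from {src} to {dst}")
```

On the sample data the message check flags msg-003 (external host) and msg-004 (internal host, still worth review), and the log check returns the single allowed SMB connection to a public address. Blocking outbound TCP/445 at the perimeter, which Microsoft's own mitigation guidance for this CVE recommends, turns the second check from a detection into a prevention.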
Microsoft has identified a Russian-based nation-state threat actor tracked as Forest Blizzard (STRONTIUM, APT28, FANCYBEAR) actively exploiting CVE-2023-23397 to provide secret, unauthorized access to email accounts within Exchange servers: https://t.co/BzbQpELgWQ
— Microsoft Threat Intelligence (@MsftSecIntel) December 4, 2023
Microsoft released patches for these vulnerabilities with its March 2023 Patch Tuesday updates. However, additional vulnerabilities have been exploited in concert with the Outlook bug, including CVE-2023-38831 in WinRAR and CVE-2021-40444 in Windows MSHTML.
Continuous Threat and Defense Strategies
Despite the availability of security updates and mitigation guidelines, numerous systems remain susceptible to CVE-2023-23397. The Polish Cyber Command Center (DKWOC) has actively assisted in identifying and halting the exploitation attempts, and has published a detailed account of the APT28 activities linked to the Outlook vulnerability.
In response to the ongoing threats, Microsoft warns that the APT28 group continues to exploit CVE-2023-38831, a sign that unpatched vulnerabilities remain a concern. Organizations are advised to prioritize reducing their attack surface and to apply security updates to all software products regularly. Proactive defense against advanced persistent threats like APT28 requires persistent vigilance and prompt application of security patches as they become available.
Microsoft has previously gone to war with Fancy Bear, winning court approval in 2017 to shut down domains owned by the attack group. However, the move did not stop the group from continuing to pose global cyber threats.