Microsoft has fixed a zero-day vulnerability (CVE-2023-23397) in Outlook that was exploited by a hacking group with ties to Russia's military intelligence service, GRU.

The hacking group, known under various names such as APT28, STRONTIUM, Sednit, Sofacy, and Fancy Bear, used the security flaw to target European organizations in sectors including government, military, energy, and transportation between April and December 2022.

The hackers sent malicious Outlook notes and tasks to steal NTLM hashes via NTLM negotiation requests, forcing targeted devices to authenticate to attacker-controlled SMB shares.

The stolen credentials were then used for lateral movement within the victims' networks and for changing Outlook mailbox folder permissions, enabling email exfiltration for specific accounts.

Microsoft shared this information in a private threat analytics report available to customers with Microsoft 365 Defender, Microsoft Defender for Business, or Microsoft Defender for Endpoint Plan 2 subscriptions.

The vulnerability (CVE-2023-23397) was reported by CERT-UA, Ukraine's Computer Emergency Response Team. It is a critical Outlook elevation of privilege security flaw that can be exploited without user interaction in low-complexity attacks.

Threat actors can exploit the vulnerability by sending messages with extended MAPI properties containing UNC paths to an SMB share (TCP 445) under their control.

CVE-2023-23397 affects all supported versions of Microsoft Outlook for Windows but does not impact Outlook for Android, iOS, or macOS versions. Microsoft explains that the connection to the remote SMB server sends the user's NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication.

Online services like Outlook on the web and Microsoft 365, which do not support NTLM authentication, are also not vulnerable to attacks exploiting this NTLM relay vulnerability.

Microsoft strongly recommends users immediately patch CVE-2023-23397 to mitigate the vulnerability and prevent incoming attacks. If patching is not immediately possible, the company advises adding users to the Protected Users group in Active Directory and blocking outbound SMB (TCP port 445) to limit the impact of CVE-2023-23397.
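The two interim mitigations named above, as an added PowerShell example that is not part of the article or of Microsoft's guidance. It assumes the RSAT ActiveDirectory module on a domain-joined admin host, local administrator rights for the firewall rule, and the placeholder user names and rule name shown.

```powershell
# Added example (not from the article or from Microsoft): applies the two
# interim mitigations while patching CVE-2023-23397 is pending. Assumes the
# RSAT ActiveDirectory module and local admin rights; $Users and $RuleName
# are assumed placeholders.
#Requires -Modules ActiveDirectory
param(
    [string[]]$Users = @('alice', 'bob'),   # constructed sample sAMAccountNames
    [string]$RuleName = 'Block outbound SMB (CVE-2023-23397 interim mitigation)'
)

# 1. Protected Users: members cannot authenticate with NTLM, so a coerced
#    connection to an attacker-controlled SMB share yields nothing to relay.
$group = Get-ADGroup -Identity 'Protected Users'
foreach ($u in $Users) {
    $acct = Get-ADUser -Identity $u -Properties memberOf
    if ($acct.memberOf -contains $group.DistinguishedName) {
        Write-Output "$u is already a member of Protected Users"
        continue
    }
    Add-ADGroupMember -Identity $group -Members $acct
    Write-Output "Added $u to Protected Users"
}

# 2. Block outbound TCP 445 on the host so Outlook cannot reach an external
#    SMB share at all. Idempotent: the rule is created only if absent.
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Outbound -Protocol TCP -RemotePort 445 `
        -Action Block -Profile Any | Out-Null
    Write-Output "Created firewall rule '$RuleName'"
} else {
    Write-Output "Firewall rule '$RuleName' already present"
}

# 3. Verify the rule is enabled and blocking.
Get-NetFirewallRule -DisplayName $RuleName |
    Select-Object DisplayName, Enabled, Direction, Action
```

Scope the rule with -RemoteAddress to exclude internal file-server ranges that must stay reachable, since a block rule takes precedence over allow rules in Windows Firewall; likewise keep service accounts that still depend on NTLM out of Protected Users.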