Microsoft has fixed a zero-day vulnerability in Outlook tracked as CVE-2023-23397. The flaw was exploited against 15 government, military, energy and transport organizations between mid-April and December 2022. The hacker group known as APT28 (also tracked as Strontium, Sednit, Sofacy or Fancy Bear) sent malicious Outlook notes and tasks that forced target devices to authenticate to attacker-controlled SMB shares, leaking the users' NTLM hashes during the NTLM negotiation.
The stolen credentials were used for lateral movement inside the victim networks and to change access permissions on Outlook mailbox folders, a tactic that enabled the exfiltration of emails from the accounts of specific employees at organizations in critical industries.
Microsoft explained that "the attacker could exploit this vulnerability by sending a specially crafted email that triggers automatically when it is retrieved and processed by the Outlook client. The connection to the remote SMB server sends the user's NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication."
CVE-2023-23397 affects all supported versions of Microsoft Outlook for Windows. It does not affect Outlook for Android, iOS or macOS, nor online services such as Outlook on the web and Microsoft 365, because those clients do not support NTLM authentication and are therefore not vulnerable to these attacks.
Microsoft has urged customers to apply the released patch immediately or, as a temporary mitigation, to add users to the Active Directory "Protected Users" group and to block outbound SMB (TCP port 445) in order to limit the impact of attacks.
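The two interim mitigations above, applied from an elevated PowerShell session on a domain-joined administration host. This is an added example, not code from the original article or from Microsoft; the account names and the firewall rule name are assumptions for illustration, and the script assumes the ActiveDirectory RSAT module is installed.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or Microsoft). Assumes the ActiveDirectory
# RSAT module; the user list and rule name below are illustrative assumptions.
Import-Module ActiveDirectory

# 1. Put high-value accounts into "Protected Users". Members of this group cannot
#    authenticate with NTLM at all, so a hash leaked by a malicious Outlook item
#    cannot be relayed. Caveat: this also breaks any legitimate NTLM-only access
#    for those users, so test with a pilot group first.
$highValueUsers = @('jdoe', 'asmith')   # assumed sample accounts
$current = Get-ADGroupMember -Identity 'Protected Users' |
    Select-Object -ExpandProperty SamAccountName
foreach ($user in $highValueUsers) {
    if ($current -notcontains $user) {
        Add-ADGroupMember -Identity 'Protected Users' -Members $user
        Write-Host "Added $user to Protected Users"
    }
}

# 2. Block outbound SMB (TCP 445) with Windows Defender Firewall. Without an SMB
#    connection to the attacker's host, the NTLM negotiation message is never sent.
#    A host-level block to "Any" also cuts access to internal file servers; scope
#    -RemoteAddress to the ranges you actually want blocked if that matters.
$ruleName = 'Block outbound SMB TCP 445 (CVE-2023-23397 mitigation)'   # assumed name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Protocol TCP -RemotePort 445 `
        -RemoteAddress Any -Action Block -Profile Any -Enabled True | Out-Null
    Write-Host "Created firewall rule '$ruleName'"
}

# 3. Verify both controls are in place.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, RemotePort
Get-ADGroupMember -Identity 'Protected Users' |
    Select-Object SamAccountName
```

Microsoft's own guidance is to block TCP 445 at the network perimeter (firewall and VPN settings) rather than only on each endpoint; the host-level rule here is the quickest way to cover laptops that leave the network.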
To help administrators check whether any users in their Exchange environment were targeted through this Outlook vulnerability, Microsoft has released a dedicated PowerShell script. If necessary, administrators can use the script to clean the malicious property from affected items, or to permanently delete those items from the Exchange server when it is run in cleanup mode.