Hacker crime groups actively targeting 9-month-old Outlook/Exchange flaw
Take action: If you still haven't patched your Outlook since April 2023 and you haven't been hacked, consider yourself extremely lucky. And your luck is about to run out, so PATCH OUTLOOK NOW.
The Fancy Bear threat group, tracked by Microsoft as Forest Blizzard, is exploiting a nine-month-old flaw in Microsoft Outlook, CVE-2023-23397, to compromise Microsoft Exchange mailboxes. Fancy Bear, or Forest Blizzard, is an Advanced Persistent Threat (APT) group linked to the Russian GRU military intelligence agency. It is known for targeting government, energy, transportation, and other industries across various countries.
This vulnerability, an elevation-of-privilege issue, was first reported by Microsoft in March and had already been exploited as a zero-day before the patch. The flaw allows attackers to gain control of Exchange mailboxes.
Details of the Vulnerability
CVE-2023-23397 is a critical vulnerability in Microsoft Outlook on Windows, triggered by a specially crafted message. The message carries the PidLidReminderFileParameter extended Messaging Application Programming Interface (MAPI) property set to a UNC path pointing at a share on an attacker-controlled server, which causes Outlook to leak the user's Net-NTLMv2 hash to that server.
Attackers' Tactics
Upon accessing a target mailbox, attackers alter its permissions and settings. The Polish Cyber Command observed that these modifications often involve changing the permissions of the "Default" group from "None" to "Owner," allowing any authenticated user within the organization to read the contents of the affected folders. This tactic was used particularly against targets holding high-value information, since it enables unauthorized access to those folders from any compromised email account in the Exchange organization via the Exchange Web Services (EWS) protocol.
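As an added defender-side example (not from the article, the Polish Cyber Command, or Microsoft), the following Exchange Management Shell audit lists mailbox folders where the "Default" principal has been granted Owner or another read-capable role, which is the permission change described above. It assumes an Exchange on-premises or Exchange Online PowerShell session with rights to read folder permissions; the function name and the CSV path are hypothetical.

```powershell
# Added example: audit for the "Default -> Owner" folder-permission change.
# Assumes an Exchange Management Shell or Exchange Online PowerShell session.

# Owner is the change the article describes; the other roles also expose content.
$Suspicious = @('Owner', 'PublishingEditor', 'Editor', 'PublishingAuthor',
                'Author', 'NonEditingAuthor', 'Reviewer')

function Get-OverExposedFolders {
    param([string[]]$MailboxFilter = @())   # optional list of SMTP addresses to limit the scan

    $mailboxes = Get-Mailbox -ResultSize Unlimited
    if ($MailboxFilter.Count -gt 0) {
        $mailboxes = $mailboxes | Where-Object { $MailboxFilter -contains $_.PrimarySmtpAddress }
    }

    foreach ($mbx in $mailboxes) {
        # Skip system subtrees that are never shared with users.
        $folders = Get-MailboxFolderStatistics -Identity $mbx.Identity |
            Where-Object { $_.FolderPath -notlike '/Recoverable Items*' -and
                           $_.FolderPath -notlike '/Sync Issues*' }

        foreach ($f in $folders) {
            # Statistics report "/Inbox"; permission cmdlets expect "user:\Inbox".
            $path = if ($f.FolderPath -eq '/') { '\' } else { $f.FolderPath -replace '/', '\' }
            $identity = "$($mbx.PrimarySmtpAddress):$path"

            try {
                $perm = Get-MailboxFolderPermission -Identity $identity -User Default -ErrorAction Stop
            } catch { continue }   # folder types without a Default entry are skipped

            $rights = @($perm.AccessRights)
            if ($rights | Where-Object { $Suspicious -contains $_ }) {
                [pscustomobject]@{
                    Mailbox      = $mbx.PrimarySmtpAddress
                    Folder       = $path
                    DefaultRight = ($rights -join ',')
                }
            }
        }
    }
}

# Print findings and keep a copy for the incident record (hypothetical path).
Get-OverExposedFolders | Tee-Object -Variable findings | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path .\default-owner-folders.csv
```

Calendar folders legitimately carry AvailabilityOnly or LimitedDetails for Default, which this audit does not flag; any hit on a mail folder should be compared against the mailbox's audit log before permissions are reset to None.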