Microsoft Links Russian Threat Actor to Outlook Zero-Day Attacks and Provides Detection Script


One day after raising the alert regarding the live exploitation of the Outlook security flaw, Microsoft announced that it had tracked the exploit to a Russian APT that was specifically targeting a small number of businesses in the European defence, energy, transportation, and government sectors.

Redmond did not name the actor or publish Indicators of Compromise (IoCs) that defenders could use to hunt for signs of compromise. Given the seriousness of the problem, the Microsoft Security Response Center (MSRC) released mitigation guidance and a CVE-2023-23397 script to aid in the audit and cleanup.

Microsoft stated that updating Microsoft Outlook for Windows is "strongly advised" in order to stay safe. According to the MSRC's updated documentation, "Microsoft is providing documentation and a script at https://aka.ms/CVE-2023-23397ScriptDoc to help you determine if threat actors trying to exploit this vulnerability have targeted your company."

Organizations should examine the script's output to evaluate their risk. If tasks, emails, or calendar entries are found that refer to an unrecognised share, they should be scrutinised to determine whether they are malicious. Any such items should be removed, or the parameter should be cleared. If no items are found, it is unlikely that the organisation was targeted by CVE-2023-23397.

According to the updated documentation, CVE-2023-23397 is a critical privilege escalation vulnerability in Microsoft Outlook, triggered when an attacker sends a message containing an extended MAPI property with a UNC path to an SMB (TCP 445) share on a server the threat actor controls.
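The audit step described above comes down to finding items whose property value points at a share outside the organisation. The following is an added triage example, not Microsoft's script or its output: it extracts the host from each UNC path (or `file://` URL) in a set of constructed item records and flags those that are neither a known internal hostname nor an address in an internal network. The record field `unc_property` and the trusted names and ranges are assumptions standing in for whatever your own export and environment use.

```python
"""Flag mailbox items whose extended property refers to an unrecognised share.

Constructed triage example; the record shape and the trusted host lists are
assumptions, not the format of Microsoft's CVE-2023-23397 script."""
import ipaddress
import re
from urllib.parse import urlparse

# Matches the UNC form \\host\share\... and captures the host.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")


def unc_host(value):
    """Return the lower-cased host of a UNC path or file:// URL, else None."""
    if not value:
        return None
    v = value.strip()
    m = UNC_RE.match(v)
    if m:
        return m.group(1).lower()
    if v.lower().startswith("file://"):
        host = urlparse(v).hostname
        return host.lower() if host else None
    return None


def is_recognised(host, trusted_suffixes, trusted_networks):
    """A share host is recognised if it is an internal name or internal address."""
    try:
        ip = ipaddress.ip_address(host)
        return any(ip in net for net in trusted_networks)
    except ValueError:
        return any(host == s or host.endswith("." + s) for s in trusted_suffixes)


def triage(items, trusted_suffixes, trusted_networks):
    """Return the items whose UNC property points at an unrecognised share."""
    flagged = []
    for item in items:
        host = unc_host(item.get("unc_property"))
        if host and not is_recognised(host, trusted_suffixes, trusted_networks):
            flagged.append({**item, "share_host": host})
    return flagged


# Constructed sample records (placeholder hosts, not real indicators).
SAMPLE_ITEMS = [
    {"type": "Email", "subject": "Q1 invoice", "unc_property": r"\\fileserver.corp.example\sounds\chime.wav"},
    {"type": "Task", "subject": "Review", "unc_property": r"\\203.0.113.7\s\x.wav"},
    {"type": "Calendar", "subject": "Standup", "unc_property": None},
    {"type": "Email", "subject": "Policy update", "unc_property": "file://unknown-share.example.net/a/b.wav"},
]
TRUSTED_SUFFIXES = ["corp.example"]                       # assumed internal DNS suffix
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range

if __name__ == "__main__":
    for f in triage(SAMPLE_ITEMS, TRUSTED_SUFFIXES, TRUSTED_NETWORKS):
        print(f"{f['type']}: {f['subject']!r} -> unrecognised share host {f['share_host']}")
```

Each flagged item should then be reviewed by hand, as the page advises, before it is removed or its property cleared.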

Microsoft warned that "no user interaction is required" and that exploitation can occur before the email is viewed in the Preview Pane. Enterprise security teams are therefore encouraged to make deployment of this update a top priority.

When the client connects to the remote SMB server, the user's NTLM negotiation message is sent, and the attacker can use this information to authenticate against other systems that accept NTLM authentication. Online services such as Microsoft 365 do not support NTLM authentication and are therefore not vulnerable to such messages, according to Redmond.

A busy Patch Tuesday saw the release of patches for 80 flaws in a variety of Windows operating systems and software products, with the Microsoft Outlook zero-day making headlines. Microsoft also cautioned that attackers are actively bypassing its SmartScreen security feature and flagged a second vulnerability, CVE-2023-24880, for immediate attention.

Both Microsoft Edge and the Windows operating system include SmartScreen technology to help protect users from phishing and social-engineering malware downloads. The company has struggled to stop attackers from bypassing these protections. The infamous Magniber ransomware operation has used a SmartScreen bypass, prompting Microsoft to make several attempts to fix the problem.
