A serious elevation of privilege vulnerability in Microsoft Outlook, which was disclosed and patched earlier this week in Microsoft’s latest Patch Tuesday update, has likely been exploited by Russian state-backed threat actors against Ukrainian targets for at least 12 months.
John Hultquist, head of Google Mandiant Intelligence Analysis, said that following its public disclosure, he anticipated broad and rapid adoption of CVE-2023-23397 by multiple nation state and financially motivated actors, probably including ransomware gangs. In the coming days and weeks, he warned, these groups will be engaged in a race to exploit the vulnerability before it’s patched to gain a foothold in target systems. Computer Weekly understands that proof of concept exploits are already circulating.
“This is more evidence that aggressive, disruptive and destructive cyber attacks may not remain constrained to Ukraine and a reminder that we cannot see everything,” he said. “While preparation for attacks does not necessarily indicate they are imminent, the geopolitical situation should give us pause.
“This is also a reminder that we cannot see everything going on with this conflict. These are spies and they have a long track record of successfully evading our notice,” said Hultquist. “This will be a propagation event. This is an excellent tool for nation-state actors and criminals alike who will be on a bonanza in the short term. The race has already begun.”
Exploitation of CVE-2023-23397 begins with a specially crafted email sent to the victim, but because the flaw is triggered server-side, it can be exploited before the email is ever opened or viewed.
The email is crafted with an extended Messaging Application Programming Interface (MAPI) property containing a Universal Naming Convention (UNC) path to a Server Message Block (SMB) share on a server the attacker controls.
When the email is received, a connection is opened to the attacker’s SMB share and the victim’s Windows NT LAN Manager (NTLM) authentication protocol sends a negotiation message. The attacker can observe this exchange to capture the victim’s Net-NTLMv2 hash and relay it to other systems in the victim’s environment, authenticating to them as the compromised user without ever holding that user’s credentials.
In this way, the attacker not only gains a foothold in the target environment, but is also able to begin lateral movement. Mandiant considers it a high-risk vulnerability because it can be used to elevate privileges without any user interaction.
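As an added defensive illustration that is not part of the original article: a Python sketch that flags messages whose extended MAPI property carries a UNC path pointing at a host outside the organisation, which is the condition described above. The property name PidLidReminderFileParameter is the one the vulnerability abuses (a known fact not mentioned in the article); the sample messages, the internal DNS suffix and the single-label-hostname rule are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample: extended MAPI properties of five messages, keyed by a
# message id. A real tool would read these from the mailbox via MAPI; here
# they are literals so the check runs offline.
SAMPLE_MESSAGES = {
    "msg-001": {"PidLidReminderFileParameter": r"\\update-files.example.net\sounds\ding.wav"},
    "msg-002": {"PidLidReminderFileParameter": r"\\10.20.30.40\alerts\ding.wav"},
    "msg-003": {"PidLidReminderFileParameter": r"\\fileserver.corp.example\alerts\ding.wav"},
    "msg-004": {"PidLidReminderFileParameter": "C:\\Windows\\Media\\notify.wav"},
    "msg-005": {},
}

# Assumed internal DNS suffixes for this (hypothetical) organisation.
INTERNAL_SUFFIXES = (".corp.example",)

# A UNC path starts with two backslashes, then the host, then a backslash.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")


def unc_host(value):
    """Return the host part of a UNC path, or None if value is not UNC."""
    m = UNC_RE.match(value)
    return m.group(1) if m else None


def is_internal_host(host):
    """Private IP literals, assumed internal suffixes and single-label
    (NetBIOS-style) names count as internal; everything else is external."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return host.lower().endswith(INTERNAL_SUFFIXES) or "." not in host


def find_suspicious(messages, property_name="PidLidReminderFileParameter"):
    """Return (message id, host) pairs whose reminder property points to an
    SMB share on an external host, i.e. a candidate NTLM-leak trigger."""
    hits = []
    for msg_id, props in messages.items():
        value = props.get(property_name)
        if not value:
            continue
        host = unc_host(value)
        if host is not None and not is_internal_host(host):
            hits.append((msg_id, host))
    return hits


if __name__ == "__main__":
    for msg_id, host in find_suspicious(SAMPLE_MESSAGES):
        print(f"{msg_id}: reminder property points to external host {host}")
```

A hit is a reason to quarantine the message and look for outbound SMB traffic from the recipient's workstation, not proof of compromise on its own.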
It was discovered by the national Computer Emergency Response Team (CERT) of Ukraine, CERT-UA, alongside Microsoft researchers, and according to Mandiant, it has been widely exploited by Russia in the past year to target organisations and critical infrastructure in Ukraine, in the service of intelligence collection and disruptive and destructive attacks on the country.
Mandiant has also seen it being used in attacks on targets in the defence, government, oil and gas, logistics, and transportation sectors in Poland, Romania and Turkey.
Mandiant’s research team has created a new designation – UNC4697 – to track exploitation of the zero-day, which is being widely attributed to APT28, an advanced persistent threat group backed by Russia’s GRU intelligence agency, also known as Fancy Bear or Strontium. This is a high-profile threat actor previously implicated in Russian attacks on the International Olympic Committee and the US presidential elections of 2016 and 2020. It frequently works with GRU actor Sandworm.