Microsoft Shares Tips on Detecting Outlook Zero-day Exploitation
Microsoft today published a detailed guide aiming to help customers discover signs of compromise via exploitation of a recently patched Outlook zero-day vulnerability.
Tracked as CVE-2023-23397, this privilege escalation security flaw in the Outlook client for Windows enables attackers to steal NTLM hashes without user interaction in NTLM-relay zero-click attacks.
The threat actors can exploit it by sending messages with extended MAPI properties containing UNC paths to attacker-controlled SMB shares.
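The pattern described above, a message property holding a UNC path that points at a host outside the organisation, can be triaged directly once the property values have been exported from mailboxes. The following Python is an added example, not Microsoft's script and not code from the article: it takes rows of (message identifier, reminder file property value) and flags every UNC value, marking it external when the host is neither an internal address nor under the internal DNS suffix. The sample rows, the suffix and the address ranges are constructed assumptions; the exact property name and the mailbox export step are outside this page, so the function works on the value alone.

```python
"""Triage reminder-property values for UNC paths pointing at non-internal hosts.

Added example, not Microsoft's CVE-2023-23397 script. Each row is
(message identifier, value of the message's reminder file property); the
rows, the internal DNS suffix and the internal address ranges are all
constructed assumptions. A value that is not a UNC path (a local file or an
empty string) does not force a network lookup and is skipped.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed: what this organisation treats as "internal" (assumption).
INTERNAL_SUFFIXES = (".corp.example",)
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# \\host\share\file...  -> captures "host"; a bare \\host is matched as well.
UNC_RE = re.compile(r"^\\\\([^\\/]+)(?:[\\/]|$)")


def unc_host(value: str) -> Optional[str]:
    """Return the host part of a UNC path, or None if the value is not UNC."""
    match = UNC_RE.match(value.strip())
    return match.group(1).lower() if match else None


def is_internal(host: str) -> bool:
    """IP literals are checked against internal ranges, names against the suffix."""
    try:
        return any(ipaddress.ip_address(host) in net for net in INTERNAL_NETS)
    except ValueError:
        return host.endswith(INTERNAL_SUFFIXES)


def triage(rows: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Flag every UNC reminder value; mark it external when the host is not internal."""
    findings = []
    for msg_id, value in rows:
        host = unc_host(value)
        if host is None:
            continue  # local path or empty value: no outbound authentication is forced
        findings.append({"message": msg_id, "host": host, "external": not is_internal(host)})
    return findings


# Constructed sample rows; 203.0.113.0/24 is a documentation range, not a real host.
SAMPLE_ROWS = [
    ("msg-001", r"C:\Windows\Media\Alarm01.wav"),
    ("msg-002", r"\\fileserver.corp.example\sounds\ding.wav"),
    ("msg-003", r"\\203.0.113.45\share\x.wav"),
    ("msg-004", ""),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_ROWS):
        print(finding)
```

Internal UNC values are still reported (with `external` set to false) because a reminder sound on a file share is unusual enough in most environments to deserve a look, while only the external ones warrant treating the mailbox owner as targeted.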
In today's report, Microsoft shared multiple techniques to discover if credentials were compromised via CVE-2023-23397 exploits, as well as mitigation measures to defend against future attacks.
While the company also released a script to help admins check if any Exchange users have been targeted, Redmond said that defenders have to look for other signs of exploitation if the threat actors have cleaned up their traces by deleting any incriminating messages.
Alternate sources of indicators of compromise linked to this Outlook flaw include telemetry extracted from multiple sources such as firewall, proxy, VPN, and RDP Gateway logs, as well as Azure Active Directory sign-in logs for Exchange Online users, and IIS logs for Exchange Server.
Other places security teams should check for signs of compromise are forensic endpoint data like Windows event logs and endpoint telemetry from endpoint detection and response (EDR) solutions (if available).
In compromised environments, post-exploitation indicators are linked to the targeting of Exchange EWS/OWA users and malicious mailbox folder permission changes allowing the attackers to gain persistent access to the victims' emails.
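Two of the hunts described above can be expressed as simple detection logic: the firewall-log check for clients authenticating outbound over SMB to destinations that are not on an allowlist, and the mailbox-audit check for folder permission changes that open a folder to everyone. The Python below is an added example, not code from the article or from Microsoft. Both log formats are constructed for the example (a key=value firewall line and a JSON mailbox audit record), not any vendor's real schema, and the address ranges, the allowlist and the choice of the built-in Default and Anonymous principals as risky grantees are assumptions.

```python
"""Hunt for two post-exploitation signals in constructed telemetry.

Added example, not Microsoft's guidance scripts. Both log formats are
constructed for this example, not any vendor's real schema.
Signal 1: TCP 445/135 from an internal host to a destination that is
neither internal nor on the SMB allowlist (firewall log).
Signal 2: a mailbox folder permission change granting rights to the
built-in Default or Anonymous principal (mailbox audit record); treating
that as the "malicious" change is an assumption of this example.
"""
import ipaddress
import json
import re
from typing import Dict, List

SMB_PORTS = {135, 445}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption
SMB_ALLOWLIST = {"10.1.0.5"}                           # approved file servers (assumption)
PERMISSION_OPS = {"add-mailboxfolderpermission", "set-mailboxfolderpermission"}
RISKY_GRANTEES = {"default", "anonymous"}

KV_RE = re.compile(r"(\w+)=(\S+)")


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def smb_egress_findings(lines: List[str]) -> List[Dict[str, object]]:
    """Flag SMB/RPC connections from internal hosts to unapproved destinations."""
    findings = []
    for line in lines:
        fields = dict(KV_RE.findall(line))
        try:
            dport = int(fields["dport"])
            src = ipaddress.ip_address(fields["src"])
            dst = ipaddress.ip_address(fields["dst"])
        except (KeyError, ValueError):
            continue  # malformed line; not this example's concern
        if dport not in SMB_PORTS or not is_internal(src):
            continue
        if is_internal(dst) or str(dst) in SMB_ALLOWLIST:
            continue
        # A denied attempt is still evidence the client tried to authenticate outbound.
        findings.append({"src": str(src), "dst": str(dst), "dport": dport,
                         "action": fields.get("action", "?")})
    return findings


def folder_permission_findings(records: List[str]) -> List[Dict[str, object]]:
    """Flag folder permission grants to Default/Anonymous in mailbox audit records."""
    findings = []
    for raw in records:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if event.get("operation", "").lower() not in PERMISSION_OPS:
            continue
        if event.get("user", "").lower() in RISKY_GRANTEES:
            findings.append({"mailbox": event.get("mailbox"), "folder": event.get("folder"),
                             "user": event.get("user"), "rights": event.get("rights"),
                             "client_ip": event.get("client_ip")})
    return findings


def hunt(firewall_lines: List[str], audit_records: List[str]) -> Dict[str, list]:
    return {"smb_egress": smb_egress_findings(firewall_lines),
            "folder_permissions": folder_permission_findings(audit_records)}


# Constructed sample telemetry; only documentation address ranges are used.
FIREWALL_LINES = [
    "2023-03-16T10:02:11Z action=allow src=10.1.2.30 dst=10.1.0.5 dport=445 proto=tcp",
    "2023-03-16T10:02:40Z action=allow src=10.1.2.30 dst=203.0.113.45 dport=445 proto=tcp",
    "2023-03-16T10:03:02Z action=deny src=10.1.2.31 dst=198.51.100.7 dport=135 proto=tcp",
    "2023-03-16T10:03:10Z action=allow src=10.1.2.30 dst=203.0.113.45 dport=443 proto=tcp",
    "2023-03-16T10:04:00Z action=allow src=203.0.113.9 dst=10.1.0.5 dport=445 proto=tcp",
]
AUDIT_RECORDS = [
    '{"time": "2023-03-16T11:00:00Z", "operation": "Set-MailboxFolderPermission", '
    '"mailbox": "alice@corp.example", "folder": "Inbox", "user": "Default", '
    '"rights": "Owner", "client_ip": "203.0.113.45"}',
    '{"time": "2023-03-16T11:05:00Z", "operation": "Add-MailboxFolderPermission", '
    '"mailbox": "bob@corp.example", "folder": "Calendar", "user": "carol@corp.example", '
    '"rights": "Reviewer", "client_ip": "10.1.2.40"}',
    '{"time": "2023-03-16T11:06:00Z", "operation": "Set-Mailbox", '
    '"mailbox": "alice@corp.example", "client_ip": "10.1.2.40"}',
]

if __name__ == "__main__":
    print(json.dumps(hunt(FIREWALL_LINES, AUDIT_RECORDS), indent=2))
```

The egress check keeps denied connections in the findings on purpose: a client that was blocked from reaching port 445 on an external address still started an authentication attempt it had no business making, which is exactly the trace left when the incriminating message itself has already been deleted.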
CVE-2023-23397 mitigation measures
Microsoft also shared guidance on how to block future attacks targeting this vulnerability, urging organizations to install the recently released Outlook security update.
"To address this vulnerability, you must install the Outlook security update, regardless of where your mail is hosted (e.g., Exchange Online, Exchange Server, some other platform) or your organization’s support for NTLM authentication," the Microsoft Incident Response team said.
Other measures at-risk organizations can take to mitigate such attacks and post-exploitation behavior include:
- For organizations leveraging on-premises Microsoft Exchange Server, apply the latest security updates to ensure that defense-in-depth mitigations are active.
- Where suspicious or malicious reminder values are observed, make sure to use the script to remove either the messages or just the properties, and consider initiating incident response activities.
- For any targeted or compromised user, reset the passwords of every account that was logged in to any computer on which that user received suspicious reminders, and initiate incident response activities.
- Use multifactor authentication to mitigate the impact of potential Net-NTLMv2 Relay attacks. NOTE: This will not prevent a threat actor from leaking credentials and cracking them offline.
- Disable unnecessary services on Exchange.
- Limit SMB traffic by blocking connections on ports 135 and 445 from all inbound IP addresses except those on a controlled allowlist.
- Disable NTLM in your environment.
Exploited by Russian military hackers
CVE-2023-23397 has been under active exploitation since at least April 2022 and was used to breach the networks of at least 15 government, military, energy, and transportation organizations in Europe.
While Microsoft publicly linked these attacks to "a Russia-based threat actor," Redmond also said in a private threat analytics report seen by BleepingComputer that it believes the hacking group is APT28 (also tracked as STRONTIUM, Sednit, Sofacy, and Fancy Bear).
This threat actor has been previously linked to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), Russia's military intelligence service.
The credentials they stole in these attacks were used for lateral movement and to change Outlook mailbox folder permissions, a tactic that allowed them to exfiltrate emails from specific accounts.
"While leveraging NTLMv2 hashes to gain unauthorized access to resources is not a new technique, the exploitation of CVE-2023-23397 is novel and stealthy," the Microsoft Incident Response team added.
"Even when users reported suspicious reminders on tasks, initial security review of the messages, tasks, or calendar items involved did not result in detection of the malicious activity. Furthermore, the lack of any required user interaction contributes to the unique nature of this vulnerability."