Microsoft Releases Fix for Critical Outlook Vulnerability

Microsoft has released a security guide to help its customers quickly identify the indicators of compromise (IOCs) associated with the recently patched Outlook vulnerability. The critical flaw, tracked as CVE-2023-23397, is an elevation-of-privilege vulnerability that can be used to steal NT LAN Manager (NTLM) hashes and conduct a relay attack without any user interaction.

According to Microsoft, external attackers can send specially crafted emails that cause the victim's client to connect to an untrusted location controlled by the attackers. This leaks the victim's Net-NTLMv2 hash to an untrusted network, and the attacker can then relay it to authenticate to other services on the victim's behalf. Microsoft fixed the vulnerability in March 2023. However, threat actors allegedly linked to Russia had already exploited it in attacks on the government, transport, energy, and military sectors in Europe.

In one of the attacks described by the company's specialists, a successful Net-NTLMv2 relay attack allowed the attacker to gain unauthorized access to an Exchange server and modify mailbox folder permissions to maintain persistent access. The compromised email account was then used to extend the attacker's access within the compromised environment by sending additional malicious messages to other members of the same organization.

Microsoft advises organizations to review SMBClient events, process creation events, and other available network telemetry to identify potential exploitation of CVE-2023-23397. Although relaying NTLMv2 hashes to gain unauthorized access to resources is not a new technique, the exploitation of CVE-2023-23397 is novel and stealthy.
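As an added illustration of the telemetry review described above (example code written for this page, not Microsoft's tooling), the following script flags SMB client connections that OUTLOOK.EXE opened to hosts outside a set of assumed internal address ranges. The event record shape, the internal ranges, and the sample events are all constructed assumptions.

```python
"""Triage helper: flag outbound SMB connections from Outlook to non-internal hosts.

Constructed example. The record shape below is an assumption standing in for
exported SMBClient / network-connection telemetry; adapt the field names to
whatever your collector emits.
"""
import ipaddress
from typing import Iterable, List

SMB_PORT = 445

# Assumed internal ranges; an organization would substitute its own.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Constructed sample telemetry: one dict per connection event.
SAMPLE_EVENTS = [
    {"source": "SMBClient", "process": "OUTLOOK.EXE", "dst": "10.1.2.3", "port": 445},
    {"source": "SMBClient", "process": "OUTLOOK.EXE", "dst": "203.0.113.7", "port": 445},
    {"source": "SMBClient", "process": "explorer.exe", "dst": "203.0.113.9", "port": 445},
    {"source": "Network", "process": "OUTLOOK.EXE", "dst": "198.51.100.4", "port": 443},
]


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def suspicious_smb_from_outlook(events: Iterable[dict]) -> List[dict]:
    """Return events where Outlook itself opened SMB to a non-internal host.

    Heuristic only: an internal file share does not trigger it, while an SMB
    connection from the mail client to an external host merits a closer look.
    """
    hits = []
    for ev in events:
        if ev["process"].lower() != "outlook.exe":
            continue  # only the mail client is of interest here
        if ev["port"] != SMB_PORT:
            continue  # restrict to SMB, as in the SMBClient guidance
        if is_internal(ev["dst"]):
            continue  # internal shares are expected traffic
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in suspicious_smb_from_outlook(SAMPLE_EVENTS):
        print(f"review: {hit['process']} -> {hit['dst']}:{hit['port']} ({hit['source']})")
```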

The disclosure came after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a new open-source incident response tool that helps detect signs of malicious activity in Microsoft cloud environments. Earlier this year, Microsoft also urged customers to update their on-premises Exchange servers to the current version of the software and to take steps to harden their networks against potential threats.
