On Friday, Microsoft published guidance to help users identify indicators of compromise (IoCs) linked to a recently patched Outlook vulnerability. Tracked as CVE-2023-23397 (CVSS score: 9.8), this critical elevation-of-privilege flaw can be exploited to steal NT LAN Manager (NTLM) credential hashes and mount a relay attack without any user interaction: the leak is triggered when Outlook processes the crafted message's reminder, so the victim does not need to open or preview the email.
According to Microsoft’s advisory, external attackers can send specially crafted emails that trigger a connection from the victim to an untrusted location under the attacker’s control. This action leaks the Net-NTLMv2 hash of the victim to the untrusted network, which an attacker can then use to relay to another service and authenticate as the victim.
Microsoft addressed this vulnerability in its March 2023 Patch Tuesday updates. However, Russian threat actors had already exploited the flaw in attacks targeting the European government, transportation, energy, and military sectors. The tech giant’s incident response team discovered evidence of potential exploitation dating back to April 2022.
One described attack chain involved a successful Net-NTLMv2 Relay attack that granted the threat actor unauthorized access to an Exchange Server, allowing them to modify mailbox folder permissions for persistent access. The compromised email account was then used to expand the attacker’s access within the affected environment by sending additional malicious messages to other members of the same organization.
Microsoft noted that although leveraging NTLMv2 hashes to gain unauthorized access is a well-established technique, the exploitation of CVE-2023-23397 itself is novel and stealthy. Organizations are advised to review SMBClient event logging, Process Creation events, and other network telemetry to identify potential exploitation via this vulnerability.
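The exploit pattern described above (a crafted message whose reminder sound points at an attacker-controlled UNC path, which Outlook resolves over SMB or WebDAV and thereby leaks the user's Net-NTLMv2 hash) can be hunted for in exported mailbox data. The following triage logic is an added example written for this page; it is not Microsoft's scanning script and not code from the article. It keys on the real MAPI named properties PidLidReminderFileParameter (LID 0x851F, the sound file path) and PidLidReminderOverride (LID 0x851C, which makes Outlook honour that path). The dict layout of the exported items, the internal DNS suffix `.corp.example`, and the sample messages are all constructed assumptions for the example.

```python
"""Triage exported Outlook items for CVE-2023-23397-style reminder UNC paths.

Added example, not code from the article or from Microsoft. Assumes message
properties have already been exported (e.g. via EWS or MAPI) into dicts of
the form {"sender", "subject", "props": {lid: value}}.
"""
import ipaddress
import re
from dataclasses import dataclass

# Documented MAPI named properties (PSETID_Common) that the exploit sets.
PID_LID_REMINDER_FILE_PARAMETER = 0x851F  # PidLidReminderFileParameter
PID_LID_REMINDER_OVERRIDE = 0x851C        # PidLidReminderOverride

# Matches \\host\... , \\host@80\... (WebDAV), \\host@SSL@443\... , //host/...
# and captures only the host part; a local drive path does not match.
_UNC_RE = re.compile(r"^[\\/]{2}([^\\/@]+)(?:@[^\\/]*)?(?:[\\/].*)?$")

# Assumed internal name suffix; replace with the organisation's own domains.
TRUSTED_SUFFIXES = (".corp.example",)

# RFC 1918 and loopback ranges, listed explicitly so the check is deterministic.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class Finding:
    sender: str
    subject: str
    host: str
    reason: str


def extract_unc_host(value):
    """Return the lower-cased host of a UNC/WebDAV path, or None if not remote."""
    if not isinstance(value, str):
        return None
    m = _UNC_RE.match(value.strip())
    return m.group(1).lower() if m else None


def is_trusted_host(host, trusted_suffixes=TRUSTED_SUFFIXES):
    """Internal IP ranges and names under the trusted suffixes count as internal."""
    try:
        ip = ipaddress.ip_address(host)
        return any(ip in net for net in _INTERNAL_NETS)
    except ValueError:
        pass  # not an IP literal, fall through to the name check
    return any(host == s.lstrip(".") or host.endswith(s) for s in trusted_suffixes)


def triage(items, trusted_suffixes=TRUSTED_SUFFIXES):
    """Flag items whose reminder sound path points at an untrusted remote host."""
    findings = []
    for item in items:
        props = item.get("props", {})
        host = extract_unc_host(props.get(PID_LID_REMINDER_FILE_PARAMETER))
        if host is None:
            continue  # unset or a local file: not the exploit pattern
        if is_trusted_host(host, trusted_suffixes):
            continue  # internal media share: benign (but worth a second look)
        reason = "UNC reminder path to untrusted host"
        if props.get(PID_LID_REMINDER_OVERRIDE):
            reason += " (ReminderOverride set: custom sound honoured)"
        findings.append(Finding(item.get("sender", "?"), item.get("subject", "?"),
                                host, reason))
    return findings


# Constructed sample export (not real captured data).
SAMPLE_ITEMS = [
    {"sender": "attacker@example.net", "subject": "Invoice",
     "props": {PID_LID_REMINDER_OVERRIDE: True,
               PID_LID_REMINDER_FILE_PARAMETER: r"\\203.0.113.5\share\s.wav"}},
    {"sender": "attacker@example.net", "subject": "Meeting",
     "props": {PID_LID_REMINDER_OVERRIDE: True,
               PID_LID_REMINDER_FILE_PARAMETER: r"\\evil.example@80\DavWWWRoot\s.wav"}},
    {"sender": "it@corp.example", "subject": "Reminder",
     "props": {PID_LID_REMINDER_OVERRIDE: True,
               PID_LID_REMINDER_FILE_PARAMETER: r"\\files.corp.example\media\chime.wav"}},
    {"sender": "hr@corp.example", "subject": "Benefits",
     "props": {PID_LID_REMINDER_FILE_PARAMETER: r"C:\Windows\Media\notify.wav"}},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ITEMS):
        print(f"{f.sender} | {f.subject} | {f.host} | {f.reason}")
```

Two of the four constructed items are flagged: the public IP and the WebDAV-style `host@80` path. The `@port` and `@SSL` forms matter because blocking outbound TCP 445 alone does not stop a WebDAV fallback over HTTP, which is why Microsoft's mitigations pair egress filtering with adding high-value accounts to the Protected Users group so they cannot authenticate with NTLM at all. Hosts that are flagged should then be cross-checked against the SMBClient connectivity logs and Process Creation events the advisory points to.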
The US Cybersecurity and Infrastructure Security Agency (CISA) recently released an open-source incident response tool called Untitled Goose Tool to help detect malicious activity in Microsoft cloud environments. This Python-based utility offers novel authentication and data-gathering methods for analyzing Microsoft Azure, Azure Active Directory, and Microsoft 365 environments.
Earlier this year, Microsoft also encouraged customers to keep their on-premises Exchange servers updated and take steps to strengthen their networks to mitigate potential threats.