As CVE-2023-23397 exploits proliferate, worry mounts
Security experts are warning that a critical Microsoft Outlook vulnerability is trivial to exploit and “will likely be leveraged imminently by actors for espionage purposes or financial gain” – after Microsoft, crediting Ukraine's CERT-UA, disclosed CVE-2023-23397, a critical vulnerability that requires no user interaction to exploit.
As The Stack reported, the critical Outlook vulnerability affects both 32- and 64-bit versions of Microsoft 365 Apps for Enterprise, Office 2013, 2016, and 2019. It is triggered by sending a malicious email (which doesn’t even need to be opened) that lets attackers capture the recipient's Net-NTLMv2 hash (the client's response in the NTLM challenge-response protocol used for authentication in Windows environments) and relay it to authenticate as the victim, or crack it offline.
Exploits trigger NTLM authentication to an attacker-controlled host, typically specified by IP address (i.e. outside the trusted intranet zone), as soon as Outlook processes the message's reminder, irrespective of whether the user has selected the option to load remote images or not. Sharing a CVE-2023-23397 POC, Dominic Chell, of MDSec, said he had been using similar NTLM exploits in Red Teaming for some years, adding “You can relay from the outside to anything on the perimeter that supports NTLM also.”
Security researcher @KevTheHermit meanwhile found a sample of an email attack in the wild.
Huntress Labs describes the high-level overview of weaponizing CVE-2023-23397 as:
- "A malicious calendar invite or appointment is crafted by a threat actor
- Additional MAPI properties are configured in the custom .MSG file to trigger exploitation
- The calendar invite is emailed to the victim
- Execution is triggered by the “reminder notification” sound for the proposed meeting or event
- SMB connections and NTLM authentication are performed against the specified remote host."
The earliest evidence of exploitation, attributed to Russian military intelligence, dates back to April 2022 against government, logistics, oil/gas, defense, and transportation industries located in Poland, Ukraine, Romania, and Turkey. Mandiant said the organisations were likely “targeted for strategic intelligence collection purposes or as part of preparation for disruptive and destructive cyberattack in and outside of Ukraine.”
Mandiant VP John Hultquist said: “This is a proliferation event. PoCs are out there and this vuln will be popular,” adding that “We [the security industry] don't see everything. It looks like GRU has gone unnoticed probing critical infrastructure (pipeline/logistics) outside of Ukraine for a year...”
As one security researcher noted: “Lucky for us [Blue Team], it's super easy to spot. 1. svchost spawns rundll32 w/attacker UNC path 2. svchost makes distinct HTTP requests” – and Microsoft has now shipped a detection script (if not yet IOCs), CVE-2023-23397.ps1, which per Redmond, “checks Exchange messaging items (mail, calendar and tasks) to see whether a property is populated with a UNC path. If required, admins can use this script to clean up the property for items that are malicious or even delete the items permanently.”
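The property Microsoft's script looks for is PidLidReminderFileParameter, the MAPI named property that holds the path of a custom reminder sound; Outlook fetches that file when the reminder fires, which is what turns a UNC path into an outbound SMB or WebDAV connection carrying the user's NTLM response. The following is an added example, not code from The Stack, Microsoft or Huntress: Python detection logic in the spirit of Microsoft's script that scans messaging items for a reminder-file parameter pointing at a UNC path and reports the target host and transport. The property set GUID and LIDs are the documented MAPI ones; the dict representation of items, the `scan_item`/`scan_items` helpers, the host classification heuristic and the sample items are assumptions made for the example (a real deployment would read the property from mailboxes rather than from an inline list).

```python
import ipaddress
import re

# MAPI named property abused by CVE-2023-23397: PidLidReminderFileParameter
# (property set PSETID_Common, LID 0x851F) names a custom reminder sound file.
# When the reminder fires, Outlook fetches that file; a UNC path turns the
# fetch into an SMB (or WebDAV) connection that carries the user's
# Net-NTLMv2 response to whatever host the path names.
PSETID_COMMON = "00062008-0000-0000-C000-000000000046"
LID_REMINDER_FILE_PARAMETER = 0x851F
LID_REMINDER_OVERRIDE = 0x851C  # PidLidReminderOverride: play the custom sound

# \\host\share\file, plus WebDAV forms \\host@80\..., \\host@SSL\..., \\host@SSL@443\...
UNC_RE = re.compile(r"^\\\\(?P<host>[^\\@]+)(?P<dav>@[^\\]+)?(?=\\|$)")


def parse_unc(value):
    """Return (host, is_webdav) if value is a UNC path, otherwise None."""
    if not isinstance(value, str):
        return None
    match = UNC_RE.match(value.strip())
    if match is None:
        return None
    return match.group("host"), match.group("dav") is not None


def host_kind(host):
    """Triage heuristic (an assumption, not a rule): an IP literal or dotted name
    is almost certainly outside the intranet; a single-label name looks like an
    internal share and deserves a second look rather than an automatic alert."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return "ip"
    except ValueError:
        return "dotted" if "." in host else "single-label"


def scan_item(item):
    """Inspect one messaging item (mail, appointment or task) represented as
    {'subject': str, 'props': {(property_set_guid, lid): value}}.
    Returns a finding dict when the reminder file parameter is a UNC path."""
    props = item["props"]
    value = props.get((PSETID_COMMON, LID_REMINDER_FILE_PARAMETER))
    parsed = parse_unc(value)
    if parsed is None:
        return None
    host, webdav = parsed
    return {
        "subject": item["subject"],
        "path": value,
        "host": host,
        "host_kind": host_kind(host),
        "transport": "webdav" if webdav else "smb",
        "reminder_override": bool(props.get((PSETID_COMMON, LID_REMINDER_OVERRIDE), False)),
    }


def scan_items(items):
    """Run scan_item over a mailbox export and keep only the hits."""
    return [finding for finding in map(scan_item, items) if finding is not None]


# Constructed sample items (not real captures); 203.0.113.0/24 is documentation space.
SAMPLE_ITEMS = [
    {"subject": "Team sync", "props": {}},
    {"subject": "Dentist",
     "props": {(PSETID_COMMON, LID_REMINDER_FILE_PARAMETER): r"C:\Windows\Media\chimes.wav"}},
    {"subject": "Quarterly numbers",
     "props": {(PSETID_COMMON, LID_REMINDER_OVERRIDE): True,
               (PSETID_COMMON, LID_REMINDER_FILE_PARAMETER): r"\\203.0.113.10\share\s.wav"}},
    {"subject": "Invoice",
     "props": {(PSETID_COMMON, LID_REMINDER_OVERRIDE): True,
               (PSETID_COMMON, LID_REMINDER_FILE_PARAMETER): r"\\203.0.113.10@80\dav\s.wav"}},
    {"subject": "All hands",
     "props": {(PSETID_COMMON, LID_REMINDER_FILE_PARAMETER): r"\\fileserver\sounds\ding.wav"}},
]

if __name__ == "__main__":
    for finding in scan_items(SAMPLE_ITEMS):
        print(f"{finding['subject']!r}: {finding['transport']} to {finding['host']} "
              f"({finding['host_kind']}) via {finding['path']}")
```

Run against the constructed items, the scanner ignores the local `C:\...` sound path and flags the three UNC values, distinguishing the plain SMB form from the `@80` WebDAV form and separating the external IP literal from the single-label internal share name; that last case is why the host classification is reported rather than used to suppress a hit.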
The security community is doing excellent work sharing insight on this Outlook vulnerability across formal and informal channels. If you are worried, do contact trusted security partners for further insight and support.