A severe elevation of privilege vulnerability in Microsoft Outlook, disclosed and patched earlier this week in Microsoft’s latest Patch Tuesday update, was likely exploited by Russian state-backed threat actors against Ukrainian targets for at least 12 months.
John Hultquist, chief analyst at Google’s Mandiant Intelligence, said that following its public disclosure he anticipates wide and rapid adoption of CVE-2023-23397 by several nation-states and financially motivated actors, likely including ransomware gangs. In the days and weeks to come, he warned, these groups will be engaged in a race to exploit the vulnerability before it is patched in order to gain a foothold in target systems. Computer Weekly understands that proof-of-concept exploits are already circulating.
“This is further proof that aggressive, disruptive and destructive cyberattacks may not remain confined to Ukraine and a reminder that we cannot see everything,” he said. “Although the preparation of attacks does not necessarily indicate that they are imminent, the geopolitical situation should give us pause.
“It’s also a reminder that we can’t see everything with this conflict. They are spies and they have a long history of successful escapes,” Hultquist said. “It will be a spread event. This is a great tool for nation-state actors and criminals, for whom it will be a short-term boon. The race has already started.”
Exploitation of CVE-2023-23397 starts with sending a specially crafted email to the victim, but since it is triggered on the server side, it can be exploited before the email is opened and viewed.
This email will have been crafted with an extended Messaging Application Programming Interface (MAPI) property containing a Universal Naming Convention (UNC) path to a Server Message Block (SMB) share on a server controlled by the attacker.
When this email is received, a connection opens to the attacker’s SMB share and the victim’s Windows NT LAN Manager (NTLM) authentication protocol sends a negotiate message. This in turn can be seen and used by the attacker to discover the victim’s Net-NTLMv2 hash, extract it, and relay it to other systems in the victim’s environment, authenticating with them as the compromised user without needing to be in possession of their credentials.
In this way, the attacker not only gains a foothold in the target environment, but is also able to initiate lateral movement. Mandiant considers this a high-risk vulnerability because it can be used to elevate privileges without user interaction.
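The two observable artefacts in the exploitation chain described above are the MAPI property that carries a UNC path to an outside host, and the resulting outbound SMB connection from an internal workstation to that host. The following Python is an added example written for this article, not code from Microsoft, Mandiant or CERT-UA; it shows a defender's check for both: a classifier for the value of a message's reminder-file property (the property Microsoft's published detection script inspects is PidLidReminderFileParameter; how the value is extracted from a mailbox is left to the caller) and a scan over constructed firewall log lines for SMB traffic leaving the internal address space. The internal networks, DNS suffix and log format are placeholders for this example.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Address space treated as "inside the organisation". RFC 1918 ranges and loopback
# are placeholders here; a real deployment lists its own networks.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]
INTERNAL_DNS_SUFFIXES = (".corp.example",)  # placeholder internal DNS suffix
SMB_PORTS = {445, 139}

# A UNC path: \\host\share\... (the forward-slash form //host/share is also accepted).
UNC_RE = re.compile(r"^\s*(?:\\\\|//)([^\\/]+)[\\/]")


def unc_host(value: str) -> Optional[str]:
    """Return the host named in a UNC path, or None if the value is not a UNC path."""
    m = UNC_RE.match(value)
    return m.group(1) if m else None


def is_external_host(host: str) -> bool:
    """True when an IP literal falls outside INTERNAL_NETS, or a DNS name is not one of ours."""
    host = host.lower()
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: treat anything outside our DNS suffixes as external.
        return not host.endswith(INTERNAL_DNS_SUFFIXES)
    return not any(addr in net for net in INTERNAL_NETS)


def suspicious_reminder_value(value: str) -> bool:
    """Flag a reminder-file property value that is a UNC path to a host outside the organisation.

    A local file path (the normal case for a reminder sound) or a UNC path to an
    internal file server is not flagged.
    """
    host = unc_host(value)
    return host is not None and is_external_host(host)


# Constructed key=value firewall log lines (not real traffic). Workstation 10.1.4.22
# talks SMB to an internal file server, then to an address on the internet.
SAMPLE_FIREWALL_LOG = [
    "2023-03-15T10:02:11Z src=10.1.4.22 dst=10.1.0.5 dport=445 proto=tcp action=allow",
    "2023-03-15T10:02:13Z src=10.1.4.22 dst=203.0.113.7 dport=445 proto=tcp action=allow",
    "2023-03-15T10:02:14Z src=10.1.4.22 dst=203.0.113.7 dport=443 proto=tcp action=allow",
    "2023-03-15T10:02:20Z src=10.1.4.31 dst=198.51.100.9 dport=139 proto=tcp action=deny",
]
LOG_FIELD_RE = re.compile(r"(\w+)=(\S+)")


def flag_outbound_smb(log_lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (src, dst, dport) for SMB connections from internal hosts to external ones.

    Denied connections are reported too: a blocked attempt still shows which
    workstation processed a message carrying an external UNC path.
    """
    hits = []
    for line in log_lines:
        fields = dict(LOG_FIELD_RE.findall(line))
        try:
            src = ipaddress.ip_address(fields["src"])
            dst = ipaddress.ip_address(fields["dst"])
            dport = int(fields["dport"])
        except (KeyError, ValueError):
            continue  # malformed line: skip rather than crash the scan
        src_internal = any(src in net for net in INTERNAL_NETS)
        if dport in SMB_PORTS and src_internal and is_external_host(str(dst)):
            hits.append((str(src), str(dst), dport))
    return hits


if __name__ == "__main__":
    for value in (r"C:\Windows\Media\notify.wav",
                  r"\\fs01.corp.example\sounds\ding.wav",
                  r"\\203.0.113.7\share\ding.wav"):
        print(f"{value!r}: {'SUSPICIOUS' if suspicious_reminder_value(value) else 'ok'}")
    for src, dst, port in flag_outbound_smb(SAMPLE_FIREWALL_LOG):
        print(f"outbound SMB from {src} to {dst}:{port}")
```

Only the third property value and the two external SMB connections are reported. Detection of this kind pairs with the mitigations Microsoft recommended for the CVE: blocking outbound TCP 445 at the network edge so the NTLM negotiate message never reaches an attacker's share, and adding high-value accounts to the Protected Users group so their NTLM credentials cannot be relayed.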
It was discovered by Ukraine’s national Computer Emergency Response Team, CERT-UA, alongside Microsoft researchers, and according to Mandiant it has been widely exploited by Russia over the past year to target critical organizations and infrastructure in Ukraine, in the service of intelligence gathering and disruptive and destructive attacks against the country.
Mandiant has also seen it used in attacks against targets in the defence, government, oil and gas, logistics and transport sectors in Poland, Romania and Turkey.
Mandiant’s research team has created a new designation – UNC4697 – to track the zero-day exploitation, which is widely attributed to APT28, an advanced persistent threat group backed by the Russian military intelligence agency GRU and also known as Fancy Bear or Strontium. It is a high-level threat actor previously implicated in Russian attacks on the International Olympic Committee and the 2016 and 2020 US presidential elections, and it often works alongside Sandworm, another GRU-backed actor.