
Microsoft shared guidance on Friday to help find indicators of compromise (IOCs) related to the recently patched Outlook vulnerability.
The critical flaw, tracked as CVE-2023-23397 (CVSS score: 9.8), is a privilege escalation bug that could be exploited to steal NT LAN Manager (NTLM) hashes and conduct relay attacks without any user interaction.
“An outside attacker could send a specially crafted email to connect a victim to an untrusted location under the attacker’s control,” the company said in an advisory released this month.
“This leaks the victim’s Net-NTLMv2 hash to an untrusted network, allowing the attacker to relay it to another service to authenticate as the victim.”
Although Microsoft fixed the vulnerability as part of its March 2023 Patch Tuesday updates, Russia-based threat actors had already weaponized it in attacks targeting government, transportation, energy, and military sectors in Europe.
Microsoft’s incident response team says it has found evidence that this vulnerability could be exploited as early as April 2022.
In one attack chain described by the tech giant, a successful Net-NTLMv2 relay attack allowed the attacker to gain unauthorized access to an Exchange Server and modify mailbox folder permissions to establish persistent access.

The compromised email account was used to extend the attacker’s access within the compromised environment by sending additional malicious messages targeting other members of the same organization.
“Although leveraging NTLMv2 hashes to gain unauthorized access to resources is not a new technique, exploiting CVE-2023-23397 is novel and stealthy,” Microsoft said.
“Organizations should review SMBClient event logs, process creation events, and other available network telemetry to identify potential exploits with CVE-2023-23397.”
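As an added illustration of the kind of review Microsoft recommends (this is example code written for this article, not Microsoft's detection script or anything from the original advisory), the following Python applies one narrow rule to constructed sample connection telemetry: flag SMB connections that Outlook opens to addresses outside the organization's internal ranges, since the flaw works by making the victim's client connect and authenticate to an attacker-controlled location. The CSV column names, the list of internal address ranges, the process name matched, and every sample row are assumptions made for the example.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Address ranges treated as "inside" the organization; everything else is
# treated as untrusted for this rule. Listed explicitly rather than via
# ipaddress's is_private, which also classifies the RFC 5737 documentation
# ranges used in the sample rows below as private. Assumed for the example.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# SMB over TCP (445) and SMB over the NetBIOS session service (139).
SMB_PORTS = {445, 139}

# Constructed sample telemetry for this example, not real logs. The column
# layout (timestamp, host, process, dst_ip, dst_port) is an assumed export
# format; map your EDR or firewall fields onto it.
SAMPLE_TELEMETRY = """\
timestamp,host,process,dst_ip,dst_port
2023-03-16T09:12:01Z,WS01,OUTLOOK.EXE,10.20.30.40,445
2023-03-16T09:12:05Z,WS01,OUTLOOK.EXE,203.0.113.7,445
2023-03-16T09:13:44Z,WS02,chrome.exe,198.51.100.9,443
2023-03-16T09:14:10Z,WS02,OUTLOOK.EXE,198.51.100.9,443
2023-03-16T09:15:22Z,WS03,OUTLOOK.EXE,203.0.113.7,139
2023-03-16T09:16:00Z,WS03,explorer.exe,203.0.113.7,445
"""


def is_internal(ip_str):
    """True if the address falls inside one of INTERNAL_NETS."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)


def parse_telemetry(text):
    """Parse CSV telemetry into dicts, converting dst_port to int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dst_port"] = int(row["dst_port"])
        rows.append(row)
    return rows


def find_suspicious_smb(records, processes=("outlook.exe",)):
    """Return records where a mail client opened SMB to a non-internal host.

    processes: lowercase image names to match, or None to match any process
    (the broader rule: any outbound SMB leaving the internal ranges).
    """
    hits = []
    for r in records:
        if processes is not None and r["process"].lower() not in processes:
            continue
        if r["dst_port"] not in SMB_PORTS:
            continue
        if is_internal(r["dst_ip"]):
            continue
        hits.append(r)
    return hits


def summarize_by_destination(hits):
    """Group hits by destination: dst_ip -> sorted list of source hosts.

    The destinations are the candidate attacker-controlled hosts to pivot
    on across the rest of the environment.
    """
    by_dst = defaultdict(set)
    for h in hits:
        by_dst[h["dst_ip"]].add(h["host"])
    return {ip: sorted(hosts) for ip, hosts in by_dst.items()}


if __name__ == "__main__":
    records = parse_telemetry(SAMPLE_TELEMETRY)
    hits = find_suspicious_smb(records)
    for h in hits:
        print(f'{h["timestamp"]} {h["host"]} {h["process"]} -> '
              f'{h["dst_ip"]}:{h["dst_port"]}')
    print(summarize_by_destination(hits))
```

The rule is deliberately narrow: it does not read SMBClient event log entries or the mail items that triggered the connection, and a relay target sitting on an internal address the attacker already controls would pass it. Treat the destinations it surfaces as leads to correlate with the SMBClient and process creation events Microsoft lists, not as a verdict.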
The disclosure came as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a new open source incident response tool that helps detect signs of malicious activity in Microsoft cloud environments.
Called the Untitled Goose Tool, this Python-based utility provides a “novel authentication and data collection method” for analyzing Microsoft Azure, Azure Active Directory, and Microsoft 365 environments.
Earlier this year, Microsoft urged customers to keep their on-premises Exchange servers up to date and take steps to harden their networks and mitigate potential threats.