Best of 2023: Detecting CVE-2023-23397: How to Identify Exploitation of the Latest Microsoft Outlook Vulnerability

As we close out 2023, we at Security Boulevard wanted to highlight the most popular articles of the year.
Following is the latest in our series of the Best of 2023.
Microsoft recently released patches for nearly 80 new security vulnerabilities, including two zero-day exploits, CVE-2023-23397 and CVE-2023-24880.
CVE-2023-23397 is an elevation-of-privilege vulnerability in Microsoft Outlook that could allow an attacker to obtain a victim's password hash.
The vulnerability occurs when an attacker sends a message to the victim with an extended Messaging Application Programming Interface (MAPI) property that contains a Universal Naming Convention (UNC) path.
When the victim receives the malicious message, the UNC path directs them to a Server Message Block share hosted on a server controlled by the attacker, triggering the vulnerability.
This vulnerability doesn't require any action from the user: when the victim connects to the attacker's SMB server, their New Technology LAN Manager (NTLM) negotiation message is sent automatically, and the attacker can use it to authenticate against other systems that support NTLM authentication.
Online services like Microsoft 365 are not susceptible to this attack since they don't support NTLM authentication.
Although Microsoft has published a detailed advisory for CVE-2023-23397, detecting successful exploitation of the vulnerability can be challenging.
Cyborg Security has seen numerous instances online of advisories stating that security teams should look for the Outlook.
Cyborg Security has found that the underlying operating system is actually initiating the SMB connection, not the Outlook.
To detect the vulnerability reliably, security teams should look for SYSTEM establishing SMB and LDAP connections to non-private networks.
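As an added illustration of that hunting logic (not code from Cyborg Security or the original post), the following script applies it to a few constructed Sysmon Event ID 3 (network connection) records: it flags connections made by the SYSTEM account to SMB (445) or LDAP (389) on addresses outside private ranges, while ignoring the expected internal traffic to domain controllers and file servers. The log format, the IP ranges treated as private, and the sample events are assumptions.

```python
import ipaddress

# Ports for the protocols the article singles out: SMB (445) and LDAP (389).
WATCHED_PORTS = {445: "SMB", 389: "LDAP"}
# Destinations treated as "private": RFC 1918, loopback, link-local, IPv6 ULA/link-local.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
SYSTEM_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "SYSTEM"}

def is_private_ip(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

def parse_sysmon_line(line: str) -> dict:
    """Parse a flattened Sysmon record written as 'Key=Value, Key=Value, ...' (assumed format)."""
    fields = {}
    for part in line.split(", "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def find_suspicious_connections(lines):
    """Return (time, protocol, dst_ip, port, image) for every Event ID 3 in which the
    SYSTEM account opened SMB or LDAP to a non-private address."""
    hits = []
    for line in lines:
        ev = parse_sysmon_line(line)
        if ev.get("EventID") != "3":                 # network-connection events only
            continue
        port = int(ev.get("DestinationPort", "0"))
        if ev.get("User") not in SYSTEM_ACCOUNTS or port not in WATCHED_PORTS:
            continue
        if is_private_ip(ev["DestinationIp"]):       # internal DC / file-share traffic is expected
            continue
        hits.append((ev["UtcTime"], WATCHED_PORTS[port], ev["DestinationIp"], port, ev.get("Image", "")))
    return hits

# Constructed sample events, not real telemetry. 203.0.113.10 stands in for an attacker-controlled host.
SAMPLE_EVENTS = [
    "EventID=3, UtcTime=2023-03-15 09:12:01, Image=System, User=NT AUTHORITY\\SYSTEM, SourceIp=10.0.0.23, DestinationIp=10.0.0.5, DestinationPort=445",
    "EventID=3, UtcTime=2023-03-15 09:12:04, Image=System, User=NT AUTHORITY\\SYSTEM, SourceIp=10.0.0.23, DestinationIp=203.0.113.10, DestinationPort=445",
    "EventID=3, UtcTime=2023-03-15 09:12:05, Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE, User=CORP\\alice, SourceIp=10.0.0.23, DestinationIp=203.0.113.10, DestinationPort=443",
    "EventID=3, UtcTime=2023-03-15 09:12:09, Image=System, User=NT AUTHORITY\\SYSTEM, SourceIp=10.0.0.23, DestinationIp=203.0.113.10, DestinationPort=389",
]

if __name__ == "__main__":
    for t, proto, dst, port, image in find_suspicious_connections(SAMPLE_EVENTS):
        print(f"{t}  SYSTEM -> {dst}:{port} ({proto}) via {image}")
```

Note that the Outlook process itself never appears in the flagged rows: consistent with the observation above, the connections to watch for are made by the operating system (Image=System) under the SYSTEM account.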
This vulnerability affects all currently supported versions of Microsoft Outlook for Windows, but not Outlook for Android, iOS, or macOS. If patching is not immediately possible, Microsoft recommends adding users to the Protected Users group in Active Directory and blocking outbound SMB traffic on TCP port 445.
According to Microsoft, cybercriminals linked to Russian intelligence services have actively exploited this zero-day vulnerability.
CVE-2023-23397 allows a threat actor to send a specially crafted email with a malicious payload that causes the victim's Outlook client to automatically connect to a UNC location under the actor's control, delivering the user's Net-NTLMv2 password hash to the actor.
To prevent potential attacks, Microsoft recommends that users patch their systems immediately.
The company has also released several mitigations for organizations that cannot patch their systems immediately.
It's important for users and organizations to stay vigilant and keep their systems updated to protect themselves against potential cyber attacks.
Cyborg Security has released premium detection content for our customers to hunt for this exploit and its associated behavior.
This is a Security Bloggers Network syndicated blog from Cyborg Security authored by Cyborg Security.


This Cyber News was published on securityboulevard.com. Publication date: Tue, 26 Dec 2023 13:43:05 +0000

