As we close out 2023, we at Security Boulevard wanted to highlight the most popular articles of the year.
Following is the latest in our series of the Best of 2023.
In its March 2023 Patch Tuesday release, Microsoft shipped patches for nearly 80 new security vulnerabilities, including two actively exploited zero-day vulnerabilities, CVE-2023-23397 and CVE-2023-24880.
CVE-2023-23397 is an elevation-of-privilege vulnerability in Microsoft Outlook for Windows that lets an attacker capture a victim's Net-NTLMv2 response (commonly referred to as the user's NTLM password hash), which can then be relayed to other services or cracked offline.
The attack begins with a message (or a calendar item or task carrying a reminder) that contains an extended MAPI (Messaging Application Programming Interface) property, PidLidReminderFileParameter, whose value is a UNC (Universal Naming Convention) path instead of a local sound file.
When Outlook processes the reminder for that item, it treats the UNC path as the sound file to play and connects to the SMB (Server Message Block) share it points at, which is hosted on a server the attacker controls.
No user interaction is required: Outlook's reminder handling fires on its own, and when the Windows SMB client connects to the attacker's server the NTLM (New Technology LAN Manager) authentication exchange runs automatically, handing the attacker the user's Net-NTLMv2 challenge-response. The attacker can relay that response to other systems in the environment that accept NTLM authentication, or crack it offline to recover the password.
Online services such as Microsoft 365 (for example, Outlook on the web) are not susceptible to these messages because they do not support NTLM authentication; note, however, that the Outlook for Windows desktop client is vulnerable regardless of whether the mailbox it connects to is hosted on-premises or in Microsoft 365.
Although Microsoft has published a detailed advisory for CVE-2023-23397, detecting successful exploitation of the vulnerability can be challenging.
Cyborg Security has seen numerous advisories online telling security teams to hunt for the Outlook.exe process initiating the SMB connection.
That is not what happens: the Windows SMB client runs in the kernel, so the outbound connection is made by the operating system's System process (PID 4), not by Outlook.exe, and a hunt keyed on Outlook.exe will miss the exploitation entirely.
To detect the exploit reliably, security teams should look for the System process (running as NT AUTHORITY\SYSTEM) establishing SMB (TCP 445) and LDAP (TCP 389) connections to non-private (public) IP ranges.
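As an added example (not part of the original post, and not Cyborg Security's detection content), the following Python script applies that rule to a handful of constructed Sysmon Event ID 3 (network connection) records in the newline-delimited JSON form a log shipper would emit, and contrasts it with the naive Outlook.exe-based hunt, which never matches. The field names follow Sysmon's; the IP addresses, user names, and the `hunt_system_outbound` / `hunt_outlook_smb` function names are assumptions made for the example.

```python
"""Hunt for CVE-2023-23397 exploitation in Sysmon network-connection events.

Added example, not the original post's or Cyborg Security's code. The Windows
SMB client lives in the kernel, so the connection the exploit triggers is
logged under the System process (PID 4, NT AUTHORITY\\SYSTEM), not OUTLOOK.EXE.
The sample events below are constructed to resemble Sysmon Event ID 3 records
exported as JSON; field names follow Sysmon's, the values are made up
(203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
"""
import ipaddress
import json

# Ports that matter for this hunt: SMB (445) and LDAP (389).
WATCHED_PORTS = {445: "SMB", 389: "LDAP"}

# RFC 1918 plus loopback and link-local; anything outside these counts as
# non-private. Spelled out explicitly rather than relying on
# ipaddress.is_private, whose definition has shifted between Python versions.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample events (raw string, so "\\" reaches the JSON parser as-is).
SAMPLE_EVENTS = r"""
{"EventID": 3, "Image": "System", "ProcessId": 4, "User": "NT AUTHORITY\\SYSTEM", "Protocol": "tcp", "DestinationIp": "203.0.113.45", "DestinationPort": 445}
{"EventID": 3, "Image": "System", "ProcessId": 4, "User": "NT AUTHORITY\\SYSTEM", "Protocol": "tcp", "DestinationIp": "10.0.0.5", "DestinationPort": 445}
{"EventID": 3, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "ProcessId": 5120, "User": "CORP\\alice", "Protocol": "tcp", "DestinationIp": "203.0.113.45", "DestinationPort": 443}
{"EventID": 3, "Image": "System", "ProcessId": 4, "User": "NT AUTHORITY\\SYSTEM", "Protocol": "tcp", "DestinationIp": "198.51.100.7", "DestinationPort": 389}
{"EventID": 3, "Image": "System", "ProcessId": 4, "User": "NT AUTHORITY\\SYSTEM", "Protocol": "tcp", "DestinationIp": "172.20.3.9", "DestinationPort": 389}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ProcessId": 6004, "User": "CORP\\alice"}
"""


def is_private(ip: str) -> bool:
    """True if the address falls inside one of the private/local ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def parse_events(text: str) -> list[dict]:
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt_system_outbound(events: list[dict]) -> list[dict]:
    """Return findings for the System process (PID 4) reaching SMB or LDAP on a
    non-private address, which is the behaviour the exploit actually produces."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 3:
            continue
        if ev.get("Image") != "System" or ev.get("ProcessId") != 4:
            continue
        port = ev.get("DestinationPort")
        if port not in WATCHED_PORTS:
            continue
        if is_private(ev["DestinationIp"]):
            continue  # internal file servers and domain controllers are expected
        hits.append({
            "service": WATCHED_PORTS[port],
            "dst": f"{ev['DestinationIp']}:{port}",
            "user": ev.get("User"),
        })
    return hits


def hunt_outlook_smb(events: list[dict]) -> list[dict]:
    """The naive hunt many advisories suggested: OUTLOOK.EXE making SMB
    connections. Kept here to show it does not match, because Outlook.exe is
    not the process that owns the socket."""
    return [ev for ev in events
            if ev.get("EventID") == 3
            and ev.get("Image", "").lower().endswith("outlook.exe")
            and ev.get("DestinationPort") == 445]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for h in hunt_system_outbound(evs):
        print(f"[!] System -> {h['service']} {h['dst']} as {h['user']}")
    print(f"naive Outlook.exe/445 hunt matched {len(hunt_outlook_smb(evs))} events")
```

Two caveats for running this against real data: Sysmon only logs Event ID 3 for the System process if your Sysmon configuration does not filter it out (an assumption of the example), and some environments legitimately reach SMB or LDAP on public addresses (cloud file shares, hosted directories), so baseline those destinations before alerting. The same logic ports directly to a SIEM query: Image is System, DestinationPort in (445, 389), DestinationIp outside the private ranges.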
This vulnerability affects all currently supported versions of Microsoft Outlook for Windows, but not Outlook for Android, iOS, or macOS, nor Outlook on the web. If patching is not immediately possible, Microsoft recommends adding users to the Protected Users security group in Active Directory, which prevents NTLM from being used as an authentication mechanism for those accounts (test first, since applications that depend on NTLM will break for those users), and blocking outbound SMB traffic on TCP port 445 from the network using a perimeter firewall, the local firewall, and VPN settings.
According to Microsoft, a threat actor linked to Russian intelligence services actively exploited this zero-day vulnerability before a patch was available.
In short, CVE-2023-23397 lets a threat actor send a specially crafted message that causes the victim's Outlook client to connect automatically to a UNC path under the actor's control, leaking the user's Net-NTLMv2 response.
To prevent attacks, Microsoft recommends that organizations patch their systems immediately.
The company has also released several mitigations for organizations that cannot patch right away, including a script that audits Exchange mailboxes for messages carrying the malicious property.
It's important for users and organizations to stay vigilant and keep their systems updated to protect themselves against potential cyber attacks.
Cyborg Security has released premium detection content for our customers to hunt for this exploit and its associated behavior.
This is a Security Bloggers Network syndicated blog from Cyborg Security authored by Cyborg Security.
This Cyber News was published on securityboulevard.com. Publication date: Tue, 26 Dec 2023 13:43:05 +0000