Fancy Bear hackers still exploiting Microsoft Exchange flaw

A Russian nation-state group continues to exploit a critical Microsoft vulnerability that was patched eight months ago to gain access to emails within victim organizations' Exchange servers.
In March, Microsoft disclosed a zero-day elevation of privilege vulnerability, tracked as CVE-2023-23397, that affects Outlook for Windows and received a critical CVSS score of 9.8.
Microsoft published an advisory on March 24 that said evidence of potential exploitation traced back to April 2022.
Microsoft warned that threat actors could exploit the flaw during attacks by sending a specially crafted message that required no user interaction.
CISA added CVE-2023-23397 to its Known Exploited Vulnerabilities catalog, which signals a high-priority threat.
Although Microsoft urged users to update Microsoft Outlook as soon as possible due to exploitation activity, organizations remain vulnerable eight months later.
In an update to the March blog post on Monday, Microsoft revealed that the Russian state-sponsored threat group it tracks as Forest Blizzard, more commonly known as Fancy Bear or APT 28, continues to exploit CVE-2023-23397 against unpatched instances.
The Polish Cyber Command initially detected the attacks and reported the malicious nation-state activity to Microsoft.
The threat group has a history of exploiting zero-day vulnerabilities and using advanced social engineering techniques.
The threat group compromised base-level users to eventually gain access to Exchange accounts that might contain high-value information.
Attacks against Microsoft Exchange servers and Outlook email accounts have been increasing.
In July, the Chinese-backed Storm-0058 threat group compromised Outlook accounts of U.S. government agencies by infiltrating Microsoft's corporate network and stealing a signing key.
During the Silence campaign, the Polish Cyber Command observed two initial access vectors: brute-force attacks and exploitation of CVE-2023-23397.
Exploitation of the Microsoft Exchange flaw allowed the threat group to steal a user's Windows New Technology LAN Manager hash, which is used for password security.
By using the Exchange Web Services protocol, the threat group was able to compromise any email account in the organization.
Polish Cyber Command warned enterprises that Forest Blizzard could still be lurking in an Exchange environment even after losing direct access.
Mitigation and defense recommendations include running a toolkit provided by the agency, as well as verifying Exchange accounts and mailbox delegation settings.
Microsoft's primary recommendation for mitigating the threat is to apply the patch for CVE-2023-23397, along with resetting passwords for any compromised users, disabling unnecessary services in Exchange and using multifactor authentication.
In May, Akamai security researcher Ben Barnea discovered that he could bypass Microsoft's fix by using another critical flaw, tracked as CVE-2023-29324, in an Internet Explorer component.
Microsoft released a security update on May 9 to address the threat vector, but Akamai disagreed with the tech giant over the severity rating for CVE-2023-29324.


This Cyber News was published on www.techtarget.com. Publication date: Mon, 04 Dec 2023 22:43:05 +0000


Cyber News related to Fancy Bear hackers still exploiting Microsoft Exchange flaw

Russian-Backed Hackers Target High-Value US, European Entities - Hackers linked to Russia's military intelligence unit exploited previously patched Microsoft vulnerabilities in a massive phishing campaign against U.S. and European organizations in such vectors as government, aerospace, and finance across North ...
11 months ago Securityboulevard.com
The ticking time bomb of Microsoft Exchange Server 2013 - This is, of course, a common issue since 2021 or so, due to Exchange Server security woes- however there has been an abnormally high increase in the past few months, making me think there was some kind of Exchange Server zero day perhaps. In my own ...
11 months ago Doublepulsar.com
Fancy Bear hackers still exploiting Microsoft Exchange flaw - A Russian nation-state group continues to exploit a critical Microsoft vulnerability that was patched eight months ago to gain access to emails within victim organizations' Exchange servers. In March, Microsoft disclosed a zero-day elevation of ...
1 year ago Techtarget.com
Fancy Bear goes phishing in US, European high-value networks The Register - Fancy Bear, the Kremlin's cyber-spy crew, has been exploiting two previously patched bugs for large-scale phishing campaigns against high-value targets - like government, defense, and aerospace agencies in the US and Europe - since March, according ...
1 year ago Go.theregister.com
Microsoft Exchange Server Flaw Exploited as a Zero-Day Bug - Microsoft has identified one of the critical vulnerabilities in Exchange Server that the company disclosed in February's Patch Tuesday update as actually being a zero-day threat that attackers are already actively exploiting. CVE-2024-21410 is an ...
9 months ago Darkreading.com
Feds go Fancy Bear hunting, take down Russia's GRU botnet The Register - The US government today said it disrupted a botnet that Russia's GRU military intelligence unit used for phishing expeditions, spying, credential harvesting, and data theft against American and foreign governments and other strategic targets. Moobot ...
9 months ago Go.theregister.com
Russian hackers exploiting Outlook bug to hijack Exchange accounts - Microsoft's Threat Intelligence team issued a warning earlier today about the Russian state-sponsored actor APT28 actively exploiting the CVE-2023-23397 Outlook flaw to hijack Microsoft Exchange accounts and steal sensitive information. The targeted ...
1 year ago Bleepingcomputer.com
Microsoft reveals how hackers breached its Exchange Online accounts - Microsoft confirmed that the Russian Foreign Intelligence Service hacking group, which hacked into its executives' email accounts in November 2023, also breached other organizations as part of this malicious campaign. On January 12, 2024, Microsoft ...
10 months ago Bleepingcomputer.com
Microsoft Incident Response lessons on preventing cloud identity compromise - Microsoft Incident Response is often engaged in cases where organizations have lost control of their Microsoft Entra ID tenant, due to a combination of misconfiguration, administrative oversight, exclusions to security policies, or insufficient ...
11 months ago Microsoft.com
Russian APT exploiting JetBrains TeamCity vulnerability - A known JetBrains TeamCity vulnerability is now being exploited by two nation-state threat groups as some organizations have yet to patch the critical flaw. CISA issued a joint government advisory Wednesday to warn users that a Russian advanced ...
11 months ago Techtarget.com
Critical Apache Log4j2 flaw still threatens global finance - Critical Apache Log4j2 flaw still threatens global finance. CISA adds Apache Flink flaw to its Known Exploited Vulnerabilities catalog. CISA adds GitLab flaw to its Known Exploited Vulnerabilities catalog. Russia-linked APT28 used post-compromise ...
6 months ago Securityaffairs.com
Over 20,000 vulnerable Microsoft Exchange servers exposed to attacks - Tens of thousands of Microsoft Exchange email servers in Europe, the U.S., and Asia exposed on the public internet are vulnerable to remote code execution flaws. The mail systems run a software version that is currently unsupported and no longer ...
1 year ago Bleepingcomputer.com
Microsoft Exchange 2019 has reached end of mainstream support - Microsoft announced the end of mainstream support for its Exchange Server 2019 on-premises mail server software on January 9, 2023. Starting today, the company says it will no longer accept requests for bug fixes and Design Change Requests, but it ...
10 months ago Bleepingcomputer.com
Customer compliance and security during the post-quantum cryptographic migration | AWS Security Blog - For example, using the s2n-tls client built with AWS-LC (which supports the quantum-resistant KEMs), you could try connecting to a Secrets Manager endpoint by using a post-quantum TLS policy (for example, PQ-TLS-1-2-2023-12-15) and observe the PQ ...
2 months ago Aws.amazon.com
CISA orders agencies impacted by Microsoft hack to mitigate risks - CISA has issued a new emergency directive ordering U.S. federal agencies to address risks resulting from the breach of multiple Microsoft corporate email accounts by the Russian APT29 hacking group. It requires them to investigate potentially ...
7 months ago Bleepingcomputer.com
Russian military hackers target NATO fast reaction corps - Russian APT28 military hackers used Microsoft Outlook zero-day exploits to target multiple European NATO member countries, including a NATO Rapid Deployable Corps. Researchers from Palo Alto Networks' Unit 42 have observed them exploiting the ...
11 months ago Bleepingcomputer.com
Over 28,500 Exchange servers vulnerable to actively exploited bug - Up to 97,000 Microsoft Exchange servers may be vulnerable to a critical severity privilege escalation flaw tracked as CVE-2024-21410 that hackers are actively exploiting. Microsoft addressed the issue on Fenruary 13, when it had already been ...
9 months ago Bleepingcomputer.com
Russian hackers stole Microsoft corporate emails in month-long breach - Microsoft disclosed Friday night that some of its corporate email accounts were breached and data stolen by the Russian state-sponsored hacking group Midnight Blizzard. The company detected the attack on January 12th, with Microsoft initiating its ...
10 months ago Bleepingcomputer.com
Russian hackers stole Microsoft corporate emails in month-long breach - Microsoft disclosed Friday night that some of its corporate email accounts were breached and data stolen by the Russian state-sponsored hacking group Midnight Blizzard. The company detected the attack on January 12th, with Microsoft initiating its ...
10 months ago Bleepingcomputer.com
Russian Spies Hacked Microsoft Email Systems & Accessed Code - Microsoft has disclosed that Russian government hackers, identified as the group Midnight Blizzard, have successfully infiltrated its corporate email systems and stolen source codes. Microsoft's announcement on March 8, 2024, detailed that Midnight ...
8 months ago Cybersecuritynews.com
Thousands of Outdated Microsoft Exchange Servers are Susceptible to Cyber Attacks - A large number of Microsoft Exchange email servers in Europe, the United States, and Asia are currently vulnerable to remote code execution flaws due to their public internet exposure. These servers are running out-of-date software that is no longer ...
1 year ago Cysecurity.news
Google links WinRAR exploitation to Russian, Chinese state hackers - Google says that several state-backed hacking groups have joined ongoing attacks exploiting a high-severity vulnerability in WinRAR, a compression software used by over 500 million users, aiming to gain arbitrary code execution on targets' systems. ...
1 year ago Bleepingcomputer.com
Russian Espionage Group Hammers Zero-Click Microsoft Outlook Bug - An espionage group linked to the Russian military continues to use a zero-click vulnerability in Microsoft Outlook in attempts to compromise systems and gather intelligence from government agencies in NATO countries, as well as the United Arab ...
11 months ago Darkreading.com
Critical unauthenticated RCE flaw in OpenSSH server - MUST READ. Critical unauthenticated remote code execution flaw in OpenSSH server. Expert released PoC exploit code for Veeam Backup Enterprise Manager flaw CVE-2024-29849. CISA adds Oracle WebLogic Server flaw to its Known Exploited Vulnerabilities ...
5 months ago Securityaffairs.com
How Hackers Interrupted GTA 5 Online Gameplay on PC - Recently, a cyber-attack on Grand Theft Auto 5 Online on PC caused an interruption to thousands of players’ gameplays. The game was completely taken offline and players couldn’t even access the main gameplay menu. The attack caused an uproar ...
1 year ago Hackread.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)