A Russian nation-state group continues to exploit a critical Microsoft vulnerability that was patched eight months ago to gain access to emails within victim organizations' Exchange servers.
In March, Microsoft disclosed a zero-day elevation of privilege vulnerability, tracked as CVE-2023-23397, that affects Outlook for Windows and received a critical CVSS score of 9.8.
Microsoft published an advisory on March 24 that said evidence of potential exploitation traced back to April 2022.
Microsoft warned that threat actors could exploit the flaw during attacks by sending a specially crafted message that required no user interaction.
CISA added CVE-2023-23397 to its Known Exploited Vulnerabilities catalog, which signals a high-priority threat.
Although Microsoft urged users to update Microsoft Outlook as soon as possible due to exploitation activity, organizations remain vulnerable eight months later.
In an update to the March blog post on Monday, Microsoft revealed that the Russian state-sponsored threat group it tracks as Forest Blizzard, more commonly known as Fancy Bear or APT 28, continues to exploit CVE-2023-23397 against unpatched instances.
The Polish Cyber Command initially detected the attacks and reported the malicious nation-state activity to Microsoft.
The threat group has a history of exploiting zero-day vulnerabilities and using advanced social engineering techniques.
The threat group first compromised ordinary, low-privilege user accounts and then used that foothold to reach Exchange accounts that might contain high-value information.
Attacks against Microsoft Exchange servers and Outlook email accounts have been increasing.
In July, the Chinese-backed Storm-0558 threat group compromised Outlook accounts of U.S. government agencies by infiltrating Microsoft's corporate network and stealing a signing key.
During the Silence campaign, the Polish Cyber Command observed two initial access vectors: brute-force attacks and exploitation of CVE-2023-23397.
Exploitation of the Outlook flaw allowed the threat group to steal a user's Windows New Technology LAN Manager (NTLM) hash, a credential used for password-based authentication.
By using the Exchange Web Services (EWS) protocol, the threat group was able to compromise any email account in the organization.
Polish Cyber Command warned enterprises that Forest Blizzard could still be lurking in an Exchange environment even after losing direct access.
Mitigation and defense recommendations include running a toolkit provided by the agency, as well as verifying Exchange accounts and mailbox delegation settings.
Microsoft's primary recommendation for mitigating the threat is to apply the patch for CVE-2023-23397, along with resetting passwords for any compromised users, disabling unnecessary services in Exchange and using multifactor authentication.
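As an added illustration of the delegation check the Polish Cyber Command recommends (this is example code, not the agency's toolkit or anything from the article), the script below runs in an Exchange Management Shell or ExchangeOnlineManagement session and lists explicit Full Access grants, Inbox folder shares, mailbox forwarding and inbox rules that send mail outside the organization, all of which an intruder holding a stolen credential can add through EWS to keep reading mail after the account is reset. The `$internalDomains` list is a placeholder you replace with the organization's own accepted domains.

```powershell
# Audit of mailbox delegation and forwarding settings that survive a password reset.
# Run in an Exchange Management Shell (or ExchangeOnlineManagement) session.
# $internalDomains is a placeholder: list the organization's own accepted domains.
$internalDomains = @('example.com')

function Test-ExternalAddress {
    param([string]$Address)
    # Directory objects without an SMTP address are treated as internal.
    if (-not $Address -or $Address -notmatch '@') { return $false }
    $domain = ($Address -split '@')[-1].ToLower()
    return -not ($internalDomains -contains $domain)
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $id = $mbx.PrimarySmtpAddress.ToString()

    # 1. Explicit Full Access grants (inherited entries, deny entries and SELF are skipped)
    Get-MailboxPermission -Identity $id |
        Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                       $_.AccessRights -contains 'FullAccess' -and
                       "$($_.User)" -ne 'NT AUTHORITY\SELF' } |
        ForEach-Object { [pscustomobject]@{ Mailbox = $id; Type = 'FullAccess'; Detail = "$($_.User)" } }

    # 2. Inbox folder shared with anyone beyond the Default and Anonymous entries
    Get-MailboxFolderPermission -Identity "${id}:\Inbox" -ErrorAction SilentlyContinue |
        Where-Object { $_.User.DisplayName -notin @('Default', 'Anonymous') } |
        ForEach-Object { [pscustomobject]@{ Mailbox = $id; Type = 'InboxFolderPermission';
                                            Detail = "$($_.User): $($_.AccessRights -join ',')" } }

    # 3. Mailbox-level forwarding to an address outside the organization
    if (Test-ExternalAddress "$($mbx.ForwardingSmtpAddress)") {
        [pscustomobject]@{ Mailbox = $id; Type = 'MailboxForwarding'; Detail = "$($mbx.ForwardingSmtpAddress)" }
    }

    # 4. Inbox rules that forward or redirect mail to external recipients
    foreach ($rule in Get-InboxRule -Mailbox $id -ErrorAction SilentlyContinue) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        # Recipients render as '"Name" [SMTP:addr]'; pull out the address part when present
        $external = $targets | Where-Object { $_ } |
            ForEach-Object { if ("$_" -match '\[SMTP:([^\]]+)\]') { $Matches[1] } else { "$_" } } |
            Where-Object { Test-ExternalAddress $_ }
        if ($external) {
            [pscustomobject]@{ Mailbox = $id; Type = 'InboxRuleForward'; Detail = "$($rule.Name) -> $($external -join ',')" }
        }
    }
}

$findings | Sort-Object Mailbox, Type | Format-Table -AutoSize
```

Every row it prints is something to confirm with the mailbox owner; an entry nobody can account for is the kind of lingering access the agency warns about.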
In May, Akamai security researcher Ben Barnea discovered that he could bypass Microsoft's fix by using another critical flaw, tracked as CVE-2023-29324, in an Internet Explorer component.
Microsoft released a security update on May 9 to address the threat vector, but Akamai disagreed with the tech giant over the severity rating for CVE-2023-29324.
This Cyber News was published on www.techtarget.com. Publication date: Mon, 04 Dec 2023 22:43:05 +0000