Hackers target and exploit Outlook vulnerabilities because it is a widely used email platform, providing a large potential victim pool.
Exploiting vulnerabilities in Outlook allows hackers to:
In collaboration with the Polish Cyber Command, Microsoft is taking action against Forest Blizzard, the Russian nation-state threat actor behind the exploitation of this Outlook vulnerability.
CVE-2023-23397 is rated a critical elevation-of-privilege vulnerability in Outlook for Windows. A crafted message causes the Outlook client to authenticate over SMB to a server the attacker controls, leaking the Net-NTLMv2 hash of the signed-in user; no interaction with the message is required, since the connection is made when the reminder fires.
This critical vulnerability affects all supported versions of Outlook for Windows, but it does not affect any version of the following platforms:
The technique relies on Microsoft's Transport Neutral Encapsulation Format (TNEF): a Winmail.dat attachment carries a formatted email message, including attachments and Outlook-specific features such as MAPI properties, which is how the malicious reminder property reaches the target mailbox.
Outlook on Windows lets users set a custom reminder sound; the path to that sound file is stored in the PidLidReminderFileParameter MAPI property. If the path is a UNC path (\\host\share\sound.wav) rather than a local file, Outlook opens an SMB connection to that host when the reminder fires.
Threat actors abuse this by using tools such as MFCMAPI to set the property to a UNC path on a server they control. The victim's Outlook client then authenticates to that server automatically, leaking the Net-NTLMv2 hash of the signed-in Windows user.
Initial access: the leaked hash is relayed in a Net-NTLMv2 relay attack against Exchange servers that still accept NTLM authentication, giving the attacker the victim's mailbox access.
Notably, Azure AD, the default identity provider for Exchange Online, is not directly susceptible to this relay, but a federated identity provider that accepts NTLM may be at risk.
The recommendations provided by the cybersecurity researchers are:
Apply the Microsoft Outlook security update promptly; patching is the primary mitigation.
If immediate patching is not feasible, implement the recommended security practices below to reduce the threat.
Apply the latest security updates for on-premises Microsoft Exchange Server to enable its defense-in-depth mitigations.
Scan mailboxes for suspicious PidLidReminderFileParameter values (Microsoft provides a script for this). If suspicious values are found, use the script to remove the messages or clear the property, and start incident response as needed.
Reset passwords for users who received messages with suspicious reminder values, and initiate incident response for the affected accounts.
Reduce the impact of Net-NTLMv2 relay attacks by enforcing multifactor authentication.
Disable all unnecessary services on Exchange Server.
Control SMB traffic by blocking outbound TCP ports 135 and 445 at the perimeter, allowing only specified IP addresses on an allowlist.
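The triage step the recommendations above call for, written out as an added example (this is not the article's code, nor Microsoft's own scanning script): given PidLidReminderFileParameter values of the kind the mechanism section describes, classify each as a local file path, a UNC path to an internal host, or a UNC path to an external host. The internal address ranges, the `.corp.example` suffix and the sample records are placeholders constructed for the example; how the property values are pulled out of mailboxes is left to whatever tooling you already use.

```python
"""Triage PidLidReminderFileParameter values for CVE-2023-23397-style abuse.

A benign value is a local path to a .wav file.  A UNC path makes Outlook open
an SMB connection (and authenticate) to the named host when the reminder
fires, so a UNC path to a host outside the organisation is the tell-tale.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical internal ranges and DNS suffix; replace with your own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
INTERNAL_SUFFIXES = (".corp.example",)

# Matches "\\host\share\..." and the long form "\\?\UNC\host\share\...".
_UNC_RE = re.compile(r"^\\\\(?:\?\\UNC\\)?([^\\]+)\\", re.IGNORECASE)


@dataclass
class Verdict:
    value: str
    classification: str            # "empty", "local", "internal_unc", "external_unc"
    host: Optional[str] = None


def _host_is_internal(host: str) -> bool:
    h = host.lower()
    # Windows spells IPv6 literals in UNC paths as "fd00--1s4.ipv6-literal.net"
    # ("-" for ":", "s" for the zone "%"); undo that before parsing.
    if h.endswith(".ipv6-literal.net"):
        h = h[: -len(".ipv6-literal.net")].replace("-", ":").split("s")[0]
    try:
        ip = ipaddress.ip_address(h.split("%")[0])
        return ip.is_loopback or ip.is_link_local or any(ip in n for n in INTERNAL_NETS)
    except ValueError:
        pass                        # not an IP literal, treat as a hostname
    if "." not in h:                # single-label name: only resolves on the LAN
        return True
    return h.endswith(INTERNAL_SUFFIXES)


def classify_reminder_file(value: str) -> Verdict:
    """Classify one PidLidReminderFileParameter value."""
    v = (value or "").strip().replace("/", "\\")   # Windows accepts either separator
    if not v:
        return Verdict(value, "empty")
    m = _UNC_RE.match(v)
    if not m:
        return Verdict(value, "local")
    host = m.group(1)
    kind = "internal_unc" if _host_is_internal(host) else "external_unc"
    return Verdict(value, kind, host)


def triage(records: List[Tuple[str, str]]) -> List[Tuple[str, Verdict]]:
    """Return (message_id, verdict) for every message whose reminder sound
    would be fetched over SMB.  External hosts are the priority; internal
    UNC paths still deserve a look, since an attacker with a foothold can
    catch the authentication there too."""
    flagged = []
    for message_id, value in records:
        verdict = classify_reminder_file(value)
        if verdict.classification in ("internal_unc", "external_unc"):
            flagged.append((message_id, verdict))
    return flagged


# Constructed sample of (message id, property value) pairs for the example.
SAMPLE_MESSAGES = [
    ("msg-001", "C:\\Windows\\Media\\Alarm01.wav"),
    ("msg-002", "\\\\fileserver01\\sounds\\chime.wav"),
    ("msg-003", "\\\\203.0.113.10\\s\\a.wav"),
    ("msg-004", "\\\\?\\UNC\\share.example.net\\x\\y.wav"),
    ("msg-005", ""),
    ("msg-006", "\\\\fd00--1.ipv6-literal.net\\share\\s.wav"),
]

if __name__ == "__main__":
    for message_id, verdict in triage(SAMPLE_MESSAGES):
        print(f"{message_id}: {verdict.classification} host={verdict.host} value={verdict.value!r}")
```

Anything reported as `external_unc` is the case the article describes and should go straight to the password reset and incident response steps above; `internal_unc` hits are worth confirming against the list of legitimate file servers before clearing them.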
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 06 Dec 2023 03:15:23 +0000