A Russian state-sponsored threat actor tracked as APT28 has been exploiting a zero-click Outlook vulnerability in attacks against dozens of organizations in NATO countries, cybersecurity firm Palo Alto Networks reports.
Tracked as CVE-2023-23397, the vulnerability was patched in March 2023, when Microsoft warned that it had already been exploited in the wild.
A bypass for the patch, tracked as CVE-2023-29324, was fixed in May. Rated 'critical', CVE-2023-23397 is triggered by a crafted email whose reminder points at a UNC path on an attacker-controlled server; when Outlook processes the reminder it authenticates to that server over SMB, leaking the recipient's Net-NTLMv2 hash. No user interaction is required, and exploitation occurs before the email is viewed in the Preview Pane.
In March, Microsoft said that a Russian advanced persistent threat actor had been exploiting the flaw since April 2022, without attributing the attacks to a specific hacking group.
APT28, the cybersecurity firm says, exploited the vulnerability in at least three malicious campaigns, one running between March and December 2022, another in March 2023, and the third in September-October 2023.
The first known exploit for CVE-2023-23397 was emailed on March 18, 2022, three weeks after Russia's invasion of Ukraine, to the country's State Migration Service.
The attacks targeted energy and transportation organizations, as well as ministries of defense, internal affairs, foreign affairs, and economy.
The cybersecurity firm's report comes only days after Microsoft updated its March advisory on the observed attacks to attribute the exploitation of CVE-2023-23397 to APT28.
Also tracked as Fancy Bear, Pawn Storm, Sofacy, Sednit, Cyber Caliphate, Cyber Berkut, Strontium, Tsar Team, Fighting Ursa, and Forest Blizzard, APT28 has been blamed for cyberattacks against European countries, for the hack-and-leak operation against the 2016 US presidential election, and for numerous other intrusions. (Sandworm, BlackEnergy and Voodoo Bear are names for a separate GRU unit, not APT28.)
Originally published on www.securityweek.com, Fri, 08 Dec 2023 15:43:04 +0000.