An espionage group linked to the Russian military continues to use a zero-click vulnerability in Microsoft Outlook in attempts to compromise systems and gather intelligence from government agencies in NATO countries, as well as the United Arab Emirates and Jordan in the Middle East.
A spate of recent attacks in September and October by the Fighting Ursa group - better known as Forest Blizzard, APT28, or Fancy Bear - is the third wave to use the dangerous Outlook privilege-escalation vulnerability, tracked as CVE-2023-23397, which gives attackers a way to steal a user's password hash by coercing the victim's Microsoft Outlook client to connect to an attacker-controlled server without user interaction.
The advanced persistent threat has targeted at least 30 organizations in 14 countries using an exploit for the bug, network security firm Palo Alto Networks stated in an analysis published Dec. 7.
The attacks focus on organizations related to energy production and distribution, oil and gas pipelines, and government ministries in charge of defense, the economy, and domestic and foreign affairs.
Targeting NATO, Ukraine, and the Middle East

The espionage campaigns targeting the vulnerability happened in three waves: an initial wave using the Outlook bug as a zero-day flaw between March and December 2022, then in March of this year following the patch for the issue, and the most recent campaign, in September and October, according to Palo Alto Networks' analysis.
The targets included one of the nine NATO Rapid Deployable Corps, a unit focused on rapid response to a variety of incidents, including natural disaster, counterterrorism, and war fighting, the firm stated.
Researchers at multiple firms have linked the APT to Unit 26165 of the Russian Federation's military intelligence agency, otherwise known as the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation.
Microsoft worked with the Polish Cyber Command to investigate the attack and develop mitigations against the attackers.
Poland is one of the nations targeted by the Outlook-exploitation campaign.
CVE-2023-23397: No Longer Zero-Day, but Still Valuable

First patched in March, the Microsoft Outlook vulnerability allows a specially crafted email to trigger a leak of the user's Net-NTLMv2 hash, and does not require any user interaction.
Using those hashes, the attacker can then authenticate as the victim to other systems that support NTLM authentication.
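The mechanism described above - a crafted message coercing the Outlook client into an outbound connection to an attacker-controlled server, which then captures the NTLM challenge-response - leaves a network footprint a defender can look for: a workstation opening SMB to an address outside the organisation. The following Python script is an added example, not code from the article, Palo Alto Networks, or Microsoft. It scans constructed firewall log lines (the format, the internal address ranges, and the sample addresses are all invented for this example; the external hosts use RFC 5737 documentation addresses) and reports permitted outbound SMB connections from internal hosts to external ones, the traffic that an Outlook client abused this way would generate.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample firewall log (not from the article). Format per line:
# "<timestamp> <src_ip> <dst_ip> <proto> <dst_port> <action>".
# Workstations live in 10.20.0.0/16; 203.0.113.45, 198.51.100.x and 192.0.2.77
# are RFC 5737 documentation addresses standing in for Internet hosts.
SAMPLE_LOG = """\
2023-10-03T09:12:01Z 10.20.5.17 10.20.1.4 tcp 445 allow
2023-10-03T09:12:07Z 10.20.5.17 203.0.113.45 tcp 445 allow
2023-10-03T09:12:09Z 10.20.5.17 198.51.100.9 tcp 80 allow
2023-10-03T09:13:44Z 10.20.7.80 198.51.100.22 tcp 443 allow
2023-10-03T09:14:02Z 10.20.7.80 192.0.2.77 tcp 139 allow
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\w+) (\d+) (\w+)$")

# Address ranges this hypothetical organisation treats as internal. Listed
# explicitly rather than via ipaddress.is_private, which would also classify
# the RFC 5737 documentation addresses used above as non-global.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# SMB ports over which a client coerced into opening a remote UNC path would
# send its NTLM challenge-response to the remote server.
SMB_PORTS = {445, 139}


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    dport: int


def is_internal(ip: str) -> bool:
    """True if ip falls inside one of the organisation's internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Parse one log line; return (ts, src, dst, proto, dport, action) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, proto, dport, action = m.groups()
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
    except ValueError:
        return None
    return ts, src, dst, proto.lower(), int(dport), action.lower()


def find_outbound_smb(log_text: str) -> list:
    """Return an Alert for every permitted SMB connection from an internal host
    to an external address. Internal-to-internal SMB is normal file-server
    traffic and is not reported; malformed lines are skipped."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, proto, dport, action = rec
        if proto != "tcp" or dport not in SMB_PORTS or action != "allow":
            continue
        if is_internal(src) and not is_internal(dst):
            alerts.append(Alert(ts, src, dst, dport))
    return alerts


def sources_by_count(alerts) -> dict:
    """Count alerts per internal source host, the pivot an analyst starts from."""
    return dict(Counter(a.src for a in alerts))


if __name__ == "__main__":
    found = find_outbound_smb(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.src} -> {a.dst}:{a.dport} outbound SMB to external host")
    print(sources_by_count(found))
```

Run against the constructed log, the script flags the two connections to external hosts on ports 445 and 139 and ignores the internal file-server connection and the web traffic. In practice the same rule is usually enforced rather than merely detected: blocking outbound TCP 445 at the perimeter removes the path the coerced connection needs, so a hit in this report indicates either a gap in that block or a host that deserves a closer look.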
Microsoft addressed the original vulnerability with a patch that essentially prevented the Outlook client from making the malicious connections.
Soon thereafter, a researcher from Akamai examining the fix found another issue in a related Internet Explorer component that allowed him to bypass the patch altogether.
Microsoft assigned a separate identifier for the new bug and issued a patch for it in May's Patch Tuesday release.
Palo Alto Networks has urged its customers to patch the vulnerability, but the company has no data on how many - or how few - companies have taken the defensive measure, says Sikorski.
The Outlook vulnerability is not the only one exploited by Fancy Bear.
Microsoft's analysis points out that the group also exploited a vulnerability in the WinRAR archiving utility in early September, and six other software flaws in recent months.
This Cyber News was published on www.darkreading.com. Publication date: Fri, 08 Dec 2023 18:50:04 +0000