Russian hackers exploiting Outlook bug to hijack Exchange accounts

Microsoft's Threat Intelligence team issued a warning earlier today about the Russian state-sponsored actor APT28 actively exploiting the CVE-2023-23397 Outlook flaw to hijack Microsoft Exchange accounts and steal sensitive information.
The targeted entities include government, energy, transportation, and other key organizations in the United States, Europe, and the Middle East.
The tech giant also highlighted the exploitation of other vulnerabilities with publicly available exploits in the same attacks, including CVE-2023-38831 in WinRAR and CVE-2021-40444 in Windows MSHTML. Outlook flaw exploitation background.
CVE-2023-23397 is a critical elevation of privilege vulnerability in Outlook on Windows, which Microsoft fixed as a zero-day on the March 2023 Path Tuesday.
The disclosure of the flaw came with the revelation that APT28 had been exploiting it since April 2022 via specially crafted Outlook notes designed to steal NTLM hashes, forcing the target devices to authenticate to attacker-controlled SMB shares without requiring user interaction.
By elevating their privileges on the system, which was proven uncomplicated, APT28 performed lateral movement in the victim's environment and changed Outlook mailbox permissions to perform targeted email theft.
Despite the availability of security updates and mitigation recommendations, the attack surface remained significant, and a bypass of the fix that followed in May worsened the situation.
Recorded Future warned in June that APT28 likely leveraged the Outlook flaw against key Ukrainian organizations.
In October, the French cybersecurity agency revealed that the Russian hackers had used the zero-click attack against government entities, businesses, universities, research institutes, and think tanks in France.
Microsoft's latest warning highlights that the GRU hackers still leverage CVE-2023-38831 in attacks, so there are still systems out there that remain vulnerable to the critical EoP flaw.
The tech firm has also noted the work of the Polish Cyber Command Center in helping detect and stop the attacks.
DKWOC also published a post describing APT28 activity that leverages CVE-2023-38831.
Given that APT28 is a highly resourceful and adaptive threat group, the most effective defense strategy is to reduce the attack surface across all interfaces and ensure all software products are regularly updated with the latest security patches.
Microsoft fixes Outlook zero-day used by Russian hackers since April 2022.
Microsoft: SysAid zero-day flaw exploited in Clop ransomware attacks.
Microsoft: State hackers exploiting Confluence zero-day since September.
Hackers use Citrix Bleed flaw in attacks on govt networks worldwide.
Recently patched Citrix NetScaler bug exploited as zero-day since August.


This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 04 Dec 2023 20:15:12 +0000


Cyber News related to Russian hackers exploiting Outlook bug to hijack Exchange accounts

The ticking time bomb of Microsoft Exchange Server 2013 - This is, of course, a common issue since 2021 or so, due to Exchange Server security woes- however there has been an abnormally high increase in the past few months, making me think there was some kind of Exchange Server zero day perhaps. In my own ...
1 year ago Doublepulsar.com
Russian military hackers target NATO fast reaction corps - Russian APT28 military hackers used Microsoft Outlook zero-day exploits to target multiple European NATO member countries, including a NATO Rapid Deployable Corps. Researchers from Palo Alto Networks' Unit 42 have observed them exploiting the ...
1 year ago Bleepingcomputer.com CVE-2023-23397 Fancy Bear APT28
Russian hackers exploiting Outlook bug to hijack Exchange accounts - Microsoft's Threat Intelligence team issued a warning earlier today about the Russian state-sponsored actor APT28 actively exploiting the CVE-2023-23397 Outlook flaw to hijack Microsoft Exchange accounts and steal sensitive information. The targeted ...
1 year ago Bleepingcomputer.com CVE-2023-23397 CVE-2023-38831 CVE-2021-40444 APT28
Microsoft: Exchange 2016 and 2019 reach end of support in six months - This week's warning comes after Microsoft reminded IT admins in January that Exchange Server 2016 and Exchange Server 2019 will no longer receive technical support starting in October. The Exchange Server Engineering Team also shared guidance for ...
1 month ago Bleepingcomputer.com
Microsoft fixes connection issue affecting Outlook email apps - Microsoft has fixed a known issue causing desktop and mobile email clients to fail to connect when using Outlook.com accounts. More details on how to use app passwords with apps without two-step verification support can be found in this support ...
1 year ago Bleepingcomputer.com
Russian hackers stole Microsoft corporate emails in month-long breach - Microsoft disclosed Friday night that some of its corporate email accounts were breached and data stolen by the Russian state-sponsored hacking group Midnight Blizzard. The company detected the attack on January 12th, with Microsoft initiating its ...
1 year ago Bleepingcomputer.com APT29
Russian hackers stole Microsoft corporate emails in month-long breach - Microsoft disclosed Friday night that some of its corporate email accounts were breached and data stolen by the Russian state-sponsored hacking group Midnight Blizzard. The company detected the attack on January 12th, with Microsoft initiating its ...
1 year ago Bleepingcomputer.com APT29
Microsoft: Outlook clients not syncing over Exchange ActiveSync - Microsoft warned Outlook for Microsoft 365 users that clients might have issues connecting to email servers via Exchange ActiveSync after a January update. Exchange ActiveSync is an Exchange synchronization protocol using HTTP and XML to let users ...
1 year ago Bleepingcomputer.com
Microsoft says button to restore classic Outlook is broken - Since the beginning of the year, it has addressed other Outlook issues, including one that causes classic Outlook to crash when writing, replying to, or forwarding an email, and another one that led to Classic Outlook and Microsoft 365 applications ...
2 months ago Bleepingcomputer.com
Microsoft reveals how hackers breached its Exchange Online accounts - Microsoft confirmed that the Russian Foreign Intelligence Service hacking group, which hacked into its executives' email accounts in November 2023, also breached other organizations as part of this malicious campaign. On January 12, 2024, Microsoft ...
1 year ago Bleepingcomputer.com APT29
Who is the DOGE and X Technician Branden Spikes? – Krebs on Security - Branden Spikes California Russian Association Congress of Russian Americans Constellation of Humanity Cyberinc Department of Government Efficiency Diana Fishman Donald J. Prior to founding Spikes Security, Branden Spikes was married to a native ...
2 months ago Krebsonsecurity.com
Microsoft fixes Outlook Desktop crashes when sending emails - Microsoft has fixed a known issue causing Outlook Desktop clients to crash when sending emails from Outlook.com accounts. These problems were first reported on Microsoft's community website and other social networks by customers saying they were ...
1 year ago Bleepingcomputer.com
Fancy Bear hackers still exploiting Microsoft Exchange flaw - A Russian nation-state group continues to exploit a critical Microsoft vulnerability that was patched eight months ago to gain access to emails within victim organizations' Exchange servers. In March, Microsoft disclosed a zero-day elevation of ...
1 year ago Techtarget.com CVE-2023-23397 CVE-2023-29324 Fancy Bear Silence
Hackers Actively Exploiting Outlook Privilege Escalation Flaw - Hackers target and exploit Outlook vulnerabilities because it is a widely used email platform, providing a large potential victim pool. Exploiting vulnerabilities in Outlook allows hackers to:-. In collaboration with the Polish Cyber Command, ...
1 year ago Cybersecuritynews.com CVE-2023-23397
Five best practices for securing Active Directory service accounts - Windows Active Directory (AD) service accounts are prime cyber-attack targets due to their elevated privileges and automated/continuous access to important systems. To support software-specific functions, service accounts require elevated permissions ...
3 months ago Bleepingcomputer.com
FSB arrests Russian hackers working for Ukrainian cyber forces - The Russian Federal Security Service arrested two individuals believed to have helped Ukrainian forces carry out cyberattacks to disrupt Russian critical infrastructure targets. Both suspects were taken into custody one same day in two different ...
1 year ago Bleepingcomputer.com
Russian Espionage Group Hammers Zero-Click Microsoft Outlook Bug - An espionage group linked to the Russian military continues to use a zero-click vulnerability in Microsoft Outlook in attempts to compromise systems and gather intelligence from government agencies in NATO countries, as well as the United Arab ...
1 year ago Darkreading.com CVE-2023-23397 Fancy Bear APT28
Microsoft seizes domains used to sell fraudulent Outlook accounts - Microsoft's Digital Crimes Unit seized multiple domains used by a Vietnam-based cybercrime group that registered over 750 million fraudulent accounts and raked in millions of dollars by selling them online to other cybercriminals. According to ...
1 year ago Bleepingcomputer.com
Microsoft fixes button that restores classic Outlook client - Since the start of the year, it has fixed other Outlook issues, including one that led to Classic Outlook and Microsoft 365 applications crashing on Windows Server 2016 or Windows Server 2019 systems and another one that triggers classic Outlook ...
2 months ago Bleepingcomputer.com
Microsoft Exchange Server Flaw Exploited as a Zero-Day Bug - Microsoft has identified one of the critical vulnerabilities in Exchange Server that the company disclosed in February's Patch Tuesday update as actually being a zero-day threat that attackers are already actively exploiting. CVE-2024-21410 is an ...
1 year ago Darkreading.com CVE-2024-21410 CVE-2024-2140 CVE-2024-21412 CVE-2024-21351 Fancy Bear
Microsoft Outlook December updates trigger ICS security alerts - Microsoft is investigating an issue that triggers Outlook security alerts when trying to open. ICS calendar files after installing December 2023 Patch Tuesday Office security updates. The company also revealed that the security warning will be ...
1 year ago Bleepingcomputer.com CVE-2023-35636
Russian military hackers target Ukraine with new MASEPIE malware - Ukraine's Computer Emergency Response Team is warning of a new phishing campaign that allowed Russia-linked hackers to deploy previously unseen malware on a network in under one hour. APT28, aka Fancy Bear or Strontium, is a Russian state-sponsored ...
1 year ago Bleepingcomputer.com Fancy Bear APT28
Google links WinRAR exploitation to Russian, Chinese state hackers - Google says that several state-backed hacking groups have joined ongoing attacks exploiting a high-severity vulnerability in WinRAR, a compression software used by over 500 million users, aiming to gain arbitrary code execution on targets' systems. ...
1 year ago Bleepingcomputer.com CVE-2023-38831 CVE-2023-40477 APT28
Akamai discloses zero-click exploit for Microsoft Outlook - While examining a previous bypass mitigation, Akamai Technologies discovered two new Windows vulnerabilities that could allow an attacker to create a zero-click exploit against Microsoft Outlook clients. In a two-part report published Monday, Akamai ...
1 year ago Techtarget.com CVE-2023-35384 CVE-2023-36710 CVE-2023-23397 CVE-2023-29324
CISA: Russian hackers target TeamCity servers since September - CISA and partner cybersecurity agencies and intelligence services warned that the APT29 hacking group linked to Russia's Foreign Intelligence Service has been targeting unpatched TeamCity servers in widespread attacks since September 2023. APT29 is ...
1 year ago Bleepingcomputer.com CVE-2023-42793 Andariel APT29