Microsoft zero-day linked to Russian bad actors – report
Microsoft has disclosed an Outlook zero-day (CVE-2023-23397).
According to Mandiant, the zero-day has been used for almost a year to target organisations and critical infrastructure. These targets could facilitate strategic intelligence collection as well as disruptive and destructive attacks inside and outside of Ukraine.
Mandiant has created UNC4697 to track early exploitation of the zero-day, which has been publicly attributed to APT28, a Russian GRU actor. The vulnerability has been in use since April 2022 against government, logistics, oil/gas, defense, and transportation industries located in Poland, Ukraine, Romania, and Turkey.
Mandiant anticipates broad, rapid adoption of the CVE-2023-23397 exploit by multiple nation-state and financially-motivated actors, including both criminal and cyber espionage actors. In the short-term, these actors will race against patching efforts to gain footholds in unpatched systems.
Proof-of-concepts are already widely available for the zero-day, which requires no user interaction. In addition to the collection of intelligence for strategic purposes, Mandiant believes this zero-day was used to target critical infrastructure inside and outside of Ukraine in preparation for potential disruptive or destructive cyberattacks. Note that this vulnerability does not affect cloud-based email solutions.
"This is more evidence that aggressive, disruptive and destructive cyberattacks may not remain constrained to Ukraine and a reminder that we cannot see everything," says John Hultquist, Head of Mandiant Intelligence Analysis - Google Cloud.
"While preparation for attacks does not necessarily indicate they are imminent, the geopolitical situation should give us pause.
"This is also a reminder that we cannot see everything going on with this conflict. These are spies and they have a long track record of successfully evading our notice," he says.
"This will be a propagation event. This is an excellent tool for nation-state actors and criminals alike who will be on a bonanza in the short term. The race has already begun."
What You Need to Know
Use of CVE-2023-23397 prior to its recent public disclosure has been publicly attributed to APT28. The earliest evidence of exploitation dates back to April 2022 against government, logistics, oil/gas, defense, and transportation industries located in Poland, Ukraine, Romania, and Turkey. These organisations may have been targeted for strategic intelligence collection purposes or as part of preparation for disruptive and destructive cyberattacks in and outside of Ukraine.
CVE-2023-23397 is a vulnerability in the Outlook client that requires no user interaction and for which proof-of-concept exploits are now widely available. Mandiant Threat Intelligence considers this a high-risk vulnerability due to the possibility of privilege escalation with no user interaction or privileges required for exploitation. Following exploitation, an attacker could authenticate to multiple services and move laterally. Exploitation of the zero-day is trivial, and it will likely be leveraged imminently by actors for espionage purposes or financial gain.
Adversary Operations has created UNC4697 to track exploitation of the zero-day, which has been publicly attributed to APT28.
APT28 is a Russian military intelligence (GRU) actor that regularly carries out cyber espionage and information operations within and outside of Ukraine. APT28 frequently collaborates with the GRU actor Sandworm, who is responsible for disruptive and destructive attacks.
How Does it Work?
An attacker could exploit this vulnerability to escalate privileges. An attacker would need to specially craft a malicious email with an extended MAPI property that contains a UNC path to an SMB (TCP 445) share on an attacker-controlled server. Once the email is received, a connection is opened to the SMB share and the user's NTLM negotiation message is sent. This allows the attacker to discover the user's Net-NTLMv2 hash. The attacker can then relay the NTLM hash to authenticate to other systems in the victim's environment. This is commonly referred to as a Pass the Hash (PtH) attack. The connection to the SMB share is triggered when the Outlook client receives and processes the email, allowing exploitation to occur before the victim views the email.
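One defensive check this mechanism suggests, as an added example that is not from the article, Mandiant or Microsoft: a scan over exported calendar-item properties for reminder sound paths that would make Outlook open an SMB connection to a remote host. It assumes the extended MAPI property involved is PidLidReminderFileParameter (named in Microsoft's guidance, not in this article) and that item properties are available as dictionaries; the sample items, hosts and addresses are constructed.

```python
import re
from typing import Optional

# Constructed sample: extended MAPI properties of five calendar items as a
# mailbox-scanning tool might export them. PidLidReminderFileParameter is the
# property Microsoft's guidance points at; the article does not name it.
SAMPLE_MESSAGES = [
    {"subject": "Team sync", "PidLidReminderFileParameter": None},
    {"subject": "Quarterly review",   # 198.51.100.0/24 is documentation space (constructed)
     "PidLidReminderFileParameter": r"\\198.51.100.23\share\reminder.wav"},
    {"subject": "Dentist",
     "PidLidReminderFileParameter": r"C:\Windows\Media\Alarm01.wav"},
    {"subject": "Invoice",
     "PidLidReminderFileParameter": r"\\?\UNC\files.example.net\s\x.wav"},
    {"subject": "Standup",
     "PidLidReminderFileParameter": "//fileserver.corp.example/audio/chime.wav"},
]

# Hosts to which a connection does not send the user's NTLM negotiation off-box.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Accepts the three UNC spellings Windows resolves: \\host\, \\?\UNC\host\ and //host/
_UNC = re.compile(r"^(?:\\\\\?\\UNC\\|\\\\|//)([^\\/]+)[\\/]", re.IGNORECASE)


def unc_host(value: Optional[str]) -> Optional[str]:
    """Return the host a UNC-style reminder path points at, or None when the
    path is local (drive letter, relative, or loopback) and triggers no SMB."""
    if not value:
        return None
    m = _UNC.match(value.strip())
    if not m:
        return None
    host = m.group(1).lower()
    return None if host in LOCAL_HOSTS else host


def scan_messages(messages, trusted_hosts=frozenset()):
    """Flag items whose reminder path would make Outlook connect over SMB
    (TCP 445) to a host that is not one of the organisation's own file servers.
    Returns (subject, host) pairs for triage."""
    findings = []
    for msg in messages:
        host = unc_host(msg.get("PidLidReminderFileParameter"))
        if host and host not in trusted_hosts:
            findings.append((msg["subject"], host))
    return findings
```

Internal file servers that legitimately host reminder sounds belong in `trusted_hosts`; anything else that remains flagged is worth correlating with outbound TCP 445 attempts at the perimeter.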