Microsoft Outlook vulnerability: proof of concept available, fear of attacks
A critical vulnerability in Outlook was already being attacked when Microsoft closed it with the March patch day updates. A short time later, IT researchers published a proof-of-concept exploit, which cybercriminals can use for attacks. It is therefore high time to apply the available updates.
Outlook: vulnerability allows privilege escalation
The description of the vulnerability on patch day was: attackers can obtain a user’s Net-NTLMv2 hash by exploiting CVE-2023-23397. The hash can then be used in an NTLM relay attack against another service to authenticate as the victim. To exploit the vulnerability, it is sufficient to send a specially crafted e-mail. The vulnerability is triggered automatically when the Outlook client retrieves and processes the message, and it fires before the e-mail is displayed in the preview pane. An e-mail manipulated in this way can cause the victim’s client to connect to an attacker’s server, through which the victim’s Net-NTLMv2 hash reaches the attackers.
Microsoft had provided a PowerShell script that administrators can use to scan Exchange servers for potentially malicious messages that abuse the vulnerability. Microsoft leaves it to the admins to judge whether the messages found actually have malicious content or not.
MDSec IT researchers took a closer look at the script and found that it searches specifically for the PidLidReminderFileParameter property in messages. They used this information to derive a proof-of-concept exploit that demonstrates the vulnerability. This makes it easier for cybercriminals to craft malicious e-mails and attack potential victims, and the probability that the vulnerability will be abused in cyber attacks has increased significantly.
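To illustrate the kind of check the script performs, here is an added Python heuristic (not Microsoft’s script and not MDSec’s code) that flags messages whose PidLidReminderFileParameter points at a UNC path on a host outside an allow list. The message records, field names and host names are constructed for the example; real messages would have to be exported from the mailbox first.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Matches a UNC-style path: \\host\share..., including the WebDAV forms
# \\host@SSL\share and \\host@8080\share that the Windows redirector accepts.
# A bare \\host with nothing after it is also treated as remote.
UNC_RE = re.compile(r"^\\\\([^\\/@]+)(?:@(?:ssl|\d+))?(?:[\\/]|$)", re.IGNORECASE)


def classify_reminder_path(value: Optional[str], trusted_hosts: Iterable[str] = ()) -> str:
    """Classify a PidLidReminderFileParameter value.

    Returns 'empty', 'local', 'unc-trusted' or 'unc-external'. Only the last
    one needs an admin's attention: the reminder sound lives on a remote host
    that is not on the allow list, so processing it would make the client
    authenticate to that host.
    """
    if not value:
        return "empty"
    normalized = value.strip().replace("/", "\\")
    match = UNC_RE.match(normalized)
    if match is None:
        return "local"
    host = match.group(1).lower()
    if host in {h.lower() for h in trusted_hosts}:
        return "unc-trusted"
    return "unc-external"


def scan_messages(messages, trusted_hosts: Iterable[str] = ()) -> List[Tuple[int, str, str]]:
    """Return (message id, sender, path) for every message that should be reviewed."""
    findings = []
    for msg in messages:
        path = msg.get("PidLidReminderFileParameter")
        if classify_reminder_path(path, trusted_hosts) == "unc-external":
            findings.append((msg["id"], msg["sender"], path))
    return findings


# Constructed sample: four messages as an admin might export them from a mailbox.
SAMPLE_MESSAGES = [
    {"id": 1, "sender": "colleague@example.com", "PidLidReminderFileParameter": None},
    {"id": 2, "sender": "calendar@example.com", "PidLidReminderFileParameter": r"C:\Windows\Media\Alarm01.wav"},
    {"id": 3, "sender": "unknown@example.net", "PidLidReminderFileParameter": r"\\203.0.113.7\share\reminder.wav"},
    {"id": 4, "sender": "hr@example.com", "PidLidReminderFileParameter": r"\\fileserver.example.com\sounds\ding.wav"},
]

if __name__ == "__main__":
    for item in scan_messages(SAMPLE_MESSAGES, trusted_hosts=["fileserver.example.com"]):
        print("review:", item)
```

A hit is only a candidate for review, just as with Microsoft’s script: a reminder sound on an internal file server is legitimate, so the allow list should be populated with the organisation’s own hosts before running it.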
Gap abused for a long time
The IT security company Deep Instinct, on the other hand, has observed several attacks that abused this vulnerability. “According to findings of Microsoft Threat Intelligence, a Russia-based threat actor used the program in attacks that targeted and attacked the networks of several government, military, energy and transport companies in Europe between April and December 2022,” the IT researchers point out.
Following attacks on Romanian targets in April and May 2022, Poland in September to November 2022, Jordan in October 2022, Ukraine in early November and December 2022 and Turkey towards the end of December 2022, Deep Instinct’s IT researchers may also have found evidence of earlier attacks exploiting the vulnerability. They write that attacks discovered by Palo Alto Networks in 2020 came from Iranian actors and probably also abused this vulnerability. It should therefore not be assumed that only Russian attackers are exploiting it.
IT managers should apply the updates from Microsoft quickly if they have not already done so. The risk of becoming a victim of a cyber attack has increased significantly with the availability of the PoC.