On Friday, Microsoft released instructions to assist clients in identifying signs of potential security breaches linked to a recently fixed weakness in Outlook.
The critical vulnerability, identified as CVE-2023-23397 and rated with a CVSS score of 9.8, pertains to an instance of privilege escalation that can be abused to pilfer NT Lan Manager (NTLM) hashes as well as initiate a relay attack. No user interaction is necessary to carry out this exploit.
The company issued a warning this month stating that attackers from outside may send emails designed in a particular way that trigger the victim's connection to an untrusted location under the control of the attackers.
The above passage means that if someone leaks the victim's Net-NTLMv2 hash to an untrusted network, a hacker could potentially transmit it to another source and falsely authenticate themselves as the victim.
Microsoft resolved the vulnerability in March 2023 as part of its regular Patch Tuesday updates. However, prior to this fix, Russian threat actors exploited the flaw in attacks aimed at government, transportation, energy, and military sectors across Europe.
According to Microsoft's team responsible for handling incidents, they discovered signs of possible misuse of the weakness as early as April 2022.
The tech company explained a series of attacks where an unauthorized person gained access to an Exchange Server through a successful Net-NTLMv2 Relay attack, allowing them to modify mailbox folder permissions for long-term access.
The email account that had been breached was utilized to broaden the attacker's reach within the targeted system through the dispatching of deceitful messages aimed at other individuals in the organization.
According to Microsoft, the utilization of NTLMv2 hashes for acquiring entry to resources without authorization is not an original tactic. However, they stated that the exploitation of CVE-2023-23397 is unique and unobtrusive.
To detect the possibility of exploitation through CVE-2023-23397, organizations need to examine event logging of SMBClient process creation and other relevant network data.
The revelation has been made alongside the introduction of a novel open-source tool for incident response by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which is intended to identify indications of malevolent behavior in Microsoft cloud settings.
According to the agency, a new utility named Untitled Goose Tool, which is based on Python programming language, provides innovative techniques for authenticating and collecting data. This tool can be used for scrutinizing Microsoft Azure Active Directory and Microsoft 365 environments.
At the beginning of this year, Microsoft advised its customers to keep their Exchange servers that are located within their organization up-to-date and also take appropriate measures to strengthen their computer systems to minimize possible security risks.