
Microsoft patches bypass for recently fixed Outlook zero-click bug

by TodayDigitNews@gmail.com

Microsoft this week fixed a security vulnerability that remote attackers could exploit to bypass recent patches for a critical zero-day security flaw in Outlook.

This zero-click bypass (CVE-2023-29324) affects all supported versions of Windows and was reported by Akamai security researcher Ben Barnea.


“All Windows versions are affected by this vulnerability. As a result, all Outlook client versions on Windows are exploitable,” Barnea explained.

The original Outlook zero-day (CVE-2023-23397), patched in March, is a privilege escalation flaw in the Outlook client for Windows that lets attackers steal NTLM hashes without any user interaction and reuse them in an NTLM relay attack.

A threat actor exploits it by sending a message whose extended MAPI property for the custom reminder sound holds a UNC path. When the reminder fires, the Outlook client is forced to connect to an SMB share under the attacker’s control and authenticate to it, leaking the user’s NTLM credentials.

Microsoft addressed this by adding a MapUrlToZone call that checks whether the UNC path points into the Internet zone; if it does, Outlook ignores the custom sound and plays the default reminder sound instead.

Outlook Zero-Click Privilege Escalation Bypass

While analyzing CVE-2023-23397 mitigations, Barnea discovered that the URL in the reminder message could be changed to trick the MapUrlToZone check into accepting a remote path as a local path.

This bypasses Microsoft’s patch and allows the Windows Outlook client to connect to the attacker’s server.

“This problem is due to the complex handling of paths on Windows,” Barnea explains.

In light of Barnea’s findings, Microsoft warned that “To be fully protected, customers should install the CVE-2023-23397 and CVE-2023-29324 updates.”

Although Internet Explorer has been retired, the vulnerable MSHTML platform, which is where the MapUrlToZone check runs, remains in use by Internet Explorer mode in Microsoft Edge and by applications that embed the WebBrowser control.

For this reason, Microsoft recommends that customers install both this month’s security update and the IE Cumulative Update released to address CVE-2023-29324 in order to maintain complete protection.

Russian State Hackers Abuse for Data Theft

Between mid-April and December 2022, the Russian nation-state group APT28 (aka STRONTIUM, Sednit, Sofacy, or Fancy Bear) exploited CVE-2023-23397 to attack at least 14 government, military, energy, and transportation organizations, as Microsoft revealed in a private threat analytics report.

APT28 is allegedly linked to the main directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), Russia’s military intelligence agency.

The attackers used malicious Outlook notes and tasks to steal NTLM hashes by forcing the targeted devices to authenticate to an attacker-controlled SMB share.

These stolen credentials were used to move laterally within the victim’s network and to modify Outlook mailbox permissions to extract email for specific accounts.

Microsoft published a script that helps Exchange admins check whether their servers were targeted, and also recommended looking for other indicators of exploitation in case the threat actor has cleaned up its tracks.
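The two checks discussed on this page, the zone-style “would this reminder sound make Outlook reach out over the network?” test that Microsoft’s fix relies on and the admin-side hunt for messages carrying a remote reminder sound, can be illustrated together. The Python below is an added example, not code from Microsoft, Akamai or this page. It folds the documented Windows spellings that all name the same share (plain UNC, forward-slash UNC, the \\?\UNC\ and \\.\UNC\ prefixes, file:// URLs, and the @port WebDAV form) into one canonical form before deciding, which is the discipline a single textual test lacks. It assumes the MAPI named property PidLidReminderFileParameter, which Microsoft’s CVE-2023-23397 guidance identifies as the carrier of the reminder-sound path, and that exported records expose it under that key; the sample records and the 203.0.113.10 address are constructed (TEST-NET-3). It does not reproduce Barnea’s bypass string, which the page does not give.

```python
import re
from urllib.parse import urlparse, unquote

# Hosts that a MapUrlToZone-style check would treat as the local machine.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Documented Win32 prefixes that still resolve through UNC:
#   \\?\UNC\srv\share  and  \\.\UNC\srv\share
_UNC_PREFIX = re.compile(r"^\\\\[?.]\\UNC\\(.+)$", re.IGNORECASE)
# Plain UNC after normalisation: \\srv\share\...  (host may carry a WebDAV @port/@SSL suffix)
_UNC = re.compile(r"^\\\\([^\\]+)(?:\\|$)")

# Assumption: exported message records expose the reminder-sound property under this key
# (the MAPI named property PidLidReminderFileParameter, 0x851F).
REMINDER_PROP = "PidLidReminderFileParameter"


def remote_host(path):
    """Return the lower-cased host a Windows file open of `path` would contact,
    or None when the path stays on the local machine.

    Every spelling is folded to \\host\share form first: MapUrlToZone and the
    file-open code path do not necessarily agree on a raw string, so the
    decision is made on the canonical form rather than on the text as sent.
    """
    if not path:
        return None
    p = path.strip()
    if p.lower().startswith("file:"):
        u = urlparse(p)
        host = (u.hostname or "").lower()
        if host and host not in LOOPBACK_HOSTS:
            return host                        # file://srv/share/x.wav
        p = unquote(u.path)                    # file:////srv/share -> //srv/share
    p = p.replace("/", "\\")                   # Win32 accepts either separator
    m = _UNC_PREFIX.match(p)
    if m:
        p = "\\\\" + m.group(1)                # \\?\UNC\srv\share -> \\srv\share
    m = _UNC.match(p)
    if not m:
        return None                            # C:\..., relative paths
    host = m.group(1).split("@")[0].lower()    # \\srv@80\DavWWWRoot -> srv
    if not host or host in {"?", "."} or host in LOOPBACK_HOSTS:
        return None                            # \\?\C:\x.wav, \\.\pipe\x, \\localhost\...
    return host


def triage(records):
    """Return (message id, remote host) for every record whose reminder sound
    would be fetched from another machine. Legitimate reminder sounds are local
    .wav files, so every hit deserves a closer look."""
    hits = []
    for rec in records:
        host = remote_host(rec.get(REMINDER_PROP))
        if host:
            hits.append((rec["id"], host))
    return hits


# Constructed sample export, not real mailbox data. 203.0.113.10 is a TEST-NET-3 address.
SAMPLE_MESSAGES = [
    {"id": "msg-001", "subject": "Quarterly review", REMINDER_PROP: None},
    {"id": "msg-002", "subject": "Standup", REMINDER_PROP: r"C:\Windows\Media\Alarm01.wav"},
    {"id": "msg-003", "subject": "Invoice", REMINDER_PROP: r"\\203.0.113.10\share\remind.wav"},
    {"id": "msg-004", "subject": "Call", REMINDER_PROP: r"\\?\UNC\203.0.113.10\share\remind.wav"},
    {"id": "msg-005", "subject": "Sync", REMINDER_PROP: "file:////203.0.113.10/share/remind.wav"},
    {"id": "msg-006", "subject": "Lunch", REMINDER_PROP: r"\\localhost\c$\Windows\Media\Alarm01.wav"},
    {"id": "msg-007", "subject": "WebDAV", REMINDER_PROP: r"\\203.0.113.10@80\DavWWWRoot\remind.wav"},
]

if __name__ == "__main__":
    for msg_id, host in triage(SAMPLE_MESSAGES):
        print(f"{msg_id}: reminder sound would be fetched from {host}")
```

Only msg-002 and msg-006 are accepted as local; the four spellings of the same remote share are all flagged, which is the property a patch-side check needs and a hunting query should mirror. Treating a loopback UNC as local follows zone semantics; a stricter triage would flag any UNC at all, since a reminder sound has no business living on a share.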
