Microsoft shares guidance on detecting Outlook zero-day exploited by Russian hackers

Microsoft has released a detailed guide to help organizations detect the signs of abuse of a recently patched Outlook zero-day vulnerability said to have been exploited in attacks by Russia-linked state-sponsored hackers.

Tracked as CVE-2023-23397, the vulnerability is an elevation of privilege issue that allows a remote attacker to compromise the vulnerable system.

“A successful exploit of this vulnerability can result in unauthorized access to an organization’s environment by triggering a Net-NTLMv2 hash leak,” Microsoft explained in its advisory. “It is exploited when a threat actor delivers a specially crafted message to a user. This message includes the PidLidReminderFileParameter extended Messaging Application Programming Interface (MAPI) property, which must be set to a Universal Naming Convention (UNC) path share on a threat actor-controlled server (via Server message block (SMB)/transmission control protocol (TCP) port 445).”

“In exploitation of CVE-2023-23397, threat actors can specify the value for the PidLidReminderFileParameter in specially crafted messages to trigger a Net-NTLMv2 hash leak to threat actor-controlled servers.”

The flaw is said to have been exploited by the Russian state-backed hacker group Strontium (aka APT28, Fancy Bear) in attacks against a limited number of organizations in government, transportation, energy, and military sectors in Europe.

Microsoft says that all versions of Outlook for Windows are affected. Outlook for Android, iOS and macOS, as well as Outlook on the web (OWA) used without the Outlook desktop client, are not affected.

Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) released a new open source incident response tool named “Untitled Goose Tool” that helps detect signs of malicious activity in Microsoft Azure, Azure Active Directory, and Microsoft 365 cloud environments.
