Microsoft has published a detailed guide to help users detect signs of compromise caused by a recently patched Outlook zero-day vulnerability.
CVE-2023-23397 is an elevation-of-privilege vulnerability in Outlook for Windows that lets an attacker obtain a victim's Net-NTLMv2 hash (the NTLM challenge-response credential), which can then be cracked offline or relayed to another service to authenticate as that user. The attacker sends a message, calendar invitation or task whose reminder-sound property (the MAPI property PidLidReminderFileParameter) holds a UNC path to an SMB share the attacker controls; when the reminder fires, Outlook connects to that share and authenticates, so the victim does not need to open or even preview the item. Microsoft says the flaw has been exploited since at least April 2022 and was used to breach the networks of at least 15 organisations in Europe, including government, military, energy and transportation organisations.
Microsoft has provided several techniques to help users determine if credentials have been compromised due to the exploitation of the CVE-2023-23397 flaw.
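One of the checks Microsoft's guidance describes is scanning Exchange messaging items for a reminder-sound property that points at a remote path instead of a local file. The block below is an added example, not Microsoft's CVE-2023-23397.ps1 script: the property name PidLidReminderFileParameter is the real one the exploit sets, but the item records, field names and the sample paths are constructed. It also handles the less obvious path forms (`\\?\UNC\host\...`, forward-slash and `file://host/...` spellings) that still make Windows go over the network.

```python
"""Scan messaging items for a reminder-sound path that points at another host.

Added example, not Microsoft's CVE-2023-23397.ps1 script. The MAPI property
name PidLidReminderFileParameter is the real one the exploit abuses; the item
records and field names below are constructed sample data.
"""
import re
from typing import Iterable, Optional

# Constructed sample of exported items (a real export carries more fields).
SAMPLE_ITEMS = [
    {"id": "msg-001", "sender": "hr@corp.example", "subject": "Quarterly review",
     "PidLidReminderFileParameter": None},
    {"id": "msg-002", "sender": "it@corp.example", "subject": "Maintenance window",
     "PidLidReminderFileParameter": r"C:\Windows\Media\Alarm01.wav"},
    {"id": "msg-003", "sender": "noreply@invite.example", "subject": "Meeting",
     "PidLidReminderFileParameter": r"\\203.0.113.10\share\alert.wav"},
    {"id": "msg-004", "sender": "admin@corp.example", "subject": "Task",
     "PidLidReminderFileParameter": r"\\?\UNC\203.0.113.10\c$\alert.wav"},
    {"id": "msg-005", "sender": "x@evil.example", "subject": "Reminder",
     "PidLidReminderFileParameter": "file://203.0.113.10/share/alert.wav"},
    {"id": "msg-006", "sender": "y@corp.example", "subject": "Sync",
     "PidLidReminderFileParameter": "//fileserver.corp.example/media/ping.wav"},
]

# Path forms that make Windows resolve the file over the network rather than
# from local disk. Each pattern captures the host that would be contacted.
# Local drive paths (C:\...) and file:///C:/... (empty host) match none of them.
_REMOTE_PATH_PATTERNS = [
    re.compile(r"^\\\\\?\\UNC\\(?P<host>[^\\]+)(?:\\|$)", re.I),  # \\?\UNC\host\share
    re.compile(r"^\\\\(?P<host>[^\\?.][^\\]*)(?:\\|$)"),         # \\host\share
    re.compile(r"^//(?P<host>[^/]+)(?:/|$)"),                     # //host/share
    re.compile(r"^file://(?P<host>[^/]+)(?:/|$)", re.I),          # file://host/share
]


def remote_host(value: Optional[str]) -> Optional[str]:
    """Return the host a reminder-file path would make Outlook contact, or
    None for an empty value or a local path."""
    if not value:
        return None
    for pattern in _REMOTE_PATH_PATTERNS:
        match = pattern.match(value.strip())
        if match:
            return match.group("host")
    return None


def scan_items(items: Iterable[dict]) -> list:
    """Return (item id, sender, host, raw value) for every item whose reminder
    sound points at a remote host. Every hit deserves review: a legitimate
    reminder sound is a local file, and an internal host can be an attacker's
    foothold or relay target rather than a real file server."""
    hits = []
    for item in items:
        value = item.get("PidLidReminderFileParameter")
        host = remote_host(value)
        if host:
            hits.append((item["id"], item["sender"], host, value))
    return hits


if __name__ == "__main__":
    for item_id, sender, host, value in scan_items(SAMPLE_ITEMS):
        print(f"{item_id}: sender={sender} host={host} value={value}")
```

On the constructed data, msg-003 to msg-006 are flagged and the two items with no value or a local `.wav` are not. The sender and host of each hit are the pivot into the network logs: the host is where the victim's NTLM authentication went.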
Microsoft has also issued guidelines to block future attacks aimed at exploiting the vulnerability, urging organisations to install the recently released Outlook security update.
Other measures that organisations can take to limit attackers' post-exploitation activity include applying the latest security updates to on-premises Exchange Servers, resetting the passwords of any user who received a suspicious reminder (and of any other accounts that were logged in to that user's computer), and starting incident response.
In addition to telemetry extracted from sources such as firewall, proxy, VPN, and RDP Gateway logs, Microsoft also recommends checking forensic endpoint data like Windows event logs and endpoint telemetry from endpoint detection and response (EDR) solutions.
Microsoft has also suggested limiting SMB traffic by blocking connections on ports 135 and 445 from all inbound IP addresses except those on a controlled allowlist, disabling unnecessary services on Exchange, and disabling NTLM in the environment. Because the exploit depends on the victim's Outlook connecting out to the attacker's share, Microsoft's advisory additionally recommends blocking outbound TCP 445 at the perimeter firewall, on local host firewalls and in VPN client settings, and adding high-value accounts to the Protected Users security group, whose members cannot authenticate with NTLM at all.
Microsoft attributes the attacks to the Russia-based group it tracks as STRONTIUM, also known as APT28, Sednit, Sofacy and Fancy Bear, which has previously been linked to Russia's military intelligence service, the GRU.