Microsoft on Friday shared steering to assist clients uncover indicators of compromise (IoCs) related to a just lately patched Outlook vulnerability.
Tracked as CVE-2023-23397 (CVSS rating: 9.8), the critical flaw pertains to a case of privilege escalation that might be exploited to steal NT Lan Supervisor (NTLM) hashes and stage a relay attack with out requiring any person interplay.
„Exterior attackers may ship specifically crafted emails that can trigger a connection from the sufferer to an untrusted location of attackers‘ management,“ the corporate noted in an advisory launched this month.
„This can leak the Net-NTLMv2 hash of the sufferer to the untrusted community which an attacker can then relay to a different service and authenticate because the sufferer.“
The vulnerability was resolved by Microsoft as a part of its Patch Tuesday updates for March 2023, however not earlier than Russia-based risk actors weaponized the flaw in assaults focusing on authorities, transportation, vitality, and army sectors in Europe.
Microsoft’s incident response workforce mentioned it discovered proof of potential exploitation of the shortcoming as early as April 2022.
In a single assault chain described by the tech big, a profitable Internet-NTLMv2 Relay assault enabled the risk actor to achieve unauthorized entry to an Change Server and modify mailbox folder permissions for persistent entry.
The compromised e-mail account was then used to increase the adversary’s entry throughout the compromised atmosphere by sending extra malicious messages to focus on different members of the identical group.
„Whereas leveraging NTLMv2 hashes to achieve unauthorized entry to sources just isn’t a brand new method, the exploitation of CVE-2023-23397 is novel and stealthy,“ Microsoft said.
„Organizations ought to overview SMBClient occasion logging, Course of Creation occasions, and different accessible community telemetry to establish potential exploitation through CVE-2023-23397.“
The disclosure comes because the U.S. Cybersecurity and Infrastructure Safety Company (CISA) released a brand new open supply incident response instrument that helps detect indicators of malicious exercise in Microsoft cloud environments.
Dubbed Untitled Goose Tool, the Python-based utility provides „novel authentication and information gathering strategies“ to research Microsoft Azure, Azure Lively Listing, and Microsoft 365 environments, the company mentioned.
Earlier this 12 months, Microsoft additionally urged customers to maintain their on-premises Change servers up to date in addition to take steps to bolster their networks to mitigate potential threats.