Russian APT28 Exploits Outlook Bug to Access Exchange

Cyber Security Threat Summary:
Microsoft issued a warning regarding the exploitation of CVE-2023-23397 by APT28, a Russian state-sponsored group. The targeted entities include government, energy, transportation, and other key organizations in the United States, Europe, and the Middle East. CVE-2023-23397 was first disclosed and patched as a zero-day bug in Microsoft's March 2023 Patch Tuesday update round. It was described as a critical elevation-of-privilege vulnerability in Outlook with a CVSS score of 9.8. This critical vulnerability in Microsoft Outlook allowed remote code execution without user interaction, impacting all supported versions of Outlook for Windows. APT28 leveraged this flaw to compromise Exchange servers and gain unauthorized access to email accounts. Of particular concern is the vulnerability's trigger mechanism, which executed upon the email's retrieval by the server, potentially compromising a user's system before they even previewed the email in the Outlook Preview Pane.

Security Officer Comments:
Notably, Microsoft suspects APT28 might have exploited this vulnerability for nearly a year before it was patched in March 2023. Additionally, Microsoft issued warnings about the possibility of APT28 exploiting other known vulnerabilities, such as CVE-2023-38831 and CVE-2021-40444. The tech firm also acknowledged collaborative efforts with the Polish Cyber Command in helping detect and stop the attacks.

Suggested Correction(s):
The recommended actions to take right now, listed by priority, are the following:

  • Apply the available security updates for CVE-2023-23397 and its bypass CVE-2023-29324.
  • Use this script by Microsoft to check if any Exchange users have been targeted.
  • Reset passwords of compromised users and enable MFA (multi-factor authentication) for all users.
  • Limit SMB traffic by blocking connections to ports 135 and 445 from all inbound IP addresses. Disable NTLM on your environment.
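The last two steps (port blocking and NTLM restriction) as a PowerShell script, added here as an example; it is not Microsoft's check script or the page's own code. It goes slightly beyond the list by also blocking outbound TCP 135/445, since the SMB connection a victim host opens is where leaked credentials would travel; the rule names and the -AuditOnly switch are this example's own choices, and the registry value corresponds to the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy.

```powershell
#Requires -RunAsAdministrator
# Added hardening example (constructed, not Microsoft's script).
# Assumes a Windows host with the NetSecurity module (Windows 8 / Server 2012 or later).
param([switch]$AuditOnly)   # -AuditOnly: report current state, change nothing

$Ports = 135, 445
$Directions = @(
    @{ Dir = 'Inbound';  PortParam = 'LocalPort';  Suffix = 'In'  }   # what the advisory lists
    @{ Dir = 'Outbound'; PortParam = 'RemotePort'; Suffix = 'Out' }   # victim-initiated SMB/RPC
)

foreach ($d in $Directions) {
    foreach ($p in $Ports) {
        $name = "Harden-SMB-RPC-$($d.Suffix)-TCP-$p"   # example's own naming scheme
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Write-Host "present : $name"
            continue
        }
        if ($AuditOnly) { Write-Host "missing : $name"; continue }
        # Inbound rules match on the local port, outbound rules on the remote port.
        $args = @{ DisplayName = $name; Direction = $d.Dir; Protocol = 'TCP'
                   Action = 'Block'; Profile = 'Any'; $($d.PortParam) = $p }
        New-NetFirewallRule @args | Out-Null
        Write-Host "created : $name"
    }
}

# Outgoing NTLM restriction: 0 = allow all, 1 = audit all, 2 = deny all.
# Audit (1) first on a pilot group; legacy services that still need NTLM will
# show up in the Security log before the deny setting breaks them.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$cur = (Get-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic `
            -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
$shown = if ($null -eq $cur) { 'not set (allow all)' } else { $cur }
Write-Host "RestrictSendingNTLMTraffic currently: $shown"

if (-not $AuditOnly -and $cur -ne 2) {
    # Set-ItemProperty creates the DWORD value if it does not exist yet.
    Set-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic -Value 2 -Type DWord
    Write-Host 'RestrictSendingNTLMTraffic set to 2 (deny all outgoing NTLM)'
}
```

Run it once with -AuditOnly to see which rules and settings are missing before applying changes fleet-wide.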