Microsoft has patched a critical Outlook zero-day vulnerability (CVE-2023-23397) exploited by a hacking group linked to Russia's military intelligence service GRU to target European organizations. The vulnerability was exploited in attacks to target and breach the networks of fewer than 15 government, military, energy, and transportation organizations between mid-April and December 2022.
The hacking group sent malicious Outlook notes and tasks to steal NTLM hashes via NTLM negotiation requests by forcing the targets’ devices to authenticate to attacker-controlled SMB shares. The stolen credentials were used for lateral movement within the victims' networks and to change Outlook mailbox folder permissions, a tactic allowing for email exfiltration for specific accounts.
Microsoft recommends patching CVE-2023-23397 immediately to thwart incoming attacks. Where patching is not immediately possible, the company also advises adding users to the Protected Users group in Active Directory and blocking outbound SMB (TCP port 445). Microsoft also released a dedicated PowerShell script to help admins check whether any users in their Exchange environment have been targeted using this Outlook vulnerability. As Microsoft explains, "The connection to the remote SMB server sends the user's NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication."
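The observable side effect described above, a workstation opening an outbound SMB connection (TCP 445) to an address outside the organisation, is something perimeter firewall logs record. The following is an added detection example, not Microsoft's script or any code from the article: it parses a constructed firewall log format (the line layout, the sample addresses, and the assumed internal ranges are all illustrative) and flags internal hosts that reached TCP 445 on an external address. Blocked attempts can optionally be included, since a BLOCK on outbound 445 from a user workstation is itself worth triage: the mitigation worked, but the host may have received the malicious item.

```python
import ipaddress
import re

# Address space treated as "internal" in this example (RFC 1918 plus loopback).
# Assumption for illustration; substitute the organisation's own ranges.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

SMB_PORT = 445

# Constructed sample firewall log lines (not taken from the article or any real network).
# Assumed layout: "<timestamp> <ALLOW|BLOCK> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2022-11-03T09:12:40Z ALLOW TCP 10.0.5.21:50122 -> 10.0.1.10:445
2022-11-03T09:12:44Z ALLOW TCP 10.0.5.21:51234 -> 203.0.113.9:445
2022-11-03T09:13:02Z ALLOW TCP 10.0.5.30:49801 -> 198.51.100.7:443
2022-11-03T09:14:10Z BLOCK TCP 10.0.5.21:51240 -> 203.0.113.9:445
2022-11-03T09:15:00Z ALLOW UDP 10.0.5.22:53000 -> 10.0.1.5:53
2022-11-03T09:16:30Z ALLOW TCP 198.51.100.7:40000 -> 10.0.1.10:445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|BLOCK)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def is_internal(ip_str: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def find_external_smb(lines, include_blocked: bool = False):
    """Return events where an internal host connected to TCP/445 on an external address.

    Inbound traffic and connections to internal file servers are normal SMB use
    and are ignored. BLOCK events are only reported when include_blocked is set.
    """
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed or unrelated lines
        if ev["proto"] != "TCP" or ev["dport"] != SMB_PORT:
            continue
        if not is_internal(ev["src"]) or is_internal(ev["dst"]):
            continue  # only internal -> external matters here
        if ev["action"] == "BLOCK" and not include_blocked:
            continue
        findings.append(ev)
    return findings


def summarize(findings):
    """Collapse findings to one entry per source host with its external targets."""
    by_src = {}
    for ev in findings:
        by_src.setdefault(ev["src"], set()).add(ev["dst"])
    return {src: sorted(dsts) for src, dsts in by_src.items()}


if __name__ == "__main__":
    hits = find_external_smb(SAMPLE_LOG.splitlines(), include_blocked=True)
    for src, dsts in summarize(hits).items():
        print(f"{src} -> outbound TCP/445 to external: {', '.join(dsts)}")
```

Hosts returned by `find_external_smb` are candidates for the Exchange-side check Microsoft's script performs, and for credential rotation, since any NTLM negotiation that did leave the network may have been relayed.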