Russian APT28 Hackers Exploit Outlook Flaw to Hijack Exchange Accounts

December 4, 2023

Microsoft's Threat Intelligence team has issued an alert about the Russian state-sponsored actor APT28, also known as Fancybear or Strontium, exploiting the CVE-2023-23397 Outlook flaw to hijack Microsoft Exchange accounts and steal sensitive information.

The targeted entities include government, energy, transportation, and other critical organizations in the United States, Europe, and the Middle East. APT28 has also been exploiting other vulnerabilities with publicly available exploits in the same attacks, including CVE-2023-38831 in WinRAR and CVE-2021-40444 in Windows MSHTML.

The CVE-2023-23397 is a critical elevation of privilege (EoP) vulnerability in Outlook on Windows, which Microsoft addressed as a zero-day in March 2023. The revelation that APT28 had been exploiting it since April 2022 came with the disclosure of the flaw. The group used specially crafted Outlook notes to steal NTLM hashes, forcing the target devices to authenticate to attacker-controlled SMB shares without requiring user interaction.

By elevating their privileges on the system, which was proven uncomplicated, APT28 was able to perform lateral movement in the victim's environment and change Outlook mailbox permissions to carry out targeted email theft. Despite the release of security updates and mitigation recommendations, the attack surface remained significant, and a bypass of the fix (CVE-2023-29324) that followed in May exacerbated the situation.

Recorded Future warned in June that APT28 likely used the Outlook flaw against key Ukrainian organizations. In October, the French cybersecurity agency (ANSSI) revealed that the Russian hackers had utilized the zero-click attack against their critical networks.

Microsoft's latest warning emphasizes that the GRU hackers continue to leverage CVE-2023-38831 in attacks, indicating that there are still systems that remain vulnerable to the critical EoP flaw. The tech firm also acknowledged the efforts of the Polish Cyber Command Center (DKWOC) in helping detect and stop the attacks. DKWOC also published a post describing APT28 activity that leverages CVE-2023-38831.

The recommended action to take at this time, listed by priority, is to reduce the attack surface across all interfaces and ensure all software products are regularly updated with the latest security patches. Given that APT28 is a highly resourceful and adaptive threat group, this is considered the most effective defense strategy.

Related News

• Russian APT29 Group Exploits WinRAR Vulnerability and Ngrok Feature in Cyberattacks
• DarkCasino: A New APT Threat Leveraging WinRAR Vulnerability
• Russian APT28 Hackers Breach Critical Networks in France
• State-Backed Hackers Exploit WinRAR Vulnerability: A Google TAG Report
• Pro-Russian Cybercriminals Exploit WinRAR Vulnerability in New Phishing Campaign

Latest News

• Fake WordPress Security Alert Used to Distribute Malicious Plugin
• Emerging P2PInfect Botnet MIPS Variant Targets Routers and IoT Devices
• Over 20,000 Microsoft Exchange Servers at Risk Due to Unsupported Software
• CISA Catalogs Exploited Vulnerabilities in ownCloud and Google Chrome
• Apple Rushes to Patch Two Zero-Day Vulnerabilities in Emergency Updates