Microsoft warns of an Outlook vulnerability that is reportedly being used in targeted attacks. With the March 2023 Patch Tuesday updates, Microsoft released a fix for the zero-day vulnerability tracked as CVE-2023-23397.
Specifically, in an attack chain described by Microsoft's experts, the vulnerability allowed attackers to gain unauthorized access to an Exchange server and change email folder permissions in order to maintain persistent access.
What is CVE-2023-23397?
CVE-2023-23397 is an Elevation of Privilege vulnerability: it could allow an attacker to use a specially crafted email to force the victim's device to connect to a remote URL, to which the Net-NTLMv2 hash of the compromised Windows account is then transmitted.
Microsoft has also published a PowerShell script that lets administrators check their Exchange servers for traces of compromise from attacks that have already taken place. A “negative” result from the script does not guarantee that one's systems have not been compromised.
Analyze All Server Activity
For this reason, Microsoft itself recommends carefully analyzing server activity by reviewing the logs of firewalls, proxies, and any VPN or Remote Desktop Protocol (RDP) services.
At the same time, it is also useful to check for signs of compromise on endpoints in your organization by analyzing Windows event logs and, where available, telemetry from endpoint detection and response (EDR) solutions.
In any case, it is important to install the update for CVE-2023-23397 as soon as possible. In the same security bulletin, Microsoft also suggests some risk mitigation measures to prevent exploitation of the vulnerability.
What can you do?
Should a user be compromised, it is important to reset the passwords of all accounts associated with the computers the user has interacted with, and to initiate the necessary incident response activities.
- It is important to always enable multi-factor authentication to mitigate the impact of potential Net-NTLMv2 attacks.
- Disable unnecessary services on Exchange.
- Limit SMB traffic by blocking connections on ports 135 and 445 from all incoming IP addresses except those on a controlled allow list.
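The log review recommended above and the 135/445 allow list can be combined into one check: flag every firewall log entry where an internal host reaches TCP 135 or 445 on a destination that is neither internal nor explicitly allowed. This is an added example, not Microsoft's script; the key=value log format, the sample lines and the assumption that internal address space is the RFC 1918 ranges are constructed for illustration.

```python
"""Added example (not Microsoft's script): flag outbound TCP 135/445 connections
from internal hosts to destinations outside an allow list in firewall log lines,
the egress path over which a crafted email leaks a Net-NTLMv2 hash."""
import ipaddress
import re
from collections import Counter

WATCHED_PORTS = {135, 445}
# Assumption: the organisation's internal address space is the RFC 1918 blocks.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample export (key=value format is invented); 203.0.113.x,
# 198.51.100.x and 192.0.2.x are documentation ranges standing in for Internet hosts.
SAMPLE_LOG = """\
2023-03-14T09:12:03Z src=10.20.5.17 dst=10.20.5.2 dport=445 action=allow
2023-03-14T09:12:09Z src=10.20.5.17 dst=203.0.113.44 dport=445 action=allow
2023-03-14T09:13:41Z src=10.20.7.90 dst=198.51.100.8 dport=135 action=allow
2023-03-14T09:14:02Z src=10.20.7.90 dst=198.51.100.9 dport=443 action=allow
2023-03-14T09:15:30Z src=10.20.5.17 dst=203.0.113.44 dport=445 action=deny
2023-03-14T09:16:12Z src=10.20.9.3 dst=192.0.2.10 dport=445 action=allow
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) action=(?P<action>\w+)$")

def find_suspicious_egress(log_text, allowed_hosts=()):
    """One finding per 135/445 connection whose destination is neither internal nor
    allow-listed. Denied attempts are kept: a block still shows the endpoint tried."""
    allowed = {ipaddress.ip_address(h) for h in allowed_hosts}
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) not in WATCHED_PORTS:
            continue
        dst = ipaddress.ip_address(m["dst"])
        if dst in allowed or any(dst in net for net in INTERNAL_NETS):
            continue
        findings.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                         "dport": int(m["dport"]), "action": m["action"]})
    return findings

def hosts_to_triage(findings):
    """Findings per source host: these endpoints need event-log and EDR review."""
    return Counter(f["src"] for f in findings)

if __name__ == "__main__":
    hits = find_suspicious_egress(SAMPLE_LOG, allowed_hosts=["192.0.2.10"])
    for f in hits:
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']} ({f['action']})")
    print("hosts to triage:", dict(hosts_to_triage(hits)))
```

Every flagged source host is a candidate for the endpoint-side review described above, whether or not the firewall allowed the connection.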