February 15, 2024 at 12:21AM
Microsoft has confirmed active exploitation of a critical security flaw in Exchange Server, allowing attackers to gain privileges and execute operations. It has released patches to address this and other vulnerabilities in its Patch Tuesday updates. Threat actors, including APT28, have a history of exploiting such flaws for NTLM relay attacks.
Based on the meeting notes, the key takeaways are:
1. Microsoft has acknowledged a critical security flaw in Exchange Server, tracked as CVE-2024-21410, which has been actively exploited in the wild. This flaw enables privilege escalation impacting the Exchange Server.
2. The issue involves leaking NTLM credentials, which can then be relayed against the Exchange server to gain privileges and perform operations on the server on the victim’s behalf.
3. Details about the nature of the exploitation and the identity of the threat actors are currently unknown, but Russian state-affiliated hacking crews such as APT28 have a history of exploiting flaws in Microsoft Outlook for NTLM relay attacks.
4. Microsoft has also released updates to address other critical flaws, including CVE-2024-21351 and CVE-2024-21412, which have been actively weaponized in real-world attacks.
5. CVE-2024-21412 enables a bypass of Windows SmartScreen protections and has been attributed to an advanced persistent threat dubbed Water Hydra.
6. Another critical shortcoming affecting Outlook, CVE-2024-21413, has been addressed in Microsoft’s Patch Tuesday update, which could result in remote code execution.
These takeaways provide a clear summary of the security vulnerabilities discussed in the meeting.