December 4, 2023 at 03:19PM
Microsoft warns of APT28 exploiting a critical Outlook flaw, CVE-2023-23397, to hijack Exchange accounts, targeting governmental and key sectors in the US, Europe, and the Middle East. The attacks, using various vulnerabilities, have been ongoing since April 2022. Urgent mitigation includes applying security updates and enabling MFA.
Meeting Takeaways:
1. Warning Issued: Microsoft’s Threat Intelligence team warned about Russian state-sponsored actor APT28 exploiting a vulnerability (CVE-2023-23397) in Microsoft Outlook to hijack accounts and steal information.
2. Targeted Organizations: The attackers are targeting government, energy, transportation, and other essential organizations in the US, Europe, and the Middle East.
3. Additional Exploits: APT28 is also exploiting other vulnerabilities with available exploits, specifically CVE-2023-38831 in WinRAR and CVE-2021-40444 in Windows MSHTML.
7. CVE-2023-23397 Details: The flaw, fixed in the March 2023 Patch Tuesday release, is an elevation of privilege vulnerability that APT28 has exploited since April 2022, allowing the group to move laterally and modify Outlook mailbox permissions in order to steal email.
8. Attack Persistence: Despite patches and mitigation strategies, the attacks persist, and a bypass of the original fix (CVE-2023-29324) identified in May increases the risk.
6. Previous Attacks: Recorded Future and ANSSI reported previous APT28 attacks using this exploit against Ukrainian organizations and French networks.
7. Ongoing Attacks: Microsoft confirms attacks using CVE-2023-38831 continue, indicating vulnerable systems remain.
11. Polish Cyber Command Center Involvement: The Polish Cyber Command (DKWOC) is actively helping to detect and prevent APT28 attacks and has shared its insights.
9. Action Steps Recommended:
– Apply security patches for CVE-2023-23397 and its bypass CVE-2023-29324.
– Use Microsoft’s provided script to identify targeted Exchange users.
– Reset passwords for compromised accounts and enable MFA for all users.
– Limit SMB traffic by blocking inbound connections on TCP ports 135 and 445.
– Disable NTLM in the environment.
10. Defense Strategy: To counteract APT28’s capabilities, it’s imperative to minimize the attack surface on all interfaces and ensure all software is up-to-date with security patches.
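The network and NTLM steps in the action list above can be applied and verified from an elevated PowerShell session. The following is an added example written for this summary; it is not Microsoft's detection script and not code from the article. It assumes a Windows host with the built-in NetSecurity module, and the firewall rule display name is a constructed placeholder. Blocking inbound 445 on a file server or domain controller breaks legitimate SMB, so scope the firewall rule to workstations and edge hosts, and leave the NTLM policy in audit mode until the Microsoft-Windows-NTLM/Operational log shows no required NTLM use.

```powershell
#Requires -RunAsAdministrator
# Added hardening helper for the mitigation steps listed above (example code).
# Assumes Windows with the NetSecurity module; rule name below is constructed.

function Block-InboundSmbRpc {
    # Creates a single inbound block rule for TCP 135 (RPC endpoint mapper)
    # and TCP 445 (SMB). Idempotent: re-running does not duplicate the rule.
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$RuleName = 'Block inbound TCP 135/445 (Outlook/NTLM relay mitigation)'
    )

    $existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Verbose "Rule '$RuleName' already present; nothing to do."
        return $existing
    }
    if ($PSCmdlet.ShouldProcess($RuleName, 'Create inbound block rule')) {
        New-NetFirewallRule -DisplayName $RuleName `
            -Direction Inbound -Protocol TCP -LocalPort 135, 445 `
            -Action Block -Profile Any -Enabled True
    }
}

function Set-NtlmRestriction {
    # Writes the Lsa\MSV1_0 values that the "Network security: Restrict NTLM"
    # Group Policy settings control. Audit mode records NTLM use without
    # blocking it; Deny mode refuses outgoing and incoming NTLM entirely.
    # LmCompatibilityLevel 5 additionally refuses LM and NTLMv1 responses.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('Audit', 'Deny')]
        [string]$Mode = 'Audit'
    )

    $msv1 = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    $values = if ($Mode -eq 'Deny') {
        @{ RestrictSendingNTLMTraffic = 2; RestrictReceivingNTLMTraffic = 2 }
    } else {
        # 1 = audit outgoing NTLM; 2 = audit incoming NTLM for all accounts
        @{ RestrictSendingNTLMTraffic = 1; AuditReceivingNTLMTraffic = 2 }
    }

    if (-not (Test-Path $msv1)) { New-Item -Path $msv1 -Force | Out-Null }
    foreach ($name in $values.Keys) {
        if ($PSCmdlet.ShouldProcess("$msv1\$name", "Set to $($values[$name])")) {
            Set-ItemProperty -Path $msv1 -Name $name -Value $values[$name] -Type DWord
        }
    }
    if ($PSCmdlet.ShouldProcess("$lsa\LmCompatibilityLevel", 'Set to 5')) {
        Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
    }
}

function Get-NtlmRestrictionState {
    # Reads back the effective values so the change can be verified, or
    # collected across hosts before and after a rollout.
    $msv1 = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
    $lsa  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    [pscustomobject]@{
        ComputerName                 = $env:COMPUTERNAME
        RestrictSendingNTLMTraffic   = $msv1.RestrictSendingNTLMTraffic
        RestrictReceivingNTLMTraffic = $msv1.RestrictReceivingNTLMTraffic
        AuditReceivingNTLMTraffic    = $msv1.AuditReceivingNTLMTraffic
        LmCompatibilityLevel         = $lsa.LmCompatibilityLevel
    }
}

# Typical rollout: preview, apply the firewall rule, start NTLM in audit mode,
# then review the Microsoft-Windows-NTLM/Operational log before moving to Deny.
Block-InboundSmbRpc -WhatIf
Block-InboundSmbRpc
Set-NtlmRestriction -Mode Audit
Get-NtlmRestrictionState | Format-List
```

Run `Set-NtlmRestriction -Mode Deny` only after the audit period shows no legitimate NTLM dependencies; the registry values here are the same ones Group Policy writes, so a domain GPO will overwrite local changes at the next refresh and is the better place to enforce them fleet-wide.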