December 5, 2023 at 03:12AM
Microsoft identified activity by the Russian state-sponsored threat group Forest Blizzard (also tracked as APT28, among other names) exploiting a critical Outlook vulnerability, CVE-2023-23397, to gain access to mailboxes hosted on Exchange servers. The group targeted a range of sectors and used the bug first to obtain and then to maintain unauthorized mailbox access. Microsoft patched the vulnerability in March 2023.
Meeting Takeaways:
1. A critical vulnerability (CVE-2023-23397) in Microsoft Outlook for Windows was exploited by Kremlin-backed hackers, tracked by Microsoft as Forest Blizzard (and by other vendors as APT28, BlueDelta, Fancy Bear, FROZENLAKE, Iron Twilight, Sednit, Sofacy), to gain unauthorized access to user mailboxes on Exchange servers.
2. The flaw is an elevation-of-privilege bug: a specially crafted message causes Outlook to authenticate to an attacker-controlled server with no user interaction, leaking the user’s Net-NTLMv2 hash. That hash can then be relayed in an NTLM relay attack to authenticate to other services, including Exchange, as the victim. Microsoft patched the vulnerability in March 2023.
3. The Polish Cyber Command reported that the attackers targeted mailboxes of both public and private entities in Poland and modified mailbox folder permissions, granting read access on folders such as the Inbox to the built-in Default (all authenticated users) or Anonymous principals, so that mailbox contents could still be read even after the initially stolen access was lost.
4. Microsoft had previously reported that the vulnerability had been weaponized as a zero-day since April 2022 in attacks targeting European government, transportation, energy, and military sectors.
5. Recorded Future detailed a spear-phishing campaign by APT28 that exploited vulnerabilities including CVE-2023-23397 to install the CredoMap malware; the French National Cybersecurity Agency (ANSSI) attributed similar attacks on a variety of targets to the same group.
6. Forest Blizzard is attributed to Unit 26165 of the Russian Federation’s GRU and is known for sophisticated tradecraft and continual refinement of its malware arsenal, which complicates attribution and tracking.
7. The ubiquity of Microsoft Outlook in corporate environments makes it a prime target and a major entry point for attacks, as Check Point emphasized.
8. A separate, unrelated report by The Guardian described claims of “sleeper malware” breaches at the Sellafield nuclear waste site in the U.K. by Russian and Chinese hackers as far back as 2015, a claim the U.K. government has not corroborated.
Recommendations:
1. Organizations using Microsoft Outlook must confirm that the March 2023 security update for CVE-2023-23397 has been applied to every Outlook for Windows installation, and should run Microsoft’s published CVE-2023-23397 audit script against their Exchange messaging items (mail, calendar, and task items) to identify messages that may already have triggered the flaw. As defense in depth, block outbound SMB (TCP port 445) at the perimeter and host firewalls and add high-value accounts to the Protected Users security group, which prevents NTLM authentication for those accounts.
2. Organizations should review mailbox folder permissions on their Exchange servers (and in Exchange Online), looking in particular for the Default or Anonymous principals holding anything beyond their normal rights, and should monitor for unexpected permission changes so that this persistence technique is detected and removed.
3. Continuous vigilance and updated cybersecurity measures should be maintained to protect against evolving threat actor tactics.
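The folder-permission audit recommended above, covering the persistence technique described in takeaway 3, can be run from an Exchange Management Shell or Exchange Online PowerShell session. The script below is an added example written for this summary; it is not Microsoft’s audit script and not code from any of the cited reports. It assumes the account running it can read mailbox folder permissions, and the allowed-rights baseline (free/busy rights on the Calendar, none elsewhere) is an assumption that should be adjusted to the organization’s own norms.

```powershell
# Added example (not from the original article): audit Exchange mailbox folder
# permissions for the persistence technique described above, where an attacker
# grants broad rights on a folder (typically the Inbox) to the special
# "Default" (all authenticated users) or "Anonymous" principals so the mailbox
# can be read without the owner's credentials.
#
# Assumptions: run in Exchange Management Shell (on-premises) or an Exchange
# Online PowerShell session with rights to read mailbox folder permissions.
# The allowed-rights baseline below is an assumption; adjust it to your norms.

# Principals that should normally hold no rights beyond the defaults.
$WatchedUsers = @('Default', 'Anonymous')

# Rights that are acceptable for those principals. "AvailabilityOnly" and
# "LimitedDetails" are the normal free/busy settings on the Calendar folder;
# "None" is the normal setting everywhere else. Anything else is reported.
$AllowedRights = @('None', 'AvailabilityOnly', 'LimitedDetails')

# Folder types worth checking. The reported campaign altered Inbox
# permissions, but the same change works on any folder, so the root and the
# other well-known folders are included too.
$FolderTypes = @('Root', 'Inbox', 'SentItems', 'DeletedItems', 'Drafts', 'Calendar')

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Enumerate the actual folders per mailbox instead of hard-coding "\Inbox",
    # because well-known folder names are localized in non-English mailboxes.
    $folders = Get-MailboxFolderStatistics -Identity $mbx.Identity |
        Where-Object { $_.FolderType -in $FolderTypes }

    foreach ($folder in $folders) {
        # Get-MailboxFolderPermission identities use the "alias:\Path" form.
        # FolderPath is returned with forward slashes (e.g. "/Inbox"), so
        # convert them; the mailbox root is addressed as "alias:\".
        if ($folder.FolderType -eq 'Root') {
            $path = '\'
        } else {
            $path = $folder.FolderPath -replace '/', '\'
        }
        $identity = "$($mbx.Alias):$path"

        Get-MailboxFolderPermission -Identity $identity -ErrorAction SilentlyContinue |
            Where-Object {
                # Keep entries for the watched principals that hold at least one
                # right outside the allowed baseline.
                ($_.User.DisplayName -in $WatchedUsers) -and
                (($_.AccessRights | Where-Object { $_ -notin $AllowedRights }).Count -gt 0)
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Mailbox      = $mbx.PrimarySmtpAddress
                    Folder       = $path
                    Principal    = $_.User.DisplayName
                    AccessRights = ($_.AccessRights -join ',')
                }
            }
    }
}

# Show the suspicious entries for review and keep a CSV copy for the
# incident record. An empty result means no watched principal holds rights
# beyond the baseline on the checked folders.
$findings | Sort-Object Mailbox, Folder | Format-Table -AutoSize
$findings | Export-Csv -Path .\folder-permission-findings.csv -NoTypeInformation
```

Each finding should be verified with the mailbox owner before removal, since a few legitimate shared mailboxes do grant Default read access on purpose; for everything else, the permission is removed with Remove-MailboxFolderPermission (or reset with Set-MailboxFolderPermission) and the mailbox treated as compromised, because the change itself implies that the attacker already held the owner’s credentials or a relayed session at some point.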