Security researchers have disclosed details of a critical Microsoft Outlook for Windows vulnerability (CVE-2023-23397) that lets a remote attacker steal a target's NTLM credentials (a Net-NTLMv2 challenge response, not the password itself) simply by sending them an email.
Microsoft released a fix for the flaw yesterday, but it has been exploited as a zero-day in NTLM relay attacks since at least mid-April 2022.
The vulnerability, which Microsoft classifies as an elevation of privilege and rates 9.8 (critical) on the CVSS scale, affects all supported versions of Outlook for Windows.
An attacker can trigger it with a crafted email and capture the target's NTLM credentials. No user interaction is required: exploitation happens automatically while Outlook is running, at the moment the reminder attached to the message fires.
Windows New Technology LAN Manager (NTLM) is a challenge-response authentication protocol for Windows domains in which the client proves knowledge of the user's password hash without sending the password itself.
NTLM has well-known weaknesses, yet it remains enabled on new systems for backward compatibility with older ones.
When a client accesses a shared resource such as an SMB share, the server sends a random challenge and the client replies with a response computed from its NTLM password hash. An attacker who captures that exchange can relay it to another service that accepts NTLM authentication, or attempt to crack the password offline.
Microsoft said an attacker can exploit CVE-2023-23397 to collect NTLM hashes by sending "a message with an extended MAPI attribute with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server".
The connection to the remote SMB server sends the user's NTLM negotiation message, which the attacker can then relay to authenticate against other systems that support NTLM authentication. (Source: Microsoft)
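To make concrete what the "NTLM negotiation message" and the "hashes" in the paragraphs above actually are, the following Python is an added example (it is not code from the article, from Microsoft or from MDSec). It computes an NTLMv2 response the way a Windows client does when it hits the attacker's SMB share, then plays the rogue server's side: cracking the captured response offline with a wordlist. The user name, domain, server challenge, client blob, password and wordlist are all constructed for the demo; MD4 is implemented inline because hashlib builds on OpenSSL 3 often lack it.

```python
"""NTLMv2 exchange as captured by a rogue SMB server, and offline cracking
of the result.  Added example for this article; not Microsoft's, MDSec's or
the original page's code.  All sample values below are made up."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); NT hashes are MD4 of the UTF-16LE password."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK

    # (round function, message-word order, shift amounts, additive constant)
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, order, shifts, add in rounds:
            for i, k in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[k] + add) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate registers: next step updates "d"
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash: what the domain controller stores and what pass-the-hash needs."""
    return md4(password.encode("utf-16le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTLMv2 key (NTOWFv2 in MS-NLMP): HMAC-MD5 keyed with the NT hash over
    the upper-cased user name followed by the domain, both UTF-16LE."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"),
                    hashlib.md5).digest()


def ntlmv2_response(password, user, domain, server_challenge: bytes, blob: bytes) -> bytes:
    """What the client sends in its AUTHENTICATE message: NTProofStr || blob.
    Note that the NT hash itself never leaves the client."""
    proof = hmac.new(ntowf_v2(password, user, domain), server_challenge + blob,
                     hashlib.md5).digest()
    return proof + blob


def crack_response(user, domain, server_challenge, response, wordlist):
    """Attacker side.  The rogue server chose the challenge and learned the
    user/domain from the AUTHENTICATE message, so each guess costs one MD4
    and two HMAC-MD5s.  Returns the recovered password or None."""
    proof, blob = response[:16], response[16:]
    for guess in wordlist:
        cand = hmac.new(ntowf_v2(guess, user, domain), server_challenge + blob,
                        hashlib.md5).digest()
        if hmac.compare_digest(cand, proof):
            return guess
    return None


# Constructed sample exchange: the values a rogue SMB server would hold after
# the victim's Outlook resolved a reminder path pointing at it.
SAMPLE_USER, SAMPLE_DOMAIN = "alice", "CORP"
SAMPLE_CHALLENGE = bytes.fromhex("0123456789abcdef")          # from the CHALLENGE message
SAMPLE_BLOB = bytes.fromhex("0101000000000000" + "00" * 8      # simplified client blob
                            + "deadbeefcafef00d" + "00000000")


def demo_capture_and_crack():
    """Victim authenticates with a weak password; attacker recovers it offline."""
    response = ntlmv2_response("Summer2023!", SAMPLE_USER, SAMPLE_DOMAIN,
                               SAMPLE_CHALLENGE, SAMPLE_BLOB)
    return crack_response(SAMPLE_USER, SAMPLE_DOMAIN, SAMPLE_CHALLENGE, response,
                          ["password", "letmein", "Summer2023!", "Welcome1"])


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("cracked:", demo_capture_and_crack())
```

Two points follow from the code. What leaks to the attacker's share is the NTProofStr over a challenge the attacker chose, not the NT hash, so it cannot be replayed later or used for pass-the-hash; it is only useful for relaying to another NTLM service while the victim's connection is still open, or for offline guessing, which succeeds quickly against weak passwords. That is why the mitigations centre on stopping the outbound authentication rather than on rotating hashes.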
However, researchers at security consultancy MDSec published technical details on how to exploit the issue shortly after Microsoft released the fix.
Dominic Chell, a member of MDSec's red team, examined the script Microsoft provides to scan Exchange message items for signs of exploitation of CVE-2023-23397 and found how easy it would be for a threat actor to abuse the flaw.
He noticed that the script checks received mail items for the "PidLidReminderFileParameter" property and removes it if present.
According to Chell, this property lets the sender specify the filename of the sound Outlook should play when the message reminder fires.
The researcher was puzzled that the sender of an email could control the reminder sound played on the recipient's machine at all, since there is no legitimate reason for a sender to set it.
Chell reasoned that if the property accepts a file name, it should also accept a UNC path, which would make Outlook authenticate over NTLM to the host named in it.
He confirmed that the PidLidReminderFileParameter property can indeed be used to make Outlook resolve a remote, attacker-controlled UNC path.
With that knowledge, the researcher built a malicious Outlook email (.MSG) containing a calendar appointment that, when its reminder fires, sends the target's Net-NTLMv2 response to any server the attacker chooses.
The captured credentials can then be relayed to other services that accept NTLM authentication, or cracked offline, to gain further access to the corporate network.
Besides calendar appointments, an attacker could also use Outlook Tasks, Notes, or plain email messages to obtain the hashes.
Chell also points out that CVE-2023-23397 can force authentication to an IP address outside the Trusted Sites or Local Intranet zone, so the zone restrictions that would normally keep Windows from sending NTLM credentials to arbitrary hosts on the internet do not help here.
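A triage check in the spirit of Microsoft's script, written here as an added example (it is not Microsoft's script and not MDSec's proof of concept): it inspects the PidLidReminderFileParameter value on each mailbox item, extracts the host from the UNC forms Windows accepts, including the WebDAV-style host@port variant, and reports any host that falls outside an assumed trusted-intranet policy. The sample items are constructed dictionaries standing in for MAPI message objects, and TRUSTED_INTRANET is an assumed organisational policy, not something the article specifies.

```python
"""Triage of PidLidReminderFileParameter values on mailbox items.
Added example for this article; not Microsoft's CVE-2023-23397 script and
not MDSec's code.  Items and the trusted-zone policy are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Matches \\host\share\file, //host/share/file and \\?\UNC\host\share\file
UNC_RE = re.compile(r"^(?:\\\\\?\\UNC\\|\\\\|//)([^\\/]+)[\\/]")

# Assumed policy: what the Local Intranet zone covers in this organisation.
# Anything else counts as "outside the trusted zone".
TRUSTED_INTRANET = {
    "suffixes": (".corp.example",),
    "networks": (ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")),
}


def unc_host(value: str) -> Optional[str]:
    """Host part of a UNC path, or None if the value is not UNC at all.
    WebDAV-style authorities (host@80, host@SSL) are reduced to the host."""
    m = UNC_RE.match(value.strip())
    if not m:
        return None
    return m.group(1).split("@")[0].lower()


def host_is_trusted(host: str) -> bool:
    """Dotless names resolve via the intranet; otherwise require an allowed
    DNS suffix or an address inside an allowed range."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." not in host or host.endswith(TRUSTED_INTRANET["suffixes"])
    return any(ip in net for net in TRUSTED_INTRANET["networks"])


@dataclass
class Finding:
    subject: str
    message_class: str
    reminder_file: str
    host: str
    outside_trusted_zone: bool


def scan_items(items) -> list:
    """Flag every item whose reminder sound points at a UNC path.  The check
    runs on all classes, since mail, Tasks and Notes can carry the property
    as well as appointments."""
    findings = []
    for item in items:
        value = item.get("PidLidReminderFileParameter")
        if not value:
            continue
        host = unc_host(value)
        if host is None:
            continue  # local path such as C:\Windows\Media\chimes.wav
        findings.append(Finding(item.get("subject", ""), item.get("message_class", ""),
                                value, host, not host_is_trusted(host)))
    return findings


def suspicious(items) -> list:
    """Subjects of items whose reminder path leaves the trusted zone."""
    return [f.subject for f in scan_items(items) if f.outside_trusted_zone]


# Constructed sample mailbox, standing in for what an Exchange scan returns.
SAMPLE_ITEMS = [
    {"subject": "Team sync", "message_class": "IPM.Appointment",
     "PidLidReminderFileParameter": r"C:\Windows\Media\chimes.wav"},
    {"subject": "Budget review", "message_class": "IPM.Appointment",
     "PidLidReminderFileParameter": r"\\fileserver\media\ding.wav"},
    {"subject": "Urgent: contract", "message_class": "IPM.Appointment",
     "PidLidReminderFileParameter": r"\\203.0.113.10\share\reminder.wav"},
    {"subject": "Follow up", "message_class": "IPM.Task",
     "PidLidReminderFileParameter": r"\\203.0.113.10@80\dav\reminder.wav"},
    {"subject": "Lunch", "message_class": "IPM.Note"},
]

if __name__ == "__main__":
    for f in scan_items(SAMPLE_ITEMS):
        print(("OUTSIDE " if f.outside_trusted_zone else "intranet") , f.subject, "->", f.host)
```

The host@80 case is included deliberately: if outbound SMB is blocked, Windows can fall back to WebDAV for a UNC path, so a detection that only looks for plain \\host\share strings, or a mitigation that only blocks TCP 445, leaves that route open. Treat any UNC value in this property as suspicious regardless of zone; the zone test only orders the findings.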
The flaw was discovered and reported to Microsoft by Ukraine's Computer Emergency Response Team (CERT-UA), likely after it was observed being used in attacks in the country.
According to Microsoft, the vulnerability was exploited in targeted attacks against a number of European organizations in the government, transportation, energy, and military sectors.
Threat Actor APT28
The attacks are attributed to APT28 (also known as Strontium, Fancy Bear, Sednit, and Sofacy), a threat actor linked to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
CVE-2023-23397 is believed to have been used against up to 15 organizations, with the most recent incident taking place in December of last year.
After gaining access, the attackers commonly use the open-source frameworks Impacket and PowerShell Empire to move laterally to other high-value systems on the network and collect data.
Administrators are strongly advised to prioritize patching CVE-2023-23397 and to run Microsoft's script, which checks whether message items in Exchange carry a UNC path in the reminder property. Where patching cannot happen immediately, Microsoft's recommended mitigations are to add high-value accounts to the Protected Users security group, which disables NTLM authentication for them, and to block outbound TCP 445 at the perimeter; bear in mind that blocking 445 alone does not stop the WebDAV fallback Windows can use for UNC paths.