Microsoft recently released guidance to help customers discover indicators of compromise (IoCs) associated with the recently patched, severe Outlook vulnerability known as CVE-2023-23397.
What Is CVE-2023-23397?
As explained by Microsoft in their advisory, CVE-2023-23397 is a critical elevation of privilege vulnerability that exists in Microsoft Outlook on Windows when a threat actor delivers a specially crafted message to a user. This message contains a PidLidReminderFileParameter extended Messaging Application Programming Interface (MAPI) property set to a Universal Naming Convention (UNC) path share on a threat actor-controlled server (via Server Message Block (SMB)/Transmission Control Protocol (TCP) port 445).
This critical flaw, which carries the potential of privilege escalation, could be exploited by external attackers to send specially crafted emails that would allow them to steal NT LAN Manager (NTLM) hashes and stage a relay attack without the need for any user interaction. According to Microsoft’s advisory, this would result in the Net-NTLMv2 hash of the victim being leaked to the untrusted network, which the attacker can then relay to another service and authenticate as the victim.
How Is CVE-2023-23397 Exploited?
In April 2022, Microsoft’s incident response team discovered evidence that Russia-based threat actors were attempting to exploit this vulnerability. As a result, the tech giant rolled out updates as part of their Patch Tuesday in March 2023 to resolve the issue. Unfortunately, the threat actors had already weaponized the flaw and used it to target government, transportation, energy, and military sectors in Europe. In one attack chain, a successful Net-NTLMv2 relay attack was used to gain unauthorized access to an Exchange Server and modify mailbox folder permissions, granting persistent access.
What Are CVE-2023-23397’s Indicators of Compromise?
Organizations should analyze SMBClient event logs, Process Creation events, and any other available network telemetry to determine if CVE-2023-23397 has been exploited. To determine whether any unauthorized access was gained by a threat actor, authentication events, network perimeter logging, and Exchange Server logging (if applicable) must be examined, Microsoft said.
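The following is an added example, not Microsoft's own detection script and not code from the article, that ties the mechanism described above (a PidLidReminderFileParameter value pointing at a UNC path on an attacker-controlled host) to the telemetry review this section recommends. It triages exported reminder-file values by whether they name a remote host and whether that host is internal, flags outbound SMB (445/tcp) connections to external destinations in connection telemetry, and correlates the two. The message values, the key=value log line format, and the internal address ranges and DNS suffix are all constructed assumptions; replace them with values exported from your own mailboxes and logging pipeline.

```python
import ipaddress
import re
from urllib.parse import urlparse

# --- Constructed sample data (not from any real mailbox or host) -------------

# PidLidReminderFileParameter values as they might be exported from message items.
SAMPLE_REMINDER_VALUES = {
    "msg-001": None,                                       # property absent (normal)
    "msg-002": r"C:\Windows\Media\Alarm01.wav",            # local file (normal)
    "msg-003": r"\\fileserver.corp.example\sounds\x.wav",  # internal share: review
    "msg-004": r"\\203.0.113.10\share\reminder.wav",       # external host: suspicious
    "msg-005": r"\\?\UNC\203.0.113.10\share\r.wav",        # extended-length UNC form
    "msg-006": "file://203.0.113.10/share/r.wav",          # file: URL form
}

# Outbound connection telemetry in a constructed key=value line format.
SAMPLE_NETWORK_EVENTS = [
    "2023-03-15T10:01:02Z host=WS01 process=OUTLOOK.EXE dst=10.0.5.20 dport=445",
    "2023-03-15T10:01:09Z host=WS01 process=OUTLOOK.EXE dst=203.0.113.10 dport=445",
    "2023-03-15T10:02:00Z host=WS01 process=chrome.exe dst=203.0.113.50 dport=443",
    "2023-03-15T10:03:11Z host=WS02 process=explorer.exe dst=203.0.113.10 dport=445",
]

# Assumption: these ranges and DNS suffixes are the organisation's internal space.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
INTERNAL_DOMAIN_SUFFIXES = (".corp.example",)


def reminder_target_host(value):
    """Return the remote host a reminder-sound path points at, or None for absent/local paths."""
    if not value:
        return None
    v = value.strip()
    if v.lower().startswith("file:"):
        return urlparse(v).hostname or None
    v = v.replace("/", "\\")                 # Windows accepts either separator
    if v.lower().startswith("\\\\?\\unc\\"):
        v = "\\\\" + v[8:]                   # \\?\UNC\host\share -> \\host\share
    if v.startswith("\\\\"):
        host = v[2:].split("\\", 1)[0]
        if host and host not in ("?", "."):  # skip \\?\ and \\.\ device prefixes
            return host
    return None


def is_internal_host(host):
    """True when host is an address inside INTERNAL_NETWORKS or a name under an internal suffix."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return host.lower().endswith(INTERNAL_DOMAIN_SUFFIXES)
    return any(ip in net for net in INTERNAL_NETWORKS)


def triage_reminder_values(items):
    """'clean' = no remote path, 'review' = remote but internal host, 'suspicious' = remote external host."""
    verdicts = {}
    for msg_id, value in items.items():
        host = reminder_target_host(value)
        if host is None:
            verdicts[msg_id] = "clean"
        elif is_internal_host(host):
            verdicts[msg_id] = "review"
        else:
            verdicts[msg_id] = "suspicious"
    return verdicts


_EVENT_RE = re.compile(
    r"host=(?P<host>\S+) process=(?P<process>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def flag_outbound_smb(lines):
    """Return (host, process, dst) for every SMB (445/tcp) connection to a non-internal destination."""
    hits = []
    for line in lines:
        m = _EVENT_RE.search(line)
        if not m or m.group("dport") != "445":
            continue
        if is_internal_host(m.group("dst")):
            continue
        hits.append((m.group("host"), m.group("process"), m.group("dst")))
    return hits


def correlate(items, lines):
    """Remote hosts named in a reminder value that also received outbound SMB from a workstation."""
    reminder_hosts = {reminder_target_host(v) for v in items.values()}
    reminder_hosts.discard(None)
    smb_hosts = {dst for _, _, dst in flag_outbound_smb(lines)}
    return sorted(reminder_hosts & smb_hosts)


if __name__ == "__main__":
    for msg_id, verdict in triage_reminder_values(SAMPLE_REMINDER_VALUES).items():
        print(f"{msg_id}: {verdict}")
    for hit in flag_outbound_smb(SAMPLE_NETWORK_EVENTS):
        print("outbound SMB to external host:", hit)
    print("correlated hosts:", correlate(SAMPLE_REMINDER_VALUES, SAMPLE_NETWORK_EVENTS))
```

A remote reminder path is unusual even when it points at an internal server, which is why such items are marked for review rather than ignored; the internal ranges are listed explicitly because Python's `ipaddress.is_private` also treats the documentation ranges used in the sample data as private. The correlation step is what turns a suspicious message into a likely exploitation event: a workstation actually opening SMB to the host named in the property is the behaviour the advisory describes.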