Microsoft has confirmed the exploitation of a critical security vulnerability in Exchange Server, which was addressed in the February 2024 Patch Tuesday updates.
This acknowledgment comes just a day after the company issued fixes for the flaw as part of its routine Patch Tuesday updates.
CVE-2024-21410: Details
Identified as CVE-2024-21410 with a severity score of 9.8 (CVSS), the vulnerability pertains to a privilege escalation issue within Exchange Server. According to Microsoft, attackers could exploit this flaw to leak NTLM credentials, primarily targeting clients such as Outlook. These leaked credentials are then used to gain unauthorized privileges on the Exchange server, enabling malicious actors to execute operations on behalf of the victim.
Exploitation
The successful exploitation of this flaw facilitates the relay of a user’s leaked Net-NTLMv2 hash against a vulnerable Exchange Server, thereby allowing the attacker to authenticate as the user. Microsoft has updated its bulletin to reflect the seriousness of the situation, categorizing it as “Exploitation Detected” and implementing Extended Protection for Authentication (EPA) by default with the Exchange Server 2019 Cumulative Update 14 (CU14) release.
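Because the mitigation described above is a server-side setting (Extended Protection for Authentication on the Exchange IIS virtual directories), an administrator's first question is whether it is actually enforced on a given server. The script below is an added example, not code from the article or from Microsoft; it reads the IIS `tokenChecking` attribute for a list of Exchange virtual directories that is assumed here for illustration (the authoritative list for each Exchange version comes from Microsoft's EPA guidance) and flags any directory where EPA is not set to `Require`.

```powershell
# Added example (not from the article or Microsoft): audit whether Extended
# Protection for Authentication (EPA) is enforced on Exchange IIS virtual
# directories. Run from an elevated PowerShell session on the Exchange server.
# The virtual-directory list is an assumption for illustration only; take the
# real list from Microsoft's EPA documentation for your Exchange version.
Import-Module WebAdministration

$vdirs = @(
    'IIS:\Sites\Default Web Site\EWS',
    'IIS:\Sites\Default Web Site\Autodiscover',
    'IIS:\Sites\Default Web Site\mapi',
    'IIS:\Sites\Default Web Site\Rpc'
)

# IIS configuration path of the EPA setting under Windows authentication.
$filter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'

$results = foreach ($vdir in $vdirs) {
    if (-not (Test-Path $vdir)) {
        Write-Warning "Virtual directory not found: $vdir"
        continue
    }

    $raw = Get-WebConfigurationProperty -PSPath $vdir -Filter $filter -Name 'tokenChecking'
    # Depending on the attribute type the cmdlet returns either a bare value or
    # a configuration object with a .Value property; normalise to a string.
    $value = if ($null -ne $raw -and $raw.PSObject.Properties['Value']) { $raw.Value } else { $raw }

    [pscustomobject]@{
        VirtualDirectory = $vdir
        TokenChecking    = "$value"
        # Only 'Require' actually rejects relayed authentication; 'Allow' and
        # 'None' leave the directory usable in an NTLM relay scenario.
        Enforced         = ("$value" -eq 'Require')
    }
}

$results | Format-Table -AutoSize

$exposed = @($results | Where-Object { -not $_.Enforced })
if ($exposed.Count -gt 0) {
    Write-Warning ("EPA not enforced on {0} virtual director(y/ies); review before relying on this mitigation." -f $exposed.Count)
}
```

A `Require` value on every directory is necessary but not sufficient on its own: EPA also depends on consistent TLS and SSL-offloading configuration between clients, any load balancer and the Exchange server, which is why Microsoft's own EPA tooling performs additional checks before enabling it. Treat this script as a quick inventory, and keep patch level (the CU14 release mentioned above or the February 2024 security update) as the primary control.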
While specific details regarding the exploitation and the identity of threat actors remain undisclosed, concerns have been raised about potential involvement from state-affiliated hacking groups, such as APT28 (also known as Forest Blizzard), known for exploiting vulnerabilities in Microsoft Outlook for NTLM relay attacks.
This critical flaw, CVE-2024-21410, compounds existing security concerns following the discovery of two other Windows vulnerabilities – CVE-2024-21351 and CVE-2024-21412 – both actively exploited in real-world attacks. Of particular note is CVE-2024-21412, which allows bypassing Windows SmartScreen protections and has been attributed to an advanced persistent threat group named Water Hydra (aka DarkCasino).
Furthermore, Microsoft’s Patch Tuesday update addresses CVE-2024-21413, a critical flaw in Outlook email software enabling remote code execution by circumventing security measures like Protected View. Termed MonikerLink by cybersecurity researchers, this vulnerability exposes users to various risks, including leakage of local NTLM credentials and potential remote code execution.
Given the severity of these vulnerabilities and their exploitation in the wild, Microsoft urges users to apply the latest security updates promptly to safeguard their systems and data from potential cyber threats.