Russian hackers use old Outlook vulnerability to target Polish orgs (CVE-2023-23397)

Russian state-backed hacking group Forest Blizzard (aka Fancy Bear, aka APT28) has been using a known Microsoft Outlook vulnerability (CVE-2023-23397) to target public and private entities in Poland, Polish Cyber Command has warned.

Compromising email accounts and maintaining access to them

APT28 is known for targeting government, non-governmental, energy and transportation organizations in the US, Europe, and the Middle East.

The most recent attacks were detected and reported by the computer security incident response team of the Polish National Research institute (CSIRT NASK).

The attacks were further analyzed by Polish Cyber Command, who confirmed that the threat actors have been gaining access to email accounts within Microsoft Exchange servers and modifying folder permissions within the victim’s mailbox.

“Folders permissions were modified, among others, in mailboxes that were high-value information targets for the adversary. As a result of this change, the adversary was able to gain unauthorized access to the resources of high-value informational mailboxes through any compromised email account in the Exchange organization, using the Exchange Web Services (EWS) protocol,” Polish Cyber Command explained, and pointed out that the modifications allowed attackers to maintain unauthorized access to the contents of the mailbox even after losing direct access to it.

APT28 leverages CVE-2023-23397 to spy on organizations in Poland

How did APT28 gain access to the email accounts in the first place? Either through brute-force attacks or by exploiting CVE-2023-23397, Polish Cyber Command found.

CVE-2023-23397 is a critical elevation of privilege vulnerability that affects Microsoft Outlook for Windows. It was patched by Microsoft in March 2023 but, as the company’s Incident Response team says, there’s “evidence of potential exploitation of this vulnerability as early as April 2022.”

At the time of the release of the patch, CVE-2023-23397 was known to have been leveraged as a zero-day by a Russia-based threat actor “in targeted attacks against a limited number of organizations in government, transportation, energy, and military sectors in Europe.”

CVE-2023-23397 can be exploited by sending to the target a specially crafted email message that triggers a reminder.

“The user does not need to interact with the message: if Outlook on Windows is open when the reminder is triggered, it allows exploitation. The connection to the remote SMB server sends the user’s Net-NTLMv2 hash in a negotiation message, which the threat actor can either a) relay for authentication against other systems that support NTLMv2 authentication or b) perform offline cracking to extract the password,” Microsoft explained.

Even though Microsoft urged users to patch the vulnerability in March (and later in May, because researchers found that a patch for another vulnerability could be bypassed to re-enable exploitation of CVE-2023-23397), it’s obvious that there are systems out there that are still unpatched and vulnerable.

Additional exploited vulnerabilities

In late March, Microsoft published detailed mitigations, indicators of compromise and methods for determining whether a company has been compromised by attackers exploiting CVE-2023-23397, and that advice still holds.

Polish Cyber Command has provided a toolkit that organizations can use to detect potentially suspicious mailbox folder sharing within Microsoft Exchange servers, and a list of recommendations and guidelines on what to do if compromise is suspected.

They assess that the adversary is sophisticated and has a thorough knowledge of the architecture and mechanisms of the Microsoft Exchange mail system.

The attackers also used commercial VPN services to blend their attack traffic and changed IP addresses when hitting different targets.

“Identification of this type of attack is challenging due to the intentional avoidance of using any offensive tools that could be detected by cybersecurity systems,” they said, and “building a custom detection requires the analysis of event logs, which are saved by default on mail servers.”

CVE-2023-23397 is not the only “old” vulnerability exploited by APT28 attackers: Microsoft’s Threat Intelligence team says that the group still leverages known public exploits for CVE-2023-38831 and CVE-2021-40444, even though fixes have been available for quite some time.