Microsoft Pins Outlook Zero-Day Attacks on Russian Actor
Description:
Microsoft’s threat intelligence team is blaming a “Russian-based threat actor” for newly disclosed in-the-wild attacks targeting a critical vulnerability in its flagship Microsoft Outlook software.
Issue:
One day after sounding an alarm for live exploitation of the Outlook security flaw, Microsoft said it traced the exploit to a Russian hacker targeting a limited number of organizations in government, transportation, energy, and military sectors in Europe.
Findings:
Microsoft did not name the threat actor or provide indicators of compromise (IOCs) to help defenders hunt for signs of intrusion. However, in a nod to the severity of the issue, the Microsoft Security Response Center (MSRC) published mitigation guidance and offered a CVE-2023-23397 script to help with the audit and cleanup.
CVE_ID :
- CVE-2023-23397
CVSS:
- 9.8
Source:
Impact:
- The new documentation describes the CVE-2023-23397 bug as a critical privilege escalation issue in Microsoft Outlook that is triggered when an attacker sends a message carrying an extended Messaging Application Programming Interface (MAPI) property containing a Universal Naming Convention (UNC) path to an SMB (TCP 445) share on a threat-actor-controlled server.
Actions taken:
- “We strongly recommend all customers update Microsoft Outlook for Windows to remain secure,” Microsoft said.
- “To determine if your organization was targeted by actors attempting to use this vulnerability, Microsoft is providing documentation and a script at https://aka.ms/CVE-2023-23397ScriptDoc”.
Recommendation:
- Organizations should review the output of this script to determine risk.
- Tasks, email messages, and calendar items that are detected and point to an unrecognized share should be reviewed to determine if they are malicious.
- If objects are detected, they should be removed or the offending parameter cleared.
- If no objects are detected, it is unlikely the organization was targeted via CVE-2023-23397.
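As an added triage example (not Microsoft's script or code from the page), the snippet below parses a constructed export of items found by the audit and separates those pointing at a recognized share from those pointing at an unrecognized host, which the recommendation above says should be reviewed. The CSV layout, column names, hostnames and trusted-host list are all assumptions made for the example.

```python
import csv
import io
import re

# Constructed sample of an audit export (the real script's output format is not
# shown on the page): one row per Outlook item whose reminder-sound path
# property is populated.
SAMPLE_CSV = r"""Mailbox,ItemType,Subject,ReminderPath
alice@corp.example,Task,Quarterly report,\\files.corp.example\sounds\chime.wav
bob@corp.example,Email,Invoice 4471,\\203.0.113.7\share\a.wav
carol@corp.example,Appointment,Standup,\\?\UNC\updates.example.net\s\x.wav
dave@corp.example,Task,Local sound,C:\Windows\Media\chimes.wav
"""

# Hosts whose shares the organization recognizes as legitimate (assumed list).
TRUSTED_HOSTS = {"files.corp.example"}

# Matches \\host\share... and the long form \\?\UNC\host\share...
UNC_RE = re.compile(r"^\\\\(?:\?\\UNC\\)?(?P<host>[^\\]+)\\(?P<share>[^\\]+)")


def parse_unc(path):
    """Return (host, share) for a UNC path, or None for local/non-UNC paths."""
    m = UNC_RE.match(path.strip())
    if not m:
        return None
    # Hostnames are case-insensitive; normalise so allowlist lookups match.
    return m.group("host").lower(), m.group("share")


def classify(path, trusted_hosts=TRUSTED_HOSTS):
    """'local' for non-UNC paths, 'trusted' for known shares, else 'review'."""
    parsed = parse_unc(path)
    if parsed is None:
        return "local"
    host, _share = parsed
    return "trusted" if host in trusted_hosts else "review"


def triage(csv_text, trusted_hosts=TRUSTED_HOSTS):
    """Return the rows whose reminder path points at an unrecognised share."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if classify(row["ReminderPath"], trusted_hosts) == "review":
            host, share = parse_unc(row["ReminderPath"])
            flagged.append({**row, "Host": host, "Share": share})
    return flagged


if __name__ == "__main__":
    for item in triage(SAMPLE_CSV):
        print(f'{item["Mailbox"]}: {item["ItemType"]} "{item["Subject"]}" '
              f'-> \\\\{item["Host"]}\\{item["Share"]}')
```

Any row in the flagged list is a candidate for the manual review the guidance calls for; a path to a host outside the organization is the strongest signal.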