Summary

CERT-UA, Ukraine’s Computer Emergency Response Team, was the first to discover the vulnerability, which carries a CVSS score of 9.8 and affects all supported versions of Outlook for Windows. Microsoft reported that a group of Russian hackers exploited the NTLM vulnerability in 2022 against a number of European organizations, including military ones.

Microsoft’s Threat Intelligence team found evidence of limited, targeted exploitation of an Outlook for Windows vulnerability that allows theft of NT LAN Manager (NTLM) credentials. Microsoft has assigned it CVE-2023-23397 and classifies it as an elevation of privilege (EoP) vulnerability.

Technical Details

By sending a specially crafted email to a vulnerable system, a remote attacker can obtain the victim’s Net-NTLMv2 hash. An attacker who successfully exploits this vulnerability can then use that hash in an NTLM relay attack against another service to authenticate as the user.

Windows NT LAN Manager (NTLM) is a suite of security protocols that use hashed credentials to authenticate identities in Windows domains. Note that Outlook on the web does not use NTLM for user authentication and is therefore not affected by this issue.
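The observable side effect of the hash leak described above is an outbound SMB connection (TCP 445) from a workstation to a host the attacker controls, which is also why the mitigation section below recommends blocking that traffic. The following is an added example, not code from the page or from Microsoft, that scans Windows Firewall log lines for such connections to non-private addresses. The log lines are constructed in the pfirewall.log column layout and use addresses from documentation ranges; the field positions assumed here are those of the default log format.

```powershell
# Added example: find outbound TCP 445 connections to non-private addresses
# in Windows Firewall log lines. Such connections from workstations are what
# a Net-NTLMv2 leak to an external SMB server looks like on the wire.

function Test-PrivateIPv4 {
    param([string]$Ip)
    $octets = $Ip.Split('.')
    if ($octets.Count -ne 4) { return $false }
    $a = [int]$octets[0]; $b = [int]$octets[1]
    # RFC 1918 ranges plus loopback are treated as internal
    return ($a -eq 10) -or
           ($a -eq 172 -and $b -ge 16 -and $b -le 31) -or
           ($a -eq 192 -and $b -eq 168) -or
           ($a -eq 127)
}

function Find-ExternalSmb {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        # pfirewall.log fields (assumed default layout):
        # date time action protocol src-ip dst-ip src-port dst-port ... path
        $f = $line -split '\s+'
        if ($f.Count -lt 8) { continue }
        $proto = $f[3]; $src = $f[4]; $dst = $f[5]; $dport = $f[7]; $path = $f[-1]
        if ($proto -eq 'TCP' -and $dport -eq '445' -and $path -eq 'SEND' -and
            -not (Test-PrivateIPv4 $dst)) {
            [pscustomobject]@{
                Time        = "$($f[0]) $($f[1])"
                Source      = $src
                Destination = $dst
                Action      = $f[2]
            }
        }
    }
}

# Constructed sample lines (documentation-range addresses); in practice read
# them with Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
$sample = @(
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
    '2023-03-15 09:12:01 ALLOW TCP 192.168.1.20 192.168.1.5 51234 445 0 - 0 0 0 - - - SEND',
    '2023-03-15 09:12:07 ALLOW TCP 192.168.1.20 203.0.113.10 51240 445 0 - 0 0 0 - - - SEND',
    '2023-03-15 09:12:09 ALLOW TCP 192.168.1.20 198.51.100.7 51241 443 0 - 0 0 0 - - - SEND'
)

# Only the connection to 203.0.113.10 on port 445 is reported
Find-ExternalSmb -Lines $sample | Format-Table -AutoSize
```

Internal file servers and domain controllers are excluded by the private-range check, so a hit from a user workstation is worth correlating with the mailbox scan from Microsoft’s script rather than dismissing as normal SMB traffic.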

Mitigation

  • Microsoft urges customers to install the most recent security updates available for Outlook for Windows, which fix the NTLM vulnerability.
  • IT admins may additionally block outbound TCP 445/SMB connections from their networks to the internet.
  • Microsoft recommends that administrators add user accounts to the Protected Users security group, whose members cannot authenticate with NTLM.
  • Microsoft has also published a PowerShell script that finds and removes suspicious messaging items in both Exchange Online and on-premises Exchange environments.
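The two interim controls in the list above (blocking outbound SMB and using the Protected Users group) can be applied from PowerShell. This is an added example and is not Microsoft’s CVE-2023-23397 script; the rule name and the account names are placeholders, and it assumes an elevated session on a domain-joined host with the ActiveDirectory module available.

```powershell
# Added example of the interim controls (placeholder names; not Microsoft's script).

# 1. Block outbound SMB (TCP 445) to the internet on the endpoint itself.
#    The 'Internet' address keyword relies on Network Location Awareness to
#    exclude local subnets, so file servers and domain controllers on the
#    intranet keep working.
$ruleName = 'Block outbound SMB to Internet (CVE-2023-23397 mitigation)'
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Outbound -Protocol TCP -RemotePort 445 `
    -RemoteAddress Internet -Action Block -Profile Any | Out-Null

# Verify the rule was created with the intended port filter
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, RemotePort

# 2. Add accounts to the Protected Users group, which disables NTLM
#    authentication (and also DES/RC4 Kerberos, delegation and cached
#    credentials) for its members. Test on a pilot set first; service
#    accounts that still depend on NTLM will break.
Import-Module ActiveDirectory
$accounts = @('jdoe', 'asmith')   # placeholder sAMAccountNames
Add-ADGroupMember -Identity 'Protected Users' -Members $accounts

# Confirm membership
Get-ADGroupMember -Identity 'Protected Users' |
    Select-Object SamAccountName, objectClass
```

The endpoint rule complements, rather than replaces, a perimeter block on TCP 445, since roaming laptops are outside the perimeter when they are most exposed.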

All customers should update Microsoft Outlook for Windows to remain secure.

Reach out to Messageware to improve Microsoft Exchange Server Security

If you are not protecting all the protocols used by your Exchange Server, you’re putting your company at a higher risk of a data breach.

Security incidents happen frequently. They cause disruption, loss of data and potentially risk the reputation of your company. However, if you implement these steps, you’re doing more than most other companies.

Have you heard about Messageware’s EPG, which offers advanced Exchange Server security to protect organizations from a variety of logon and password attacks, as well as extensive real-time reporting and alerts on suspicious logon activity?