APT28, A RUSSIA-AFFILIATED GROUP, UTILIZING OUTLOOK VULNERABILITY TO SEIZE MS EXCHANGE ACCOUNTS

By Sharique

Microsoft Threat Intelligence has warned that the Russia-associated APT28 group is actively exploiting the CVE-2023-23397 Outlook flaw to seize control of Microsoft Exchange accounts. The group, which Microsoft tracks as “Forest Blizzard” (formerly “Strontium”) and which is also known as “Fancy Bear,” has been flagged by Microsoft for using the vulnerability to infiltrate Microsoft Exchange accounts and steal sensitive data.

APT28, alternatively referred to as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, has been operational since 2007, targeting governmental, military, and security entities globally. The group has been linked to various cyberattacks, including those during the 2016 Presidential election.

Operating under the Russian General Staff Main Intelligence Directorate’s (GRU) 85th Main Special Service Center (GTsSS) military unit, APT28 predominantly employs spear-phishing and malware-driven tactics in its campaigns.

In March 2023, Microsoft released guidance on investigating attacks exploiting the patched Outlook vulnerability identified as CVE-2023-23397. This vulnerability, a Microsoft Outlook spoofing flaw, could lead to an authentication bypass.

Recent observations by Microsoft’s Threat Intelligence have revealed that these state-sponsored actors primarily target government, energy, transportation, and non-governmental organizations across the US, Europe, and the Middle East.

Furthermore, the attackers frequently exploit multiple known vulnerabilities, such as CVE-2023-38831 in WinRAR or CVE-2021-40444 in Windows MSHTML.

To address this threat, Microsoft collaborated with the Polish Cyber Command (DKWOC) to identify and mitigate the malicious cluster activity.

According to DKWOC’s announcement, this technique involved modifying permissions to mailbox folders within Microsoft Exchange servers, granting unauthorized access to email correspondence. The attackers used this method after gaining entry to email accounts through CVE-2023-23397 (Microsoft Outlook Vulnerability) or password spraying.
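A defensive sweep for the folder-permission modification described above, as an added example that is not from the article or from DKWOC’s announcement. It assumes an Exchange PowerShell session (Connect-ExchangeOnline, or the on-premises Exchange Management Shell) with rights to read every mailbox’s folder permissions; the set of folder types checked and the “Default”/“Anonymous” entries flagged are the example’s own choices.

```powershell
# Added example, not the article's or DKWOC's code.
# Flags mailbox folders where the built-in "Default" or "Anonymous" entries
# grant anything beyond None, which is how a permission change that exposes
# mail to other accounts shows up. Assumes an Exchange PowerShell session.

$suspectUsers = @('Default', 'Anonymous')
$findings = @()

foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Limit the sweep to folders that actually hold mail (example's choice;
    # widen or drop this filter to audit every folder).
    $folders = Get-MailboxFolderStatistics -Identity $mbx.Identity |
        Where-Object { $_.FolderType -in @('Inbox', 'SentItems', 'Drafts', 'User Created') }

    foreach ($folder in $folders) {
        # FolderPath reads "/Inbox"; the permission identity wants "user@domain:\Inbox".
        $folderId = "$($mbx.PrimarySmtpAddress):$($folder.FolderPath -replace '/', '\')"
        $perms = Get-MailboxFolderPermission -Identity $folderId -ErrorAction SilentlyContinue

        foreach ($p in $perms) {
            $who    = "$($p.User)"              # stringify the user object (Default/Anonymous/named)
            $rights = ($p.AccessRights -join ',')

            if (($suspectUsers -contains $who) -and ($rights -ne 'None')) {
                $findings += [pscustomobject]@{
                    Mailbox      = $mbx.PrimarySmtpAddress
                    Folder       = $folder.FolderPath
                    User         = $who
                    AccessRights = $rights
                }
            }
        }
    }
}

# Anything listed here deserves correlation with the mailbox audit log and
# the account's sign-in history before it is reverted.
$findings | Sort-Object Mailbox, Folder | Format-Table -AutoSize
```

Named users with unexpected rights are not caught by this filter; extend `$suspectUsers`, or invert the check to list every non-owner grant, when reviewing a mailbox already known to be compromised.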

Microsoft strongly advises organizations to patch their systems promptly and keep them updated to counter this threat.

In October, the French National Agency for the Security of Information Systems (ANSSI) warned of APT28’s targeting of various French organizations, including government entities, businesses, universities, and research institutes and think tanks.

ANSSI noted that the threat actors employed various techniques to evade detection, including compromising low-risk equipment located at the target networks’ periphery. In some instances, the group refrained from deploying any backdoors on the compromised systems.

ANSSI identified three attack techniques used by APT28 against French organizations:

  1. Searching for zero-day vulnerabilities
  2. Compromising routers and personal email accounts
  3. Utilizing open source tools and online services

ANSSI’s investigations confirmed APT28’s exploitation of the Outlook 0-day vulnerability CVE-2023-23397. Additionally, partners reported that during this period, the group exploited other vulnerabilities, including those affecting Microsoft Windows Support Diagnostic Tool (MSDT, CVE-2022-30190, also known as Follina), as well as those targeting the Roundcube application (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026).
