On Monday, Microsoft revealed detection of Kremlin-backed nation-state activity exploiting a now-resolved critical security loophole in its Outlook email service. The vulnerability facilitated unauthorized access to victims’ accounts within Exchange servers.
The intrusions were attributed to a threat actor known as Forest Blizzard (formerly Strontium), which is also identified under various aliases such as APT28, BlueDelta, Fancy Bear, FROZENLAKE, Iron Twilight, Sednit, Sofacy, and TA422.
The security flaw in question, CVE-2023-23397 (CVSS score: 9.8), represents a severe privilege escalation bug that could permit an attacker to obtain a user’s Net-NTLMv2 hash. This hash could then be leveraged for a relay attack against another service, thereby authenticating as the user. Microsoft addressed this issue in March 2023.
The objective of the attacks, according to the Polish Cyber Command (DKWOC), was to gain unauthorized access to mailboxes belonging to public and private entities in the country.
“In the next stage of malicious activity, the adversary modifies folder permissions within the victim’s mailbox,” DKWOC explained. “In most cases, the modifications are to change the default permissions of the ‘Default’ group (all authenticated users in the Exchange organization) from ‘None’ to ‘Owner.'”
By doing so, the contents of mailbox folders granted such permissions could be accessed by any authenticated person within the organization. This enabled the threat actor to extract valuable information from high-value targets.
“It should be emphasized that the introduction of such modifications allows for the maintenance of unauthorized access to the contents of the mailbox even after losing direct access to it,” DKWOC added.
Microsoft previously disclosed that this security loophole had been exploited by Russia-based threat actors as a zero-day vulnerability in attacks targeting various sectors in Europe since April 2022.
Additionally, in June 2023, cybersecurity firm Recorded Future revealed a spear-phishing campaign orchestrated by APT28 exploiting vulnerabilities in the Roundcube webmail software, which coincided with activity utilizing the Microsoft Outlook vulnerability.
The National Cybersecurity Agency of France (ANSSI) also attributed attacks on government entities, businesses, universities, research institutes, and think tanks since late 2021 to the hacking group, utilizing various vulnerabilities, including CVE-2023-23397, to deploy implants such as CredoMap.
The group is believed to be connected to Unit 26165 of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), the foreign intelligence arm of the Ministry of Defense.
In recent months, the group has been linked to attacks on various organizations in France and Ukraine, as well as the exploitation of the WinRAR flaw (CVE-2023-38831) to steal browser login data using a PowerShell script named IRONJAW.
Furthermore, cybersecurity company Proofpoint observed high-volume phishing campaigns leveraging CVE-2023-23397 and CVE-2023-38831 in late March and September 2023, respectively, targeting entities in Europe and North America.
Unit 42 of Palo Alto Networks, in a technical report published on December 7, 2023, attributed APT28 to cyberattacks targeting at least 30 organizations within 14 nations over the past 20 months, exploiting CVE-2023-23397.
The attacks spanned three campaign waves, occurring between March 18 and December 29, 2022, March 15 and 29, 2023, and August 30 and October 11, 2023. These organizations included critical infrastructure entities and those providing an information advantage in diplomatic, economic, and military affairs.
