Microsoft warns of Russian hackers targeting vulnerable Outlook email accounts

Uses a vulnerability that was patched in March


Microsoft Threat Intelligence has warned that a prolific Russian hacking group is actively exploiting a known critical bug in Outlook to gain unauthorised access to email accounts.

The group, known as Forest Blizzard, is also tracked under other names including APT28, Fancy Bear, BlueDelta, FROZENLAKE, Iron Twilight, Sednit and Sofacy. It is associated with the Russian military intelligence agency GRU and tends to target government entities, critical infrastructure and non-governmental organisations in the US, Europe and the Middle East.

A patch for the main flaw exploited by APT28, CVE-2023-23397, a critical vulnerability in Outlook for Windows (CVSS score 9.8), was released by Microsoft in March 2023. Only Windows versions of Outlook are affected; Outlook for Android, iOS and macOS, Outlook on the web and other Microsoft 365 services are not.

CVE-2023-23397 is a privilege escalation flaw. The attacker sends a specially crafted message whose extended MAPI property PidLidReminderFileParameter (the custom reminder sound) is set to a UNC path pointing at a Server Message Block (SMB) share on a server the attacker controls. When Outlook processes the message and the reminder fires, the client connects to that share and authenticates with the user's Net-NTLMv2 credentials, which the attacker can capture and relay to another service to authenticate as the victim.

No user interaction is required: the connection is made when the message is retrieved and processed by the Outlook client, before it is previewed or opened, so it is a zero-click attack.

With the relayed credentials, attackers authenticate to the Exchange server as the victim and change mailbox folder permissions, giving themselves persistent access to monitor the targeted email accounts.
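The trigger described above leaves a checkable artefact in mailbox data: the reminder-sound property of a message set to a remote path. The following Python is an added example, not Microsoft's own CVE-2023-23397.ps1 script. It takes the value of the extended MAPI property PidLidReminderFileParameter for each item (constructed test data here, rather than values read from Exchange) and flags any UNC path whose host is not on an allow list, which is the condition under which Outlook would have sent the user's Net-NTLMv2 response to an attacker. The allow list, the item layout and the hostnames are assumptions for the example.

```python
"""Scan mailbox items for the CVE-2023-23397 trigger: a reminder-sound
property that points at a remote UNC path.

Added example; it is not Microsoft's CVE-2023-23397.ps1 script. The item
dicts are constructed test data. In a real deployment the "reminder_file"
value would be read from Exchange (for example via EWS) as the extended MAPI
property PidLidReminderFileParameter, id 0x851F in property set
PSETID_Appointment. The allow list is an assumption for the example.
"""
import ipaddress
import re
from typing import Optional

PIDLID_REMINDER_FILE_PARAMETER = 0x851F  # PSETID_Appointment, custom reminder sound

# Where a reminder sound may legitimately live (example assumption).
ALLOWED_HOSTS = {"fileserver.corp.example"}
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Capture the host of a UNC path. Handles the plain form \\host\share, the
# extended-length form \\?\UNC\host\share and the device form \\.\UNC\host\share,
# with either slash direction, so simple prefix variations do not hide the host.
_UNC_RE = re.compile(
    r"^[\\/]{2}(?:[?.][\\/]UNC[\\/])?(?P<host>[^\\/]+)(?:[\\/]|$)",
    re.IGNORECASE,
)


def unc_host(value: str) -> Optional[str]:
    """Return the lower-cased host of a UNC path, or None if value is not UNC."""
    m = _UNC_RE.match(value.strip())
    if not m:
        return None
    # \\host@80\DavWWWRoot\... is WebDAV redirector syntax; drop the @port so
    # the allow-list comparison sees the bare host.
    return m.group("host").split("@")[0].lower()


def host_is_allowed(host: str) -> bool:
    """True if host is an allow-listed name or an address inside an allowed range."""
    if host in ALLOWED_HOSTS:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETS)


def classify_item(item: dict) -> dict:
    """Label one item: clean, local-path, unc-allowed or suspicious."""
    value = item.get("reminder_file")
    if not value:
        return {"subject": item["subject"], "status": "clean", "host": None}
    host = unc_host(value)
    if host is None:
        # A local file such as C:\Windows\Media\chimes.wav causes no SMB traffic.
        return {"subject": item["subject"], "status": "local-path", "host": None}
    status = "unc-allowed" if host_is_allowed(host) else "suspicious"
    return {"subject": item["subject"], "status": status, "host": host}


def scan(items: list) -> list:
    """Classify every item in the list."""
    return [classify_item(item) for item in items]


def suspicious_hosts(items: list) -> set:
    """Hosts Outlook would have authenticated to; candidates for the block list."""
    return {r["host"] for r in scan(items) if r["status"] == "suspicious"}


# Constructed sample data; 203.0.113.0/24 is a documentation address range.
SAMPLE_ITEMS = [
    {"subject": "Team sync", "reminder_file": None},
    {"subject": "Quarterly review", "reminder_file": r"C:\Windows\Media\chimes.wav"},
    {"subject": "Shared sound", "reminder_file": r"\\fileserver.corp.example\media\ding.wav"},
    {"subject": "Invoice", "reminder_file": r"\\203.0.113.10\share\s.wav"},
    {"subject": "Reminder", "reminder_file": r"\\?\UNC\203.0.113.10\share\s.wav"},
    {"subject": "Reminder 2", "reminder_file": r"\\203.0.113.10@80\DavWWWRoot\s.wav"},
]

if __name__ == "__main__":
    for r in scan(SAMPLE_ITEMS):
        print(f"{r['status']:12} {r['subject']:18} {r['host'] or ''}")
    print("suspicious hosts:", sorted(suspicious_hosts(SAMPLE_ITEMS)))
```

A hit identifies both the message to remove and the host to block at the perimeter; the owner of the mailbox should have their password reset regardless, since the Net-NTLMv2 response may already have been relayed by the time the scan runs.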

Microsoft says this vulnerability has been exploited by APT28 since April 2022. It thanked the Polish Cyber Command for helping it take action against Forest Blizzard.

GRU-affiliated hackers typically make use of other known flaws in widely used software too, according to Microsoft, including CVE-2023-38831 in WinRAR and CVE-2021-40444 in Windows MSHTML.

Recent attacks on Roundcube webmail installations used by government entities in Ukraine, among others, have also been attributed to APT28, which is known as a highly sophisticated and adaptable threat actor.

Organisations are urged to patch CVE-2023-23397 and CVE-2023-29324, a later-discovered bypass of the original fix; use the scripts provided by Microsoft to check mailboxes for messages carrying the malicious property; reset passwords for any affected accounts and enforce multi-factor authentication (MFA); and limit SMB traffic by blocking ports 135 and 445 from all inbound addresses except those on a controlled allowlist. Because the credential leak itself is an outbound SMB connection from the client to the attacker's share, blocking outbound TCP 445 at the perimeter and adding sensitive accounts to the Protected Users group, whose members cannot authenticate with NTLM, also reduce exposure.