In the evolving landscape of cybersecurity, the CVE-2023-23397 vulnerability has emerged as a critical concern for organizations globally. This blog post aims to dissect the intricacies of this vulnerability, its exploitation by threat actors, and provide guidance on mitigation strategies.
The Threat Actor: Forest Blizzard
CVE-2023-23397 gained significant attention when Microsoft identified a nation-state activity group, named Forest Blizzard (STRONTIUM), exploiting this vulnerability. This Russian state-sponsored threat actor, linked to the GRU's Unit 26165, has targeted entities in government, energy, transportation, and NGOs across the US, Europe, and the Middle East.
Nature of the Vulnerability
This vulnerability is a critical elevation of privilege issue in Microsoft Outlook on Windows. It is exploited via a specially crafted message containing the PidLidReminderFileParameter MAPI property, set to a Universal Naming Convention (UNC) path on a server controlled by the attacker. This triggers a Net-NTLMv2 hash leak, which can be used for authentication against systems supporting NTLMv2 or for offline password cracking.
Scope and Impact
Microsoft traced potential exploitation of CVE-2023-23397 to as early as April 2022, indicating its long-standing presence. Significantly, the vulnerability affects all versions of Microsoft Outlook on Windows, while Outlook on other platforms remains unaffected.
Investigating and Mitigating CVE-2023-23397
Understanding the Attack Technique
The exploitation of CVE-2023-23397 involves the Transport Neutral Encapsulation Format (TNEF) used by Outlook to transmit formatted email messages. Threat actors can manipulate the PidLidReminderFileParameter to secretly access email accounts, bypassing initial authentication and moving laterally within an organization's network.
Steps for Organizations
- Assessment of Compromise: Organizations should assess whether their users have been targeted or compromised by following a structured approach. This includes reviewing suspicious messages, analyzing network logs, and scanning for the PidLidReminderFileParameter in delivered messages.
- Comprehensive Threat Hunting: A thorough threat hunting strategy is crucial for detecting credential compromise. This involves reviewing security logs, such as firewall and proxy logs, and hunting for indicators of compromise (IOCs) related to CVE-2023-23397 exploitation.
- Monitoring Event Logs: Reviewing SMBClient event logs and other network telemetry can help identify potential exploitation. These logs can reveal failed outbound connection attempts to threat actor-controlled infrastructure, which might suggest an attempted exploit.
- Exchange Server Log Analysis: For organizations using Exchange Server, analyzing various log sources, including IIS logs, can reveal unauthorized access attempts or post-exploitation activities.
The CVE-2023-23397 vulnerability poses a significant threat to organizations using Microsoft Outlook on Windows. By understanding the nature of this vulnerability and implementing a comprehensive approach to threat hunting and log analysis, organizations can better protect themselves against such sophisticated cyberattacks. It is crucial to stay vigilant, keep systems updated, and continuously monitor for unusual activities within the network.