Attackers associated with the notorious Russian Fancy Bear threat group are exploiting a nine-month-old vulnerability in Microsoft Exchange against targets in Poland and potentially other countries.
Researchers from the Polish Cyber Command identified the attacks and observed the attackers exploiting CVE-2023-23397, an elevation-of-privilege vulnerability in Exchange that Microsoft first disclosed in March. At the time of the disclosure, attackers had already been exploiting the vulnerability as a zero day, including in attacks against organizations in Ukraine. The vulnerability enables an attacker to gain control of a target Exchange mailbox.
“CVE-2023-23397 is a critical elevation of privilege vulnerability in Microsoft Outlook on Windows. It is exploited when a threat actor delivers a specially crafted message to a user. This message includes the PidLidReminderFileParameter extended Messaging Application Programming Interface (MAPI) property, which must be set to a Universal Naming Convention (UNC) path share on a threat actor-controlled server (via Server message block (SMB)/transmission control protocol (TCP) port 445),” the Microsoft advisory says.
“In exploitation of CVE-2023-23397, threat actors can specify the value for the PidLidReminderFileParameter in specially crafted messages to trigger a Net-NTLMv2 hash leak to threat actor-controlled servers.”
In the attacks observed by the Polish Cyber Command, once the attackers gained access to a target mailbox, they then set about making changes to the permissions and settings of the mailbox.
“In the next stage of malicious activity, the adversary modifies folder permissions within the victim's mailbox[3]. In most cases, the modifications are to change the default permissions of the "Default" group (all authenticated users in the Exchange organization) from "None" to "Owner". By making this type of modification, the contents of folders that have been granted this permission can be read by any authenticated person within the organization,” the Polish Cyber Command advisory says.
“In cases identified by POL Cyber Command, folders permissions were modified, among others, in mailboxes that were high-value information targets for the adversary. As a result of this change, the adversary was able to gain unauthorized access to the resources of high-value informational mailboxes through any compromised email account in the Exchange organization, using the Exchange Web Services (EWS) protocol.”
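The permission change described in the advisory can be checked for offline in an export of mailbox folder permissions. The following is an added example, not code from the Polish Cyber Command or Microsoft advisories; the CSV column names and the sample rows are constructed assumptions. It goes beyond the exact "None" to "Owner" change and also flags any role or right that lets the "Default" or "Anonymous" principal read items:

```python
import csv
import io

# Exchange folder roles and individual rights that let the grantee read items.
READ_GRANTING = {
    "Owner", "PublishingEditor", "Editor", "PublishingAuthor",
    "Author", "NonEditingAuthor", "Reviewer", "ReadItems",
}
# Principals that stand for "everyone": Default is every authenticated user
# in the Exchange organization, Anonymous is unauthenticated access.
BROAD_PRINCIPALS = {"default", "anonymous"}

# Constructed sample export; the column names are an assumption of this example.
SAMPLE_CSV = """Mailbox,Folder,User,AccessRights
ceo@example.test,Inbox,Default,Owner
ceo@example.test,Inbox,Anonymous,None
ceo@example.test,Calendar,Default,AvailabilityOnly
ceo@example.test,Sent Items,Default,"FolderVisible, ReadItems"
cfo@example.test,Inbox,assistant@example.test,Editor
cfo@example.test,Inbox,Default,None
"""

def audit_folder_permissions(csv_text):
    """Return (mailbox, folder, principal, rights) for each broad read grant."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        principal = row["User"].strip()
        if principal.lower() not in BROAD_PRINCIPALS:
            continue  # named delegates are out of scope for this check
        rights = {r.strip() for r in row["AccessRights"].split(",") if r.strip()}
        granted = sorted(rights & READ_GRANTING)
        if granted:
            findings.append((row["Mailbox"], row["Folder"], principal, granted))
    return findings

def owner_grants(findings):
    """Narrow to the exact change in the advisory: Default set to Owner."""
    return [f for f in findings if f[2].lower() == "default" and "Owner" in f[3]]

if __name__ == "__main__":
    for mailbox, folder, principal, granted in audit_folder_permissions(SAMPLE_CSV):
        print(f"{mailbox} / {folder}: {principal} -> {', '.join(granted)}")
```

Calendar folders commonly carry "AvailabilityOnly" for "Default", which is why the check keys on read-granting rights rather than on any value other than "None".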
The patch for this vulnerability has been available since March and Microsoft researchers encourage any organization that hasn’t deployed the fix to do so as soon as possible.
Fancy Bear, which Microsoft calls Forest Blizzard, is an APT group associated with the Russian GRU military intelligence agency, and it has a history of targeting organizations in government, energy, transportation, and other industries in many countries. The group is highly resourced and persistent and has a variety of custom tools at its disposal.
“Forest Blizzard continually refines its footprint by employing new custom techniques and malware, suggesting that it is a well-resourced and well-trained group posing long-term challenges to attribution and tracking its activities,” Microsoft said.