APT28's Persistent Attacks Abuse Outlook Vulnerability CVE-2023-23397, Ongoing Since 2022
Researchers from Unit 42 added urgency to an advisory from Microsoft and Poland's Cyber Command (DKWOC) earlier this week, reporting that the Russian state-sponsored threat group APT28 (aka Fighting Ursa, Fancy Bear, Strontium/Forest Blizzard, Pawn Storm, Sofacy, or Sednit) is actively exploiting the critical privilege escalation vulnerability CVE-2023-23397 in Microsoft Outlook against organizations. "Unit 42 researchers have observed this group using CVE-2023-23397 over the past 20 months to target at least 30 organizations within 14 nations that are of likely strategic intelligence value to the Russian government and its military." Unit 42 has observed three campaigns associated with the vulnerability, dating back to March 2022, with APT28 exploiting it in each of them. The targeted industries are diverse: victims include ministries, critical infrastructure entities, and organizations related to energy, transportation, telecommunications, information technology, and the military-industrial base. The targeted nations include those associated with the North Atlantic Treaty Organization (NATO) and High Readiness Force Headquarters.
Analysis of over 50 samples by Unit 42 identifies a shrewd operation built on NTLM relay attacks delivered through the Outlook vulnerability. "Threat actors only use these exploits when the rewards associated with the access and intelligence gained outweigh the risk of public discovery of the exploit," explains Unit 42. The second and third campaigns run by APT28 took place in the second half of March 2023 and from August 30 to October 11, 2023, respectively. APT28 continued to use exploits for CVE-2023-23397 and to repeat its techniques without much concern for attribution, as "the access and intelligence generated by these operations outweighed the ramifications of public outing and discovery."
The article serves as a warning to organizations, urging immediate patching of the vulnerability and a comprehensive defensive configuration to guard against future attacks. The insight into APT28's persistent and strategic targeting provides a unique understanding of Russian military priorities, especially during times of international conflict. With multiple advisories underscoring the severity of CVE-2023-23397, a comprehensive approach is necessary to keep an organization secure. Reiterating Microsoft's updated advisory, it recommends reviewing user-reported suspicious messages and calendar items, examining network and endpoint logs for known atomic indicators, scanning Exchange for messages with specific parameters, and remaining vigilant for anomalous behaviors such as NTLM authentication involving untrusted resources and WebDAV connection attempts, which can be monitored through various logging and telemetry tools. Firewall logs should also be analyzed for suspicious outbound SMB connections.
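As an added illustration of the last recommendation (analyzing firewall logs for suspicious outbound SMB connections), the following Python script is example code written for this page; it is not from Unit 42, Microsoft, or the original article. It assumes a constructed syslog-style key=value firewall export, an RFC 1918 internal address space, and a small allowlist of sanctioned file servers; all three are assumptions to replace with real inventory data. Any SMB flow (TCP 445 or 139) to a destination outside the organization's networks is rated high, and SMB to an internal host that is not a known file server is rated medium, whether the firewall allowed or denied it, since a blocked attempt still indicates a client that tried to authenticate to an unexpected resource.

```python
import ipaddress
import re

# Constructed sample firewall export for this example (not real log data).
SAMPLE_LOGS = """\
2023-09-14T08:12:03Z fw01 src=10.0.12.44 dst=10.0.5.20 dport=445 proto=tcp action=allow
2023-09-14T08:12:07Z fw01 src=10.0.12.44 dst=203.0.113.17 dport=445 proto=tcp action=allow
2023-09-14T08:12:09Z fw01 src=10.0.12.44 dst=203.0.113.17 dport=443 proto=tcp action=allow
2023-09-14T08:13:01Z fw01 src=10.0.12.91 dst=192.168.77.5 dport=139 proto=tcp action=deny
this line is not a flow record and is skipped
"""

# Assumed log line layout: "<ts> <host> src=<ip> dst=<ip> dport=<n> proto=<p> action=<a>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\S+)\s+action=(?P<action>\S+)$"
)

SMB_PORTS = {445, 139}

# Assumptions for this example: the organization's internal address space and
# the file servers clients are expected to talk SMB to. Replace with inventory.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]
TRUSTED_FILE_SERVERS = {ipaddress.ip_address("10.0.5.20")}


def parse_line(line):
    """Parse one flow record; return a dict or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["src"] = ipaddress.ip_address(rec["src"])
        rec["dst"] = ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None  # malformed address field; treat as unparseable
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip):
    """True if the address falls inside one of the organization's networks."""
    return any(ip in net for net in INTERNAL_NETS)


def classify(rec):
    """Return 'high', 'medium', or None for a parsed flow record."""
    if rec["proto"].lower() != "tcp" or rec["dport"] not in SMB_PORTS:
        return None
    if rec["dst"] in TRUSTED_FILE_SERVERS:
        return None
    if not is_internal(rec["dst"]):
        return "high"  # SMB leaving the organization: credential leak risk
    return "medium"  # SMB to an internal host that is not a known file server


def find_suspicious_smb(log_text):
    """Scan a block of log text and return the flagged flows in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        severity = classify(rec)
        if severity is None:
            continue
        findings.append({
            "severity": severity,
            "ts": rec["ts"],
            "src": str(rec["src"]),
            "dst": str(rec["dst"]),
            "dport": rec["dport"],
            "action": rec["action"],
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_smb(SAMPLE_LOGS):
        print(f"[{f['severity']:6}] {f['ts']} {f['src']} -> {f['dst']}:{f['dport']} ({f['action']})")
```

Running it against the constructed sample flags the allowed connection to 203.0.113.17 on port 445 as high and the denied connection to 192.168.77.5 on port 139 as medium; the sanctioned file server and the HTTPS flow are ignored. The internal-network test is deliberately driven by a configured prefix list rather than Python's `is_global` property, which treats documentation ranges such as 203.0.113.0/24 as non-global and would otherwise hide a flow like the one in the sample.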