Concern grows as CVE-2023-23397 exploits proliferate


The exploit triggers NTLM authentication to an attacker-controlled IP address (i.e. one outside the trusted intranet) as soon as the Outlook client processes the message's reminder, without the user opening the email and whether or not the user has chosen to load remote images. Commenting on the CVE-2023-23397 PoC, MDSec's Dominic Chell said he has been using similar NTLM exploits in red teaming for a few years, adding: "You can relay from outside to anything on the inside that also supports NTLM."

The critical Outlook vulnerability affects 32- and 64-bit versions of Microsoft 365 Apps for Enterprise and Office 2013, 2016 and 2019. It is triggered by sending a specially crafted email (which does not even need to be opened) that lets an attacker obtain the recipient's Net-NTLMv2 hash (NTLM is the challenge-response protocol used for authentication in Windows environments) and relay it to authenticate as the victim.

The earliest evidence of exploitation, attributed to Russian military intelligence (the GRU), dates to April 2022 and targeted government, logistics, oil and gas, defense and transport organizations in Poland, Ukraine, Romania and Turkey. Mandiant said these organizations were likely "targeted to gather strategic intelligence or prepare for a disruptive and destructive cyber attack inside and outside Ukraine."

"This is a popular event," said Mandiant Vice President John Hultquist. "PoC exists and this vulnerability will become widespread," he added, noting that "we [the security industry] don't see everything. It looks like the GRU went unnoticed exploring critical infrastructure (pipelines/logistics) outside of Ukraine for a year."

As one security researcher noted: "Luckily for us [the blue team], it was extremely easy to detect. 1. svchost spawns rundll32 with the attacker's UNC path. 2. svchost makes separate HTTP requests." Microsoft has also released a detection script (if not yet IOCs), CVE-2023-23397.ps1, which, according to Redmond, "checks Exchange messaging items (mail, calendar and tasks) to see if a property is populated with a UNC path. If required, admins can use this script to clean up the property for items that are malicious or even permanently delete the items."
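The two detection handles described above (a message item property holding a UNC path to an untrusted host, and svchost spawning rundll32 with that path on its command line) reduce to simple logic. The Python below is an added example written for this page; it is not Microsoft's CVE-2023-23397.ps1 and not the researcher's tooling. The trusted address ranges, the `.corp.example` suffix, the UNC regex and the sample process-creation events (including the rundll32 argument layout) are constructed assumptions, and the field names mirror Sysmon Event ID 1.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Matches a UNC path (\\host\share\...) and captures the host. Constructed for this
# example; it does not try to cover exotic forms such as \\?\ device paths.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9][A-Za-z0-9.\-_]*)\\\S*")

# Assumed trusted address space: RFC 1918 ranges plus loopback, and one assumed
# internal DNS suffix. Adjust these to the real environment.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
TRUSTED_SUFFIXES = (".corp.example",)


def unc_hosts(text: str) -> List[str]:
    """Every host named by a UNC path inside text (an item property or a command line)."""
    return [m.group(1) for m in UNC_RE.finditer(text)]


def is_trusted_host(host: str) -> bool:
    """True for addresses inside the trusted ranges or names under the internal suffix.
    A single-label name (no dot) is treated as an internal NetBIOS-style name."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        lowered = host.lower()
        return "." not in lowered or lowered.endswith(TRUSTED_SUFFIXES)
    return any(ip in net for net in TRUSTED_NETS)


def untrusted_unc_hosts(text: str) -> List[str]:
    """Hosts referenced by UNC paths in text that sit outside the trusted space.
    This is the check a mail/calendar/task property scan would apply to each item."""
    return [h for h in unc_hosts(text) if not is_trusted_host(h)]


@dataclass
class ProcEvent:
    """Subset of a process-creation record (Sysmon Event ID 1 field names)."""
    parent_image: str
    image: str
    command_line: str


def flag_event(ev: ProcEvent) -> Optional[List[str]]:
    """The researcher's first indicator: svchost spawning rundll32 whose command line
    carries a UNC path to an untrusted host. Returns the offending hosts, else None."""
    if not ev.parent_image.lower().endswith("\\svchost.exe"):
        return None
    if not ev.image.lower().endswith("\\rundll32.exe"):
        return None
    hosts = untrusted_unc_hosts(ev.command_line)
    return hosts or None


def scan(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """Return (index, hosts) for every event that trips the rule."""
    hits = []
    for i, ev in enumerate(events):
        hosts = flag_event(ev)
        if hosts:
            hits.append((i, hosts))
    return hits


# Constructed sample events (not captured from a real incident). 203.0.113.0/24 is
# the TEST-NET-3 documentation range, standing in for an attacker-controlled host.
SAMPLE_EVENTS = [
    # svchost (WebClient) -> rundll32 with an external UNC path: should be flagged
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe davclnt.dll,DavSetCookie 203.0.113.7 \\203.0.113.7\share\reminder.wav"),
    # same parent/child pair but an internal file server: benign
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe davclnt.dll,DavSetCookie fileserver \\fileserver.corp.example\public\chime.wav"),
    # external UNC path but a different parent: outside this rule's scope
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL \\203.0.113.7\share\x"),
    # svchost -> rundll32 with a local DLL only: benign
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for idx, hosts in scan(SAMPLE_EVENTS):
        print(f"event {idx}: svchost -> rundll32 with untrusted UNC host(s) {hosts}")
```

The rule deliberately keys on the parent/child pair rather than on rundll32 alone, since rundll32 is noisy on any Windows host; the untrusted-host test is the same one an item-property scan would apply, and it is what separates a legitimate internal share from an attacker's listener.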
