Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa.

Russian Espionage Group Hammers Zero-Click Microsoft Outlook Bug

State-sponsored actors continue to exploit CVE-2023-23397, a dangerous no-interaction vulnerability in Microsoft's Outlook email client that was patched in March, in a widespread global campaign.

4 Min Read
Russian flag on digital matrix background
Source: Klaus Ohlenschlaeger via Alamy Stock Photo

An espionage group linked to the Russian military continues to use a zero-click vulnerability in Microsoft Outlook in attempts to compromise systems and gather intelligence from government agencies in NATO countries, as well as the United Arab Emirates (UAE) and Jordan in the Middle East. 

A spate of recent attacks in September and October by the Fighting Ursa group — better known as Forest Blizzard, APT28, or Fancy Bear — is the third wave to use the dangerous Outlook privilege-escalation vulnerability, tracked as CVE-2023-23397, which allows attackers a way to steal a user's password hash by coercing the victim's Microsoft Outlook client to connect to an attacker-controlled server without user interaction.

So far, the advanced persistent threat (APT) has targeted at least 30 organizations in 14 countries using an exploit for the bug, network security firm Palo Alto Networks stated in an analysis published Dec. 7. The attacks focus on organizations related to energy production and distribution, oil and gas pipelines, and government ministries in charge of defense, the economy, and domestic and foreign affairs.

"It's one thing to suspect a nation or industry is at risk from a nation-state APT actor — it's another to be able to examine an APT's campaigns in depth and provide concrete observations as to which nations and industries are being targeted," says Michael Sikorski, vice president and chief technology officer for the Unit 42 threat intelligence team at Palo Alto Networks. "Given that 11 of the 14 nations targeted throughout all three campaigns are NATO members, we assess that intelligence regarding NATO, Ukraine, and its allies remains a high priority for the Russian military."

Targeting NATO, Ukraine, and the Middle East

The espionage campaigns targeting the vulnerability happened in three waves: an initial wave using the Outlook bug as a zero-day flaw between March and December 2022, then in March of this year following the patch for the issue, and the most recent campaign, in September and October, according to Palo Alto Networks' analysis. The targets included one of the nine NATO Rapid Deployable Corps, a unit focused on rapid response to a variety of incidents, including natural disaster, counterterrorism, and war fighting, the firm stated.

Researchers at multiple firms have linked the APT to Unit 26165 of the Russian Federation's military intelligence agency, otherwise known as the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).

"Forest Blizzard continually refines its footprint by employing new custom techniques and malware, suggesting that it is a well-resourced and well-trained group posing long-term challenges to attribution and tracking its activities," Microsoft stated in an analysis updated on Dec. 4

Microsoft worked with the Polish Cyber Command to investigate the attack and develop mitigations against the attackers. Poland is one of the nations targeted by the Outlook-exploitation campaign.

CVE-2023-23397: No Longer Zero-Day, but Still Valuable

First patched in March, the Microsoft Outlook vulnerability allows a specially crafted email to trigger a leak of the users Net-NTLMv2 hashes, and does not require any user interaction. Using those hashes, the attacker can then authenticate as the victim to other systems that support NTLM authentication.

Microsoft addressed the original vulnerability issue with a patch that essentially prevented the Outlook client from making malicious connections. However, soon thereafter, a researcher from Akamai examining the fix found another issue in a related Internet Explorer component that allowed him to bypass the patch altogether. Microsoft assigned a separate identifier for the new bug (CVE-2023-29324) and issued a patch for it in May's Patch Tuesday release.

In the latest attacks using what some termed 2023's "It" bug, the behavior suggests the "access and intelligence generated by these operations outweighed the ramifications of public outing and discovery," Palo Alto Networks stated in its analysis.

Palo Alto Networks has urged its customers to patch the vulnerability, but the company has no data on how many — or how few — companies have taken the defensive measure, says Sikorski.

"We have been following this CVE since it was announced, and have also been closely monitoring Russian threat activity since before the invasion of Ukraine," he says. "Based upon Fighting Ursa's ... continued exploitation attempts against this vulnerability, we assess that organizations have either failed to patch or improperly configured their systems."

The Outlook vulnerability is not the only one exploited by Fancy Bear. Microsoft's analysis points out that the group also exploited a vulnerability in the WinRAR archiving utility (CVE 2023-38831) in early September, and six other software flaws in recent months.

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights