
February 15, 2024 |

High severity vulnerability in Microsoft Exchange actively exploited


Microsoft has acknowledged that a critical vulnerability recently detected in Exchange Server has been actively exploited in the wild. The flaw, designated CVE-2024-21410 and assigned a CVSS rating of 9.8, is a privilege escalation vulnerability that could allow threat actors to obtain Windows New Technology LAN Manager (NTLM) credentials from email clients such as Outlook. Stolen NTLM credentials can then be re-used by the threat actor to authenticate as the victim and ultimately access their email account.

While Microsoft has not released any details regarding the particular threat actors observed exploiting the vulnerability, Russian state-sponsored cyber actors have a history of exploiting NTLM relay flaws in Outlook to target organizations in the energy, defense, and transportation industries as well as foreign affairs.

Microsoft has addressed CVE-2024-21410 in this week’s Patch Tuesday updates, in addition to CVE-2024-21413, another critical vulnerability in Outlook that could lead to remote code execution by bypassing security measures such as Protected View.

Source: The Hacker News

Analysis

Microsoft Exchange is a high value target for both state-sponsored cyber actors looking to obtain sensitive information and cyber criminals looking to encrypt or extort data for financial gain. CVE-2024-21410 appears to be very similar to CVE-2023-23397, another critical NTLM relay vulnerability. In December 2023, Microsoft announced that it had observed the hacking arm of the Russian Main Intelligence Directorate (GRU), known as APT 28, exploiting CVE-2023-23397 in an attack that involved APT 28 sending malicious emails to vulnerable versions of Outlook via Microsoft Exchange. Once received, the user’s NTLM credentials were transferred via a connection to a device under APT 28’s control without any action on the part of the user. APT 28 could then use this hash value to authenticate as the victim.

Mitigation

Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in appliances like Microsoft Exchange. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the exploitation of these vulnerabilities. Covalence users were automatically notified if a vulnerable version of Exchange was detected in their environment and are encouraged to review these AROs as quickly as possible via the Covalence portal.

Field Effect strongly encourages users of Microsoft Exchange to update to the latest version as soon as possible in accordance with Microsoft’s advisory. Additionally, users should enable Extended Protection for Authentication (EPA) to provide an additional layer of protection against this type of attack.
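The following read-only audit script, added here as an example and not part of the advisory or of Field Effect's own tooling, lists the Extended Protection for Authentication (EPA) tokenChecking setting on each Exchange-related IIS virtual directory, so an administrator can see which ones are still at None before applying the change. It assumes it runs on the Exchange server itself with the WebAdministration module available; the site and virtual-directory names are an illustrative assumption and should be extended to match the deployment.

```powershell
# Added example (not from the Field Effect advisory): read-only audit of
# Extended Protection for Authentication (EPA) on Exchange IIS virtual
# directories. Assumes it runs on the Exchange server with the
# WebAdministration module. The site/virtual-directory list below is an
# illustrative assumption; adjust it to the roles installed on this server.
Import-Module WebAdministration

$sites = @('Default Web Site', 'Exchange Back End')
$vdirs = @('Autodiscover', 'EWS', 'mapi', 'Microsoft-Server-ActiveSync',
           'OAB', 'owa', 'ecp', 'Rpc', 'PowerShell')

$results = foreach ($site in $sites) {
    foreach ($vdir in $vdirs) {
        # Skip directories that do not exist on this server; querying a
        # nonexistent location would otherwise just return inherited defaults.
        if (-not (Test-Path "IIS:\Sites\$site\$vdir")) { continue }

        $location = "$site/$vdir"
        # extendedProtection sits under windowsAuthentication. tokenChecking is
        # None (EPA off), Allow (honoured when the client offers it) or
        # Require (enforced).
        $ep = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Location $location `
            -Filter 'system.webServer/security/authentication/windowsAuthentication' `
            -Name 'extendedProtection' -ErrorAction SilentlyContinue
        if ($null -eq $ep) { continue }

        $tc = [string]$ep.tokenChecking
        [pscustomobject]@{
            Location      = $location
            TokenChecking = $tc
            EpaEnabled    = ($tc -ne 'None')
        }
    }
}

$results | Format-Table -AutoSize

# Surface every directory still at None so it can be compared against
# Microsoft's documented per-directory values before anything is changed.
$results | Where-Object { -not $_.EpaEnabled } |
    ForEach-Object { Write-Warning "EPA not enabled on $($_.Location)" }
```

Run it in an elevated PowerShell session on each Exchange server; it changes nothing. Microsoft's documented EPA values differ by virtual directory, so treat this output as a way to confirm current state and compare it with Microsoft's Exchange Extended Protection guidance rather than as a reason to set every entry to Require.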
