On December 4th, 2023, Microsoft revealed that it had observed the cyber wing of Russia’s Military Intelligence Directorate (GRU), known publicly as APT28, Sandworm, and STRONTIUM, exploiting several known vulnerabilities to target government, energy, transportation, and other key organizations in the United States, Europe, and the Middle East.
The primary attack vector is the exploitation of CVE-2023-23397, a critical privilege escalation vulnerability affecting Outlook on Windows. The bug was patched in March 2023 amid reports it had been exploited as a zero-day since April 2022 as part of a campaign against Ukrainian organizations.
The attack starts with a specially crafted phishing email that forces the recipient to automatically request a file from a remote server under APT28’s control.
Since this automatic request uses the Server Message Block (SMB) protocol, it automatically includes the victim’s Net-NTLMv2 hash which can then be used by APT28 to authenticate as the victim (pass-the-hash attack) or be decrypted (crack-the-hash attack). Once exploited, APT28 moved laterally within the victim's environment and conducted email theft from Outlook mailboxes.
In addition to CVE-2023-23397, APT28 has also been observed exploiting CVE-2023-38831 and CVE-2021-40444 in the same campaign. CVE-2023-38831 is a vulnerability in WinRAR that allows threat actors to execute arbitrary code when a user attempts to view a benign file within a ZIP archive, while CVE-2021-40444 is a remote code execution vulnerability in MSHTML, Microsoft’s proprietary browser engine for Internet Explorer. The vulnerability allows threat actors to embed malicious ActiveX controls in Microsoft Office documents that use MSHTML.
This campaign serves as a reminder that while APT28 does have the capability to develop zero-day exploits and novel malware it will still go after “low-hanging fruit” when the opportunity arises. In this case, APT28 likely realized that many of its targets were susceptible to known vulnerabilities and relatively simple attacks, such as exploiting the SMB protocol for NTLM hash capture.
Russian state-sponsored threat actors have a history of using this simple tactic. For example, the Russian Federal Security Service (FSB) was observed using this attack vector against European and North American energy companies between 2015 and 2017 during a campaign called Dragonfly. Once access was established via NTLM hash relay, the threat actor immediately began looking for industrial control systems accessible from the victim’s device.
Since the SMB protocol uses port 445, NTLM hash-based attacks can be prevented by simply blocking external connections to port 445. Additionally, the use of long and complex passwords makes the hash more difficult and time-consuming to crack, while the use of multifactor authentication (MFA) would help defeat pass-the-hash attacks.
Covalence users are automatically notified when external SMB connections on port 445 are observed within their environment and are encouraged to review these AROs as quickly as possible.
Field Effect strongly encourages users of Microsoft Outlook to update to the latest version as soon as possible.