Guidance for investigating attacks using CVE-2023-23397 | Microsoft Security Blog

Microsoft’s guidance explains how CVE-2023-23397 enables a Net-NTLMv2 hash leak, triggered by Outlook reminders without user interaction, and identifies Forest Blizzard (STRONTIUM), a Russian state-sponsored group linked to GRU Unit 26165, as an actor exploiting this vulnerability to access Exchange servers and compromise mailboxes. The article also provides threat hunting, detection, and mitigation steps to identify targeted activity and prevent credential leakage. #ForestBlizzard #STRONTIUM #CVE-2023-23397 #NetNTLMv2 #Outlook #ExchangeServer #GRU #Unit26165

Keypoints

  • CVE-2023-23397 is a critical elevation-of-privilege flaw in Outlook for Windows that triggers a Net-NTLMv2 hash leak via a crafted PidLidReminderFileParameter in a malicious message.
  • The vulnerability can be exploited without user interaction if Outlook is open when the reminder triggers, leveraging SMB/UNC paths to threat actor-controlled servers.

MITRE Techniques

  • [T1021.002] SMB/Windows Admin Shares – Post-exploitation usage of SMB to relay Net-NTLMv2 hashes to Exchange servers and other infrastructure. ‘Using a Net-NTLMv2 Relay attack against Exchange Servers’
  • [T1550] Credential Access: Relayed NTLM (Pass-the-Hash/NTLM Relaying) – Leak of Net-NTLMv2 hashes enabling authentication or offline cracking. ‘The vulnerability triggers a Net-NTLMv2 hash leak’
  • [T1566.001] Phishing: Spearphishing Attachment – Forest Blizzard leveraged WinRAR CVE-2023-38831 to adapt spear-phishing operations against targets. ‘leveraged the WinRAR CVE 2023-38831 vulnerability to adapt spear-phishing operations’
  • [T1112] Registry Key Modification – Potential registry modifications (e.g., OutlookTasks/OutlookNotes keys) as indicators of reminder-triggered activity. ‘registry keys will not exist’
  • [T1059] Command and Scripting Interpreter – WebDAV/SMB process invocation when the client attempts outbound connections or loads DLLs in the course of the credential leak. ‘Process Creation events’ and example commands shown in WebDAV scenarios.

Indicators of Compromise

  • [IP] Known threat infrastructure – 101.255.119.42, 213.32.252.221, 168.205.200.55, 185.132.17.160, 69.162.253.21, 113.160.234.229, 181.209.99.204, 82.196.113.102, 85.195.206.7, 61.14.68.33 – associated with exploitation activity.
  • [File] Winmail.dat – TNEF attachment format commonly used to carry Outlook-specific content.
  • [File] reminder.wav – value set in the PidLidReminderFileParameter property used to trigger the hash leak.
  • [Registry Key] HKCU\Software\Microsoft\Office\Outlook\Tasks – indicator of Task reminder activity.
  • [Registry Key] HKCU\Software\Microsoft\Office\Outlook\Notes – indicator of Note reminder activity.
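The keypoints above describe the mechanism (a PidLidReminderFileParameter value pointing at an SMB or WebDAV UNC path on a remote host) and the IoC list gives the infrastructure addresses. The following triage helper is an added example, not Microsoft’s code or anything from the original post: it takes already-extracted reminder-file values (how you export them from mailboxes is outside its scope), classifies each as a local path, an SMB UNC path or a WebDAV mini-redirector path, and grades it against the page’s IP list. The sample values and the `.invalid` hostnames are constructed for the demonstration.

```python
"""Triage PidLidReminderFileParameter values for CVE-2023-23397-style abuse.

A legitimate reminder sound is a local .wav file. A value that points at a
UNC location (\\host\share or the WebDAV forms \\host@80\..., \\host@SSL\...,
\\host@SSL@443\...) makes the Outlook client authenticate to that host,
which is the Net-NTLMv2 leak described on this page.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Infrastructure IPs listed in the summary above (page-provided IoCs).
KNOWN_BAD_IPS = frozenset({
    "101.255.119.42", "213.32.252.221", "168.205.200.55", "185.132.17.160",
    "69.162.253.21", "113.160.234.229", "181.209.99.204", "82.196.113.102",
    "85.195.206.7", "61.14.68.33",
})

# \\host\path, with optional WebDAV suffixes @SSL and/or @<port> on the host.
UNC_RE = re.compile(
    r"^\\\\(?P<host>[^\\@]+)(?P<ssl>@SSL)?(?:@(?P<port>\d+))?(?:\\(?P<path>.*))?$",
    re.IGNORECASE,
)


@dataclass
class Finding:
    value: str
    kind: str            # "local", "smb" or "webdav"
    host: Optional[str]
    verdict: str         # "benign", "review", "high" or "critical"
    reason: str


def classify_host(host: str) -> str:
    """Return 'known_bad', 'public', 'private_or_reserved' or 'hostname'."""
    if host in KNOWN_BAD_IPS:
        return "known_bad"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"            # not an IP literal; cannot verify offline
    return "public" if ip.is_global else "private_or_reserved"


def triage_reminder_path(value: str) -> Finding:
    """Grade one reminder-file value. Forward slashes are accepted as in Windows."""
    norm = value.strip().replace("/", "\\")
    m = UNC_RE.match(norm)
    # Not a UNC path, or a \\?\ / \\.\ device path: local, no network auth.
    if not m or m.group("host") in ("?", "."):
        return Finding(value, "local", None, "benign", "local file path")
    host = m.group("host")
    kind = "webdav" if (m.group("ssl") or m.group("port")) else "smb"
    hclass = classify_host(host)
    if hclass == "known_bad":
        return Finding(value, kind, host, "critical",
                       f"{kind} path to listed exploitation infrastructure {host}")
    if hclass in ("public", "hostname"):
        # An unresolved hostname is treated as external until proven otherwise.
        return Finding(value, kind, host, "high", f"{kind} path to external host {host}")
    return Finding(value, kind, host, "review", f"{kind} path to internal host {host}")


# Constructed sample values as they might be exported from mailboxes.
SAMPLE_VALUES = [
    r"C:\Windows\Media\reminder.wav",
    r"\\101.255.119.42\share\reminder.wav",          # IP from the IoC list
    r"\\dav.example.invalid@80\sounds\reminder.wav",  # constructed WebDAV host
    r"\\10.0.0.5\sounds\chime.wav",                   # constructed internal server
    r"\\?\C:\Windows\Media\reminder.wav",
]


def scan_values(values: List[str]) -> List[Finding]:
    """Return every non-benign finding, most severe first."""
    order = {"critical": 0, "high": 1, "review": 2}
    hits = [f for f in (triage_reminder_path(v) for v in values) if f.verdict != "benign"]
    return sorted(hits, key=lambda f: order[f.verdict])


if __name__ == "__main__":
    for f in scan_values(SAMPLE_VALUES):
        print(f"{f.verdict:8} {f.kind:6} {f.reason}: {f.value}")
```

Any SMB or WebDAV UNC value is worth a look even when the host is internal, since the page’s relay scenario needs only a host the attacker controls or can reach; the `review` grade keeps those visible without drowning out the external and known-bad hits.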

Read more: https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/