Mandiant experts believe that the Outlook zero-day vulnerability (CVE-2023-23397) has been used for almost 12 months in attacks on organizations and critical infrastructure (KRITIS), including by Russian actors in attacks against Ukraine.
Mandiant tracked and documented the early exploitation of the vulnerability under the provisional group name UNC4697. The attacks have since been publicly attributed to APT28, a Russian actor associated with the GRU intelligence service. Since April 2022, the vulnerability has been used in attacks against government agencies, logistics companies, oil and gas operators, defense contractors, and the transport industry in Poland, Ukraine, Romania, and Turkey.
Outlook vulnerability exploited for longer
Mandiant expects CVE-2023-23397 to be exploited rapidly and widely by a range of nation-state and financially motivated actors, criminals and cyber-espionage groups alike. In the short term, these actors will race the patching effort to gain a foothold on systems that are still unpatched.
- Proof-of-concept code for the vulnerability, which requires no user interaction, is already widely available.
- Mandiant believes the vulnerability was not used solely to gather strategic intelligence. Critical infrastructure inside and outside Ukraine was specifically targeted, which Mandiant regards as preparation for disruptive or destructive attacks.
- Cloud-based email services are not affected by this vulnerability in themselves; exposure arises only where the Outlook client is used on Windows systems.
“This is further evidence that aggressive, disruptive and destructive cyberattacks may not be confined to Ukraine and a reminder that we cannot see everything. While preparing for an attack doesn't necessarily mean imminent danger, the geopolitical situation should give us cause for concern,” said John Hultquist, Head of Client Threat Intelligence at Google Cloud on the zero-day vulnerability.
“It is also a reminder that we are not able to see everything that is going on in this conflict. These are spies who have successfully evaded our attention for a long time. It's about distribution. The zero-day vulnerability is an excellent tool for both nation-state actors and criminals looking to make big profits in the short term. The race has already begun.”
More at Mandiant.com
About Mandiant
Mandiant is a recognized leader in dynamic cyber defense, threat intelligence and incident response. With decades of experience on the cyber frontline, Mandiant helps organizations confidently and proactively defend against cyber threats and respond to attacks. Mandiant is now part of Google Cloud.