A security lab has discovered that a serious vulnerability in Microsoft Outlook is being exploited against European government, military, energy and transport companies. The vulnerability has the designation CVE-2023-23397 and is rated 9.8 under the Common Vulnerability Scoring System (CVSS). The BSI also says: the attack occurs before the e-mail is opened or displayed in the preview window; no action by the recipient is necessary!
The vulnerability allows an unauthenticated attacker to compromise systems with a specially crafted email. This malicious email gives the attacker access to the recipient's credentials.
Attacks will increase
"Now that the first proofs of concept have already been published, it can be assumed that attacks on the CVE-2023-23397 vulnerability will increase," explains Umut Alemdar, Head of Security Lab at Hornetsecurity. "We therefore recommend that all Microsoft Outlook users install the security patches provided by Microsoft as soon as possible."
Thanks to Advanced Threat Protection (ATP), Hornetsecurity's security system is able to quarantine emails that attempt to exploit this vulnerability. "This prevents the emails from reaching the victim's inbox," Alemdar continues. "Thanks to ATP, our customers are already protected from this danger. In addition, Hornetsecurity's Security Lab has set itself the task of monitoring the threat landscape with eagle eyes in order to continue to guarantee our customers the best possible protection against the latest cyber threats."
Attack before preview
The vulnerability is triggered as soon as the Outlook client retrieves and processes the malicious email, so an attack can occur even before the message is displayed in the preview window. The message causes the victim's client to connect to an environment the attacker controls. This leaks the victim's Net-NTLMv2 hash, the client's response in NTLMv2, a challenge-response protocol used for authentication in Windows environments. The attacker can relay this response to another service, thereby authenticating as the victim and compromising the system further.
The attack is of low complexity and, according to Microsoft, has already been observed in the wild. The vulnerability was used to attack European government, military, energy and transport companies. Microsoft was first notified of CVE-2023-23397 by CERT-UA (the Computer Emergency Response Team of Ukraine). A proof-of-concept created by Hornetsecurity's Security Lab team shows that the attack is particularly difficult to detect: none of the anti-malware and sandbox services included in VirusTotal classified it as dangerous.
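A defender-side check, added here as an example and not Hornetsecurity's or Microsoft's code: because the attack described above is driven by the Outlook client itself reaching out to an attacker-controlled host, network telemetry can flag it even when content scanners miss the message. The script assumes the coerced authentication leaves the host over SMB (TCP 445) and runs over constructed Sysmon-style network-connection records; the key=value line format and field names are assumptions, and the internal address ranges should be adjusted to your own address plan.

```python
import ipaddress

# Assumption: the coerced NTLM authentication goes out over SMB (TCP 445).
AUTH_PORTS = {445}

# Address ranges treated as "inside the organisation"; adjust to your own plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # IPv4 loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                 # IPv6 ULA, link-local, loopback
)]

# Constructed sample records (not real telemetry), modelled loosely on
# Sysmon network-connection events, one event per line, fields joined by ';'.
SAMPLE_EVENTS = [
    r"Image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE;DestinationIp=203.0.113.10;DestinationPort=445",
    r"Image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE;DestinationIp=10.1.2.3;DestinationPort=445",
    r"Image=C:\Windows\explorer.exe;DestinationIp=203.0.113.10;DestinationPort=445",
    r"Image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE;DestinationIp=203.0.113.10;DestinationPort=443",
    r"Image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE;DestinationIp=2001:db8::5;DestinationPort=445",
]


def parse_event(line):
    """Parse one 'key=value;key=value' record (constructed format) into a dict."""
    return dict(f.split("=", 1) for f in line.strip().split(";") if "=" in f)


def is_external(ip_text):
    """True if the address lies outside every INTERNAL_NETS range (IPv4 or IPv6)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable address: skip rather than crash the pipeline
    # Membership test is False across IP versions, so mixed lists are safe.
    return not any(ip in net for net in INTERNAL_NETS)


def flag_outlook_external_smb(lines):
    """Return events where outlook.exe opened an outbound SMB connection to an external host."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if not ev.get("Image", "").lower().endswith("\\outlook.exe"):
            continue  # only the Outlook client is of interest for this vulnerability
        try:
            port = int(ev.get("DestinationPort", ""))
        except ValueError:
            continue
        if port in AUTH_PORTS and is_external(ev.get("DestinationIp", "")):
            hits.append(ev)
    return hits
```

Outlook has no normal reason to speak SMB to hosts on the internet, so each hit is worth an alert and a look at the message that arrived just before it.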
More at Hornetsecurity.com
About Hornetsecurity
Hornetsecurity is the leading German cloud security provider for e-mail in Europe and protects the IT infrastructure, digital communication and data of companies and organizations of all sizes. The security specialist from Hanover provides its services via 10 redundantly secured data centers around the world. The product portfolio covers all important areas of e-mail security, from spam and virus filters to legally compliant archiving and encryption, to defense against CEO fraud and ransomware. Hornetsecurity has around 200 employees at 12 locations around the world and operates through its international reseller network in more than 30 countries.