adplus-dvertising
Connect with us

Tech

Microsoft Outlook Warning: Critical New Email Exploit Triggers Automatically—Update Now

Published

 on

March 16 Update below. This post was originally published on March 15

Microsoft has confirmed that a critical Outlook vulnerability, rated at 9.8 out of a maximum 10, is known to have already been exploited in the wild. If you think that sounds bad, it get’s worse: the exploit is triggered upon receipt of a malicious email, and so is executed before that email is read in the preview pane. That’s right; this is a no-user-interaction required exploit. Here’s what we know about the new Microsoft Outlook zero-day.

What is CVE-2023-23397, the critical Microsoft Outlook zero-day vulnerability?

CVE-2023-23397 is a Microsoft Outlook elevation of privilege vulnerability that, according to the Microsoft Security Resource Center (MSRC), has already been used by a “Russia-based threat actor” in targeted attacks against government, transport, energy, and military sectors in Europe. Indeed, the Ukrainian Computer Emergency Response Team (CERT) is credited as reporting the zero-day to Microsoft.

Full technical details are, as yet, fairly thin on the ground. However, an MSRC posting says that the critical Microsoft Outlook vulnerability is “triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. No interaction is required.” The posting continues to explain that the connection to a remote SMB (server message block) server sends the user new technology LAN manager (NTLM) negotiation message which is then relayed for authentication against supporting systems. “Online services such as Microsoft 365 do not support NTLM authentication,” the MSRC posting confirms, so are not vulnerable to this exploit.

All currently supported versions of Outlook for Windows are impacted, but not Outlook for the web or those running on Android, iOS, or Mac.

March 16 Update:

Google-owned threat intelligence company, Mandiant, says that it believes the CVE-2023-23397 Microsoft Outlook zero-day vulnerability has been exploited for nearly a year in order to target both organizations and critical infrastructure.

Russian ‘Fancy Bear’ state-sponsored threat actors have been exploiting CVE-2023-23397

In an email statement, Mandiant says it created ‘UNC4697’ to track the early exploitation of CVE-2023-23397, publicly attributed to the Russian military intelligence (GRU) connected threat actor, APT28, which is better known as Fancy Bear. It claims that the vulnerability has been exploited since April 2022 against government, defense, logistics, transportation, and energy targets based in Poland, Romania, Turkey, and Ukraine. These targets could, Mandiant says, facilitate strategic intelligence collection and disruptive or destructive attacks aimed both win=thin and outside of Ukraine.

“This is more evidence that aggressive, disruptive, and destructive cyberattacks may not remain constrained to Ukraine and a reminder that we cannot see everything,” John Hultquist, head of Mandiant Intelligence Analysis at Google Cloud, said. “These are spies, and they have a long track record of successfully evading our notice. This will be a propagation event. This is an excellent tool for nation-state actors and criminals alike who will be on a bonanza in the short term. The race has already begun.”

Multiple proofs-of-concept now widely available

Furthermore, Mandiant says that multiple proofs-of-concept are now widely available. Given that this is a no-user-interaction exploit, the potential for harm is high. Indeed, Mandiant says that it “anticipates broad, rapid adoption of the CVE-2023-23397 exploit by multiple nation-state and financially motivated actors, including both criminal and cyber espionage actors.”

Pass the Hash attack

In order to exploit CVE-2023-23397, which Mandiant says is ‘trivial’ to execute, an attacker needs to send a malicious email with an “extended MAPI property that contains a UNC path to SMB (TCP 445) share on an attacker-controlled server.” This kicks off what is known as a ‘Pass the Hash’ attack, but in this case, is triggered upon receipt of the email by an unpatched Outlook client, without the target even viewing it.

What do you need to do now?

The good news is that the warning concerning CVE-2023-23397 coincides with the release of the latest Patch Tuesday round of security updates for Microsoft users. Applying the relevant patch is therefore recommended. That said, if your organization is unable to apply these security updates immediately, then Microsoft has published some workaround mitigations. Adding users to the Protected Users Security Group will prevent the use of NTLM for authentication, but Microsoft warns that this could “cause impact to applications that require NTLM.” Alternatively, you can block outbound TCP 445/SMB using a firewall or through VPN settings.

What is the security industry saying about the Microsoft Outlook zero-day?

“Administrators should patch within the day if possible since the vulnerability is relatively simple to exploit, doesn’t require user interaction, and is already being exploited in the wild,” Peter Pflaster, a technical product manager at Automox, said. “Microsoft has shared two temporary mitigations if you’re unable to patch immediately, both of which will impact NTLM and applications that use it, so proceed with caution.”

“Given the network attack vector, the ubiquity of SMB shares, and the lack of user interaction required, an attacker with a suitable existing foothold on a network may well consider this vulnerability a prime candidate for lateral movement,” Adam Barnett, lead software engineer at Rapid7, said.

“A threat actor is currently exploiting this vulnerability to deliver malicious MSI (Microsoft Installer) files,” Bharat Jogi, director of vulnerability and threat research at Qualys, said.

“The attack can be executed without any user interaction by sending a specially crafted email which triggers automatically when retrieved by the email server,” Mike Walters, VP of Vulnerability and Threat Research at Action1, said. “This can lead to exploitation before the email is even viewed in the Preview Pane. If exploited successfully, an attacker can access a user’s Net-NTLMv2 hash, which can be used to execute a pass-the-hash attack on another service and authenticate as the user. The best course of action is to install the Microsoft update on all systems after testing it in a controlled environment.”

728x90x4

Source link

Continue Reading

Business

Payments tech company Lightspeed Commerce conducting strategic review of business

Published

 on

 

MONTREAL – Lightspeed Commerce Inc. says it is conducting a review of its business and operations including talks relating to a range of potential strategic alternatives.

The Montreal-based payments technology company made the comments after reports concerning a potential transaction involving the company.

Lightspeed says it periodically undertakes a review of its business and operations with a view of realizing its full potential.

A strategic review is often seen by investors as a prelude to a sale by a company.

Lightspeed says its board of directors is committed to acting in the best interests of the company and its stakeholders.

Company founder Dax Dasilva returned to the role of chief executive officer earlier this year and has been working to return the company to profitability.

This report by The Canadian Press was first published Sept. 26, 2024.

Companies in this story: (TSX:LSPD)

The Canadian Press. All rights reserved.

Source link

Continue Reading

Economy

Bank of Canada trying to figure out how AI might affect inflation, Macklem says

Published

 on

 

OTTAWA – Bank of Canada governor Tiff Macklem says there is a lot of uncertainty around how artificial intelligence could affect the economy moving forward, including the labour market and price growth.

In a speech in Toronto at the Economics of Artificial Intelligence Conference, the governor said Friday that the central bank is approaching the issue cautiously to get a better understanding of how AI could affect its job of keeping inflation low and stable.

“Be wary of anyone who claims to know where AI will take us. There is too much uncertainty to be confident,” Macklem said in prepared remarks.

“We don’t know how quickly AI will continue to advance. And we don’t know the timing and extent of its economic and social impacts.”

The governor said AI has the potential of increasing labour productivity, which would raise living standards and grow the economy without boosting inflation.

In the short-term, he said investment in AI is adding to demand and could be inflationary.

However, Macklem also highlighted more pessimistic scenarios, where AI could destroy more jobs than it creates or lead to less competition rather than more.

The governor called on academics and businesses to work together to shed more light on the potential effects of AI on the economy.

“When you enter a dark room, you don’t go charging in. You cautiously feel your way around. And you try to find the light switch. That is what we are doing. What we central bankers need is more light,” he said.

This report by The Canadian Press was first published Sept. 20, 2024.

The Canadian Press. All rights reserved.

Source link

Continue Reading

Tech

United Airlines will offer free internet on flights using service from Elon Musk’s SpaceX

Published

 on

 

CHICAGO (AP) — United Airlines has struck a deal with Elon Musk’s SpaceX to offer satellite-based Starlink WiFi service on flights within the next several years.

The airline said Friday the service will be free to passengers.

United said it will begin testing the service early next year and begin offering it on some flights by later in 2025.

Financial details of the deal were not disclosed.

The announcement comes as airlines rush to offer more amenities as a way to stand out when passengers pick a carrier for a trip. United’s goal is to make sitting on a plane pretty much like being on the ground when it comes to browsing the internet, streaming entertainment and playing games.

“Everything you can do on the ground, you’ll soon be able to do on board a United plane at 35,000 feet, just about anywhere in the world,” CEO Scott Kirby said in announcing the deal.

The airline says Starlink will allow passengers to get internet access even over oceans and polar regions where traditional cell or Wi-Fi signals may be weak or missing.

The Canadian Press. All rights reserved.

Source link

Continue Reading

Trending