Microsoft Outlook Warning: Critical New Email Exploit Triggers Automatically—Update Now

March 16 Update below. This post was originally published on March 15

Microsoft has confirmed that a critical Outlook vulnerability, rated at 9.8 out of a maximum 10, is known to have already been exploited in the wild. If you think that sounds bad, it gets worse: the exploit is triggered upon receipt of a malicious email, and so is executed before that email is read in the preview pane. That’s right; this exploit requires no user interaction. Here’s what we know about the new Microsoft Outlook zero-day.

What is CVE-2023-23397, the critical Microsoft Outlook zero-day vulnerability?

CVE-2023-23397 is a Microsoft Outlook elevation of privilege vulnerability that, according to the Microsoft Security Resource Center (MSRC), has already been used by a “Russia-based threat actor” in targeted attacks against government, transport, energy, and military sectors in Europe. Indeed, the Ukrainian Computer Emergency Response Team (CERT) is credited as reporting the zero-day to Microsoft.

Full technical details are, as yet, fairly thin on the ground. However, an MSRC posting says that the critical Microsoft Outlook vulnerability is “triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. No interaction is required.” The posting goes on to explain that the connection to the remote SMB (Server Message Block) server sends the user’s New Technology LAN Manager (NTLM) negotiation message, which is then relayed for authentication against supporting systems. “Online services such as Microsoft 365 do not support NTLM authentication,” the MSRC posting confirms, so they are not vulnerable to this exploit.

All currently supported versions of Outlook for Windows are impacted, but not Outlook for the web or those running on Android, iOS, or Mac.

March 16 Update:

Google-owned threat intelligence company, Mandiant, says that it believes the CVE-2023-23397 Microsoft Outlook zero-day vulnerability has been exploited for nearly a year in order to target both organizations and critical infrastructure.

Russian ‘Fancy Bear’ state-sponsored threat actors have been exploiting CVE-2023-23397

In an email statement, Mandiant says it created ‘UNC4697’ to track the early exploitation of CVE-2023-23397, publicly attributed to the Russian military intelligence (GRU) connected threat actor, APT28, which is better known as Fancy Bear. It claims that the vulnerability has been exploited since April 2022 against government, defense, logistics, transportation, and energy targets based in Poland, Romania, Turkey, and Ukraine. These targets could, Mandiant says, facilitate strategic intelligence collection and disruptive or destructive attacks aimed both within and outside of Ukraine.

“This is more evidence that aggressive, disruptive, and destructive cyberattacks may not remain constrained to Ukraine and a reminder that we cannot see everything,” John Hultquist, head of Mandiant Intelligence Analysis at Google Cloud, said. “These are spies, and they have a long track record of successfully evading our notice. This will be a propagation event. This is an excellent tool for nation-state actors and criminals alike who will be on a bonanza in the short term. The race has already begun.”

Multiple proofs-of-concept now widely available

Furthermore, Mandiant says that multiple proofs-of-concept are now widely available. Given that this is a no-user-interaction exploit, the potential for harm is high. Indeed, Mandiant says that it “anticipates broad, rapid adoption of the CVE-2023-23397 exploit by multiple nation-state and financially motivated actors, including both criminal and cyber espionage actors.”

Pass the Hash attack

In order to exploit CVE-2023-23397, which Mandiant says is ‘trivial’ to execute, an attacker needs to send a malicious email with an “extended MAPI property that contains a UNC path to SMB (TCP 445) share on an attacker-controlled server.” This kicks off what is known as a ‘Pass the Hash’ attack, but in this case it is triggered upon receipt of the email by an unpatched Outlook client, without the target even viewing it.
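The condition described here and in the MSRC posting quoted earlier (a message property whose value is a UNC path to a server outside the organization) can be audited for in mailbox data. The following is an added example, not code from Microsoft or Mandiant; it assumes property values have already been extracted from messages, and the property label, internal suffix list and sample rows are constructed.

```python
import ipaddress
import re

# Assumption: DNS suffixes this organization treats as internal (hypothetical).
INTERNAL_SUFFIXES = (".corp.example",)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# \\host\share, where host may carry an @port suffix (WebDAV form of a UNC path).
UNC_RE = re.compile(r"^\\\\(?P<host>[^\\/@]+)(?:@[^\\/]*)?[\\/](?P<share>[^\\/]+)")

# Constructed rows: (message id, property label, property value).
SAMPLE = [
    ("msg-1", "ext_prop_1", r"\\fs01\sounds\chime.wav"),
    ("msg-2", "ext_prop_1", r"\\203.0.113.10\share\a.wav"),
    ("msg-3", "ext_prop_1", r"C:\Windows\Media\chord.wav"),
    ("msg-4", "ext_prop_1", r"\\files.external.example@80\x\a.wav"),
    ("msg-5", "ext_prop_1", r"\\nas.corp.example\media\a.wav"),
    ("msg-6", "ext_prop_1", r"\\10.20.30.40\share\a.wav"),
]

def unc_host(value):
    """Return the lower-cased host of a UNC path, or None if value is not one."""
    m = UNC_RE.match(value.strip())
    return m.group("host").lower() if m else None

def is_external(host):
    """True when a connection to this host would leave the internal network."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        if "." not in host:          # single-label name: resolved internally
            return False
        return not host.endswith(INTERNAL_SUFFIXES)
    return not any(ip in net for net in INTERNAL_NETS)

def triage(rows):
    """Return (message id, property label, host) for every external UNC target."""
    flagged = []
    for msg_id, label, value in rows:
        host = unc_host(value) if isinstance(value, str) else None
        if host and is_external(host):
            flagged.append((msg_id, label, host))
    return flagged

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Explicit network ranges are used instead of `ipaddress`'s `is_private`, which also treats the documentation ranges used in the sample as private.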

What do you need to do now?

The good news is that the warning concerning CVE-2023-23397 coincides with the release of the latest Patch Tuesday round of security updates for Microsoft users. Applying the relevant patch is therefore recommended. That said, if your organization is unable to apply these security updates immediately, then Microsoft has published some workaround mitigations. Adding users to the Protected Users Security Group will prevent the use of NTLM for authentication, but Microsoft warns that this could “cause impact to applications that require NTLM.” Alternatively, you can block outbound TCP 445/SMB using a firewall or through VPN settings.
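Where the outbound TCP 445 block is the chosen workaround, perimeter logs show both whether it is holding and which clients attempted an external SMB connection. The following is an added example, not Microsoft's tooling; the log format, addresses and internal ranges are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: address ranges this organization treats as internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log format: timestamp action proto src:port -> dst:port
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

SAMPLE_LOG = """\
2023-03-14T09:12:03Z ALLOW TCP 10.1.4.22:51544 -> 198.51.100.7:445
2023-03-14T09:12:04Z ALLOW TCP 10.1.4.22:51560 -> 10.1.0.5:445
2023-03-14T09:15:40Z DENY TCP 10.1.7.80:49822 -> 203.0.113.10:445
2023-03-14T09:16:01Z ALLOW TCP 10.1.7.80:49830 -> 198.51.100.7:443
2023-03-14T09:20:11Z ALLOW TCP 10.1.4.22:51602 -> 203.0.113.10:445
"""

def outbound_smb(log_text):
    """Map each source host to the external TCP 445 peers it reached or tried.

    'allowed' means the block is missing on that path and NTLM material may
    have left the network; 'denied' means the block held, but the client
    still attempted the connection and should be prioritized for patching.
    """
    report = defaultdict(lambda: {"allowed": set(), "denied": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("dport") != "445":
            continue
        dst = ipaddress.ip_address(m.group("dst"))
        if any(dst in net for net in INTERNAL_NETS):
            continue  # internal file-server traffic is expected
        key = "allowed" if m.group("action") == "ALLOW" else "denied"
        report[m.group("src")][key].add(str(dst))
    return dict(report)

if __name__ == "__main__":
    for src, peers in sorted(outbound_smb(SAMPLE_LOG).items()):
        print(src, "allowed:", sorted(peers["allowed"]),
              "denied:", sorted(peers["denied"]))
```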

What is the security industry saying about the Microsoft Outlook zero-day?

“Administrators should patch within the day if possible since the vulnerability is relatively simple to exploit, doesn’t require user interaction, and is already being exploited in the wild,” Peter Pflaster, a technical product manager at Automox, said. “Microsoft has shared two temporary mitigations if you’re unable to patch immediately, both of which will impact NTLM and applications that use it, so proceed with caution.”

“Given the network attack vector, the ubiquity of SMB shares, and the lack of user interaction required, an attacker with a suitable existing foothold on a network may well consider this vulnerability a prime candidate for lateral movement,” Adam Barnett, lead software engineer at Rapid7, said.

“A threat actor is currently exploiting this vulnerability to deliver malicious MSI (Microsoft Installer) files,” Bharat Jogi, director of vulnerability and threat research at Qualys, said.

“The attack can be executed without any user interaction by sending a specially crafted email which triggers automatically when retrieved by the email server,” Mike Walters, VP of Vulnerability and Threat Research at Action1, said. “This can lead to exploitation before the email is even viewed in the Preview Pane. If exploited successfully, an attacker can access a user’s Net-NTLMv2 hash, which can be used to execute a pass-the-hash attack on another service and authenticate as the user. The best course of action is to install the Microsoft update on all systems after testing it in a controlled environment.”

Counter-Strike 2 may immediately end matches with cheaters – GamesHub

Counter-Strike 2 (CS2), the next evolution of Valve’s long-running, ever-popular, and lucrative tactical first-person shooting game, was revealed in mid-March 2023. But beyond several visual improvements and refinements to the high-stakes game, it appears as if the company is taking the opportunity to implement far stricter measures to counteract cheaters, who utilise third-party tools to gain an unfair advantage.

As spotted by Twitter user Aquarius and reported on by PC Gamer, a line in the source code of CS2 has indicated a new feature that will immediately cancel an in-progress match of Counter-Strike 2 if a player is detected using cheating tools.

The code, which appears to outline the conditions for certain notifications to pop up in-game, includes the phrases ‘Cheater Detected’ and ‘This match has been cancelled by VAC Live’.

‘VAC’ in this instance, of course, is an abbreviation for Valve Anti-Cheat, the company’s proprietary cheat monitoring solution. VAC was first introduced with Counter-Strike in 2002.

As PC Gamer astutely notes, this appears to be Valve taking a page out of the book of CS2’s closest competitor at the moment, Valorant, developed by Riot Games. Riot’s anti-cheat measures have included match cancellations since the game’s launch.

Counter-Strike has always been a game with high stakes, requiring exceptional levels of player investment and focus to succeed. Having your multiplayer experience ruined by a lopsided, unfair match can be incredibly demoralising, especially if you’re stuck in it for some time before you can move on. If Valve’s new anti-cheat measures do go ahead, it can only be a positive thing.

Don’t cheat in multiplayer games. That’s a loser move.

Counter-Strike 2 will launch on PC sometime in mid-2023.

Microsoft Ends $1 Xbox Game Pass Offer For First Month of Use – Kotaku

Microsoft’s long-running introductory offer for its Xbox Game Pass subscription platform, which let users try the service out for $1 for the first month before moving onto more expensive payments, has finally come to a close.

As The Verge reports, the deal—which applied to both Xbox Game Pass Ultimate and the PC Game Pass—has recently been pulled, with a Microsoft spokesperson saying “We have stopped our previous introductory offer for Xbox Game Pass Ultimate and PC Game Pass and are evaluating different marketing promotions for new members in the future”.

What those “different marketing promotions” could be is anyone’s guess, though given the whole point of the $1 deal was to get new users on the hook, a natural successor could easily be the Xbox Game Pass Friends and Family scheme, which, while still unavailable in the US, has been tested in a number of international markets since late 2022.

Anyone signed up for Game Pass will see months from existing subscriptions converted into partial months on the sharing plan. If you’re currently signed up for Xbox Game Pass Ultimate, every remaining month will turn into 18 days of Game Pass Friends and Family. Those signed up for the piecemeal tiers will see their subscriptions convert into 12 days of Game Pass Friends and Family.

There are some limitations, however. If you’re the account holder, you can only have four additional people on an account at any given time, and can only share with eight unique accounts over the course of a calendar year. And it’s region-locked: The primary account holder can only add members who live in the same country or region.

While that’s not a 1:1 replacement for the $1 offer, which was just a good deal for anyone, it does mean folks recommending Xbox Game Pass to friends or family would have a pretty easy way to get them onboard via their own account.

It sucks to see the $1 deal go away, since I’m sure many/most of you took advantage of it, but if you weren’t ready for the time Xbox decided to start doing stuff like this, you have not been paying enough attention to TV and sports over the last five years.
