Microsoft on Monday said it detected Kremlin-backed nation-state activity exploiting a now-patched critical security flaw in its Outlook email service to gain unauthorized access to victims' accounts within Exchange servers.
The tech giant attributed the intrusions to a threat actor it called Forest Blizzard (formerly Strontium), which is also widely tracked under the monikers APT28, BlueDelta, Fancy Bear, FROZENLAKE, Iron Twilight, Sednit, Sofacy, and TA422.
The security vulnerability in question is CVE-2023-23397 (CVSS score: 9.8), a critical privilege escalation bug that could allow an adversary to access a user's Net-NTLMv2 hash that could then be used to conduct a relay attack against another service to authenticate as the user. It was patched by Microsoft in March 2023.
The goal, according to the Polish Cyber Command (DKWOC), is to obtain unauthorized access to mailboxes belonging to public and private entities in the country.
"In the next stage of malicious activity, the adversary modifies folder permissions within the victim's mailbox," DKWOC said. "In most cases, the modifications are to change the default permissions of the 'Default' group (all authenticated users in the Exchange organization) from 'None' to 'Owner.'"
In doing so, the contents of mailbox folders that have been granted this permission can be read by any authenticated person within the organization, enabling the threat actor to extract valuable information from high-value targets.
"It should be emphasized that the introduction of such modifications allows for the maintenance of unauthorized access to the contents of the mailbox even after losing direct access to it," DKWOC added.
Microsoft previously disclosed that the security shortcoming had been weaponized by Russia-based threat actors as a zero-day in attacks targeting government, transportation, energy, and military sectors in Europe since April 2022.
Subsequently, in June 2023, cybersecurity firm Recorded Future revealed details of a spear-phishing campaign orchestrated by APT28 exploiting multiple vulnerabilities in the open-source Roundcube webmail software, while simultaneously noting that the campaign overlaps with activity employing the Microsoft Outlook vulnerability.
The National Cybersecurity Agency of France (ANSSI), in late October, also blamed the hacking outfit for targeting government entities, businesses, universities, research institutes, and think tanks since the second half of 2021 by taking advantage of various flaws, counting CVE-2023-23397, to deploy implants such as CredoMap.
The state-sponsored group is assessed to be linked to Unit 26165 of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), the foreign intelligence arm of the Ministry of Defense.
In recent months, it has also been connected to attacks on various organizations in France and Ukraine as well as the abuse of the WinRAR flaw (CVE-2023-38831) to steal browser login data using a PowerShell script named IRONJAW.
Cybersecurity company Proofpoint, in an independent analysis, said it observed high-volume phishing campaigns in late March and September 2023 that leveraged CVE-2023-23397 and CVE-2023-38831, respectively, to targets in Europe and North America.
"Their actions indicate that they seek to discover easily exploitable networks that have strategic interest to the adversary; however, it's unclear if the quantity of emails – more than 10,000 total since August 2023 – has been a tactical decision or an operator error," Greg Lesnewich, senior threat researcher at Proofpoint, told The Hacker News.
"Regardless, the payloads, tactics, and techniques used in these campaigns reflect TA422's ultimate shift away from compiled malware for persistent access on targeted networks to lighter-weight, credential-oriented access."
"Forest Blizzard continually refines its footprint by employing new custom techniques and malware, suggesting that it is a well-resourced and well-trained group posing long-term challenges to attribution and tracking its activities," Microsoft said.
The popularity of Microsoft Outlook in enterprise environments serves as a lucrative attack vector, making it "one of the critical 'gateways' responsible for introducing various cyber threats into organizations," according to Check Point, which laid out the various means by which the service could be abused by bad actors to deliver their exploits.
The development comes as The Guardian reported that the Sellafield nuclear waste site in the U.K. had been breached by hacking crews associated with Russia and China to deploy "sleeper malware" as far back as 2015. However, the U.K. government said it found no evidence to suggest that its networks had been "successfully attacked by state actors."
Update
Palo Alto Networks Unit 42, in an follow-up technical report published on December 7, 2023, attributed APT28 to cyber attacks targeting at least 30 organizations within 14 nations over the past 20 months by exploiting CVE-2023-23397.
The cybersecurity firm, which is calling the hacking crew Fighting Ursa, said the attacks spread over three campaign waves that took place between March 18 and December 29, 2022, March 15 and 29, 2023, and August 30 and October 11, 2023.
"Of the 14 nations targeted throughout all three campaigns, all are organizations within NATO member countries, except for entities in Ukraine, Jordan and the United Arab Emirates," Unit 42 noted. "These organizations included critical infrastructure and entities that provide an information advantage in diplomatic, economic and military affairs."
(The story was updated after publication to include additional details of the campaign from Proofpoint and Palo Alto Networks Unit 42.)