Dhara Kothari

17/03/2023

SenseOn Advisory on the Outlook Zero Day Vulnerability

Executive Summary

Product Impacted: Microsoft Outlook

Criticality score: 9.8 Critical

CVE-2023-23397

On 14 March 2023, Microsoft published details of a critical Outlook vulnerability known to have been exploited by threat actors. The vulnerability, tracked as CVE-2023-23397, allows attackers to obtain NTLM hashes by sending specially crafted emails to a victim; the vulnerability is triggered without any interaction from the recipient.

According to the Microsoft Security Response Center (MSRC), this vulnerability has been actively exploited since April 2022 by the Russia-based threat actor APT28. The group has targeted numerous sectors in Europe, including government, transport, energy and military organisations.

The crafted email contains a MAPI property holding a path to an SMB share that the threat actor controls. When the email is received, the device connects to that SMB share and sends an NTLM negotiation message, which can then be reused for authentication against other NTLM-supporting systems. Online services, including Microsoft 365, do not support NTLM authentication and are therefore not vulnerable to this exploit.

All currently supported versions of Outlook for Windows are affected by this vulnerability, and Microsoft has released a security update that SenseOn recommends applying. If it is not possible to apply the security update, Microsoft advises adding users to the ‘Protected Users Security Group’, which prevents NTLM from being used for authentication. Alternatively, it is recommended that outbound SMB connections (TCP port 445) are blocked.

Detection

SenseOn’s detection capabilities mean that we are able to provide coverage across the estate for post-breach activities related to this vulnerability. SenseOn provides detections that identify abnormal external connections over uncommon protocols, which allows us to identify attempts to communicate with external servers over SMB port 445. In addition, SenseOn has various detections targeting related behaviour patterns that the SenseOn SOC is monitoring.

SenseOn’s approach to threat detection is to combine behavioural and machine-learning detections to identify behaviours such as lateral movement, command and control (C2) traffic and exfiltration.

It is this coverage that allows SenseOn to accurately detect the subsequent behaviours of an attacker who may look to exploit CVE-2023-23397.

Microsoft has provided a PowerShell script [2] that can be run to detect exploitation attempts on a device. SenseOn has updated the Hunt Library with the following queries so that you can also hunt through your own telemetry.

CVE-2023-23397 – Vulnerable Outlook Instances
@placeholder('days','int','Days to look back',7)

WITH groupUniqArray(name) as names,
groupUniqArray(version) as versions
SELECT
  DISTINCT _hostname as Device,
  CASE
    WHEN lower(name) LIKE '%outlook%2016%' THEN 'Microsoft Outlook 2016'
    WHEN lower(name) LIKE '%outlook%2013%pack%' THEN 'Microsoft Outlook 2013 Service Pack 1'
    WHEN lower(name) LIKE '%office%2019%' THEN 'Outlook 2019'
    WHEN lower(name) LIKE '%365%apps%' THEN 'Microsoft 365 Apps for Enterprise'
    WHEN lower(name) LIKE '%office%ltsc%' THEN 'Microsoft Office LTSC 2021'
  END as Product,
  max(version) as ProductVersion,
  multiIf(
    (
      Product = 'Microsoft Outlook 2016'
      AND arrayStringConcat(names, '') LIKE '%KB5002254%'
    ),
    'patched',
    (
      Product = 'Microsoft Outlook 2013 Service Pack 1'
      AND arrayStringConcat(names, '') LIKE '%KB5002265%'
    ),
    'patched',
    (
      Product = 'Outlook 2019'
      AND ProductVersion LIKE '%.10396.20023'
    ),
    'patched',
    (
      Product = 'Microsoft 365 Apps for Enterprise'
      AND ProductVersion LIKE '%.16130.20306'
    ),
    'patched',
    (
      Product = 'Microsoft Office LTSC 2021'
      AND ProductVersion LIKE '%.14332.20481'
    ),
    'patched',
    'vulnerable'
  ) as Status
FROM
  endpoint_program
WHERE
  _time_observed >= toUnixTimestamp(subtractDays(now(), :days)) * 1000
  AND (
    (
      lower(name) LIKE '%outlook%2016%'
      OR lower(name) LIKE '%outlook%2013%pack%'
      OR lower(name) LIKE '%office%2019%'
      OR lower(name) LIKE '%365%apps%'
      OR lower(name) LIKE '%office%ltsc%'
    )
  )
  AND lower(name) NOT LIKE '%azure%'
GROUP BY
  _hostname,
  Product
HAVING
  Status != 'patched'

CVE-2023-23397 – External NTLM Authentications
@placeholder('days', 'int', 'How many days back to check', 7)
SELECT
  DISTINCT source_ip as SourceIP,
  groupUniqArray(source_hostname) as Hostnames,
  groupUniqArray(auth_username) as AuthenticationUsernames,
  dest_ip as Destination,
  groupUniqArray(dest_hostname) as UniqueHostnames,
  groupUniqArray(dest_geo_country_code) as ConnectionLocations,
  count(*) as Connections
FROM
  network_ntlm
WHERE
  _time_observed >= toUnixTimestamp(subtractDays(now(), :days)) * 1000
  AND dest_network = 'external'
GROUP BY
  source_ip,
  dest_ip
ORDER BY
  Connections DESC
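The same logic as the External NTLM Authentications hunt above, written as an added Python example (not SenseOn's code and not a platform query) that runs over constructed connection records. The record fields, the "external" test (anything outside RFC 1918, loopback and link-local ranges) and the SMB port filter are assumptions; the IP addresses are from documentation ranges and are constructed for the example.

```python
"""Flag outbound SMB connections to external destinations, grouped by source and destination.

Added example, not SenseOn's code. Record layout and the definition of "external"
are assumptions; the sample records below are constructed.
"""
import ipaddress
from collections import defaultdict

# Networks treated as internal. Assumption: RFC 1918 ranges plus loopback and link-local.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed sample telemetry: (source_ip, source_hostname, auth_username, dest_ip, dest_port).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for internet hosts.
SAMPLE_CONNECTIONS = [
    ("10.0.1.15", "ws-finance-03", "CORP\\alice", "10.0.5.20", 445),     # internal file server, expected
    ("10.0.1.15", "ws-finance-03", "CORP\\alice", "203.0.113.45", 445),  # SMB to an external host
    ("10.0.1.22", "ws-hr-07", "CORP\\bob", "203.0.113.45", 445),         # second host, same destination
    ("10.0.1.22", "ws-hr-07", "CORP\\bob", "198.51.100.9", 443),         # HTTPS, not in scope
    ("10.0.1.15", "ws-finance-03", "CORP\\alice", "203.0.113.45", 445),  # repeat connection
]


def is_external(ip: str) -> bool:
    """True when the address lies outside every network in INTERNAL_NETWORKS."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def external_smb_connections(records, smb_port: int = 445):
    """Group external connections on smb_port by (source_ip, dest_ip).

    Mirrors the GROUP BY / ORDER BY Connections DESC shape of the hunt query:
    returns a list of dicts sorted by connection count, highest first.
    """
    groups = defaultdict(lambda: {"hostnames": set(), "usernames": set(), "connections": 0})
    for src_ip, src_host, user, dst_ip, dst_port in records:
        if dst_port != smb_port or not is_external(dst_ip):
            continue
        g = groups[(src_ip, dst_ip)]
        g["hostnames"].add(src_host)
        g["usernames"].add(user)
        g["connections"] += 1
    rows = [
        {
            "SourceIP": src,
            "Destination": dst,
            "Hostnames": sorted(g["hostnames"]),
            "AuthenticationUsernames": sorted(g["usernames"]),
            "Connections": g["connections"],
        }
        for (src, dst), g in groups.items()
    ]
    return sorted(rows, key=lambda r: r["Connections"], reverse=True)


if __name__ == "__main__":
    for row in external_smb_connections(SAMPLE_CONNECTIONS):
        print(row)
```

A hit here means a workstation opened SMB to an internet address, which is rarely legitimate; the source host, the account that authenticated and the count of repeat connections are the first things the SOC will want when triaging it.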

Affected Software

Affected Product                          Patch
Microsoft Outlook 2016                    KB5002254 [3]
Microsoft Outlook 2013 Service Pack 1     KB5002265 [4]
Microsoft Outlook 2013 RT Service Pack 1  KB5002265 [4]
Microsoft Office 2019                     Version 1808 (Build 10396.20023) [5]
Microsoft 365 Apps for Enterprise         Version 2302 (Build 16130.20306) [5]
Microsoft Office LTSC 2021                Version 2108 (Build 14332.20481) [5]
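An added Python example (not SenseOn's or Microsoft's code) that applies the table above to an installed-programs inventory. It follows the Vulnerable Outlook Instances hunt query, with one deliberate difference: the query marks a build as patched only when the version ends in the exact build from the table, so a host that has since moved to a later build would be reported as vulnerable; this example compares builds numerically instead, treating any build at or above the table's as patched. The builds are only the ones the table lists, so a host on a different update channel, whose builds are numbered differently, should be confirmed against source [5] before being treated as unpatched. The product name patterns, the inventory record layout and the sample entries are assumptions, constructed for the example.

```python
"""Assess installed Outlook/Office entries against the patched builds in the table above.

Added example, not SenseOn's or Microsoft's code. Builds and KB numbers come from the
Affected Software table; name patterns, record layout and sample data are constructed.
"""
import re

# Minimum patched build per product, from the table (full version strings are 16.0.<build>).
PATCHED_BUILDS = {
    "Microsoft Office 2019": (16, 0, 10396, 20023),
    "Microsoft 365 Apps for Enterprise": (16, 0, 16130, 20306),
    "Microsoft Office LTSC 2021": (16, 0, 14332, 20481),
}

# Products patched by a separate KB update; detected by the KB appearing in the program list.
PATCH_KBS = {
    "Microsoft Outlook 2016": "KB5002254",
    "Microsoft Outlook 2013 Service Pack 1": "KB5002265",
}

# Name patterns, in the same spirit as the LIKE clauses in the hunt query (assumption).
PRODUCT_PATTERNS = [
    (re.compile(r"outlook.*2016"), "Microsoft Outlook 2016"),
    (re.compile(r"outlook.*2013.*pack"), "Microsoft Outlook 2013 Service Pack 1"),
    (re.compile(r"office.*2019"), "Microsoft Office 2019"),
    (re.compile(r"365.*apps"), "Microsoft 365 Apps for Enterprise"),
    (re.compile(r"office.*ltsc"), "Microsoft Office LTSC 2021"),
]

# Constructed inventory: (hostname, program name, version). Versions are illustrative.
SAMPLE_PROGRAMS = [
    ("ws-finance-03", "Microsoft Office Professional Plus 2019", "16.0.10396.20023"),  # exact table build
    ("ws-hr-07", "Microsoft Office Professional Plus 2019", "16.0.10394.20022"),       # below table build
    ("ws-sales-12", "Microsoft 365 Apps for enterprise - en-us", "16.0.16227.20280"),  # later build
    ("ws-legal-02", "Microsoft Outlook 2016", "16.0.4266.1001"),
    ("ws-legal-02", "Security Update for Microsoft Outlook 2016 (KB5002254) 64-Bit Edition", ""),
    ("ws-ops-09", "Microsoft Outlook 2016", "16.0.4266.1001"),                          # no KB entry
    ("ws-ops-09", "Microsoft Azure Information Protection", "2.14.90.0"),              # excluded, as in the query
]


def classify(name: str):
    """Map a program name to one of the table's products, or None (Azure entries are excluded)."""
    lowered = name.lower()
    if "azure" in lowered:
        return None
    for pattern, product in PRODUCT_PATTERNS:
        if pattern.search(lowered):
            return product
    return None


def parse_version(version: str):
    """'16.0.10396.20023' -> (16, 0, 10396, 20023); rejects anything that is not four integers."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {version!r}")
    return tuple(int(p) for p in parts)


def assess(programs):
    """Return {(hostname, product): 'patched' | 'vulnerable' | 'unknown'} for every matched entry."""
    groups = {}
    for host, name, version in programs:
        product = classify(name)
        if product is None:
            continue
        g = groups.setdefault((host, product), {"names": [], "versions": []})
        g["names"].append(name)
        if version:
            g["versions"].append(parse_version(version))

    result = {}
    for (host, product), g in groups.items():
        if product in PATCH_KBS:
            kb = PATCH_KBS[product]
            result[(host, product)] = "patched" if any(kb in n for n in g["names"]) else "vulnerable"
        elif g["versions"]:
            highest = max(g["versions"])  # like max(version) in the query, but compared numerically
            result[(host, product)] = "patched" if highest >= PATCHED_BUILDS[product] else "vulnerable"
        else:
            result[(host, product)] = "unknown"
    return result


def unpatched(programs):
    """Equivalent of HAVING Status != 'patched': sorted (host, product, status) triples."""
    return sorted((h, p, s) for (h, p), s in assess(programs).items() if s != "patched")


if __name__ == "__main__":
    for host, product, status in unpatched(SAMPLE_PROGRAMS):
        print(f"{host}\t{product}\t{status}")
```

Entries with no parseable version are reported as unknown rather than silently dropped, so a host whose inventory is incomplete still appears in the list to be checked.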

Prevention

SenseOn strongly recommends updating to a patched version as soon as possible, as this is the most effective way to protect against the exploit. Microsoft has released an update guide, linked below.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397

Mitigation

Adding users to the ‘Protected Users Security’ group prevents the use of NTLM as an authentication mechanism. This may, however, cause issues for users who need to access applications that rely on NTLM.

Alternatively, Microsoft recommends blocking outbound TCP 445/SMB from your network using a perimeter firewall, a local firewall and your VPN settings. This prevents NTLM authentication messages from being sent to remote file shares. [1]

Although no details have been confirmed, MDSec has found a workaround to blocking traffic on port 445 that applies when the WebClient service is running [6]. Blocking port 445 alone is therefore not sufficient, and SenseOn’s primary recommendation is to patch any affected hosts.

FAQs

  1. How can I find further information or assistance regarding this threat?
    • SenseOn customers can contact the SOC at any time.
    • Microsoft have published an announcement with details of this vulnerability on their website. [1]
  2. How can I best mitigate this threat?
    • At present, the most effective means of mitigation is upgrading your Outlook install to a patched version that is not vulnerable, as documented in the Prevention section above.
    • Microsoft have also provided steps on how to mitigate this vulnerability if patching is not an option. [1]
  3. Can SenseOn detect this vulnerability?
    • Yes, SenseOn is able to provide coverage across the estate for post-breach activities such as unauthorised use of credentials, lateral movement and more.
    • SenseOn has also created the following queries; these have been added to the Hunt Lab Query Library in the platform and are reproduced above.
      • CVE-2023-23397 – Vulnerable Outlook Instances – This query identifies any vulnerable Outlook applications.
      • CVE-2023-23397 – External NTLM Authentications – This query identifies any external NTLM authentication attempts.

Sources

  1. Microsoft Outlook Elevation of Privilege Vulnerability https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
  2. Microsoft script to detect exploitation https://github.com/microsoft/CSS-Exchange/blob/a4c096e8b6e6eddeba2f42910f165681ed64adf7/docs/Security/CVE-2023-23397.md
  3. KB5002254 https://support.microsoft.com/en-gb/topic/description-of-the-security-update-for-outlook-2016-march-14-2023-kb5002254-a2a882e6-adad-477a-b414-b0d96c4d2ce3
  4. KB5002265 https://support.microsoft.com/en-gb/topic/description-of-the-security-update-for-outlook-2013-march-14-2023-kb5002265-a9d93b9d-21d1-4c5c-a9c0-0f911dde6659
  5. Office security updates https://learn.microsoft.com/en-us/officeupdates/microsoft365-apps-security-updates
  6. MDSec Proof of Concept https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/