Microsoft warns of critical Outlook vulnerability

As it does on every second Tuesday of the month, Microsoft published updates this week to close previously identified security gaps. This Tuesday there were 80 of them, and one stands out in particular because Microsoft rates the associated vulnerability 9.8 on a severity scale of 10.

It is classed as “critical” because, according to Microsoft, it is already being actively exploited via Outlook.

Microsoft suspects Russian hackers behind the attacks

What makes the attack particularly perfidious is that it requires no user interaction at all: those affected do not have to click on a malicious e-mail to trigger it. Rather, it is already sufficient that the mail server accepts the message, writes Der Spiegel.

It is also interesting who appears to be exploiting this gap. Microsoft believes that “a Russia-based threat actor” used the vulnerability for “targeted attacks against a limited number of government, transportation, energy, and military organizations in Europe.”

All Outlook versions for Windows are affected

BleepingComputer reports that it is said to be the Russian hacker group APT28, which is believed to be close to the Russian military intelligence service GRU. The group is also known under the aliases Fancy Bear and Sofacy.

The Federal Office for Information Security (BSI) also warns of the vulnerability, which has been assigned the designation CVE-2023-23397. All Outlook versions for Windows are affected. Attackers could use a manipulated e-mail to intercept Net-NTLMv2 hashes, the office writes.

Microsoft offers patch and script

The cybersecurity blog Krebs on Security explains exactly how this works. The attack allows cybercriminals to authenticate to the server as a trusted user without knowing that user's password.

“This corresponds to an attacker who has access to the system via a valid password,” explained IT security expert Kevin Breen. Capturing the Net-NTLMv2 hashes is, in effect, equivalent to cracking the password.

Microsoft has asked all those potentially affected to apply the patch immediately. Microsoft has also made a script available with which administrators can check whether they have been attacked via the vulnerability. If that is the case, the malicious files should be identified and “permanently” deleted.
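The script mentioned above looks at mailbox contents. A network-side check complements it: the Net-NTLMv2 hash described in the article is only exposed when the victim's Outlook client actually authenticates to a host under the attacker's control, which on Windows happens over SMB (TCP 445), and this is why Microsoft's guidance for CVE-2023-23397 also included blocking outbound SMB at the perimeter. The following is an added example written for this page, not code from Microsoft, the BSI or Krebs on Security. It scans firewall log lines for SMB connections from internal hosts to external addresses and separates the ones the firewall allowed (hash likely exposed) from the ones it blocked. The log format, the sample lines and the choice of the three RFC 1918 blocks as "internal" are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample firewall log lines, not taken from the article. The format
# "timestamp src:port -> dst:port proto action" is hypothetical and chosen for
# this example; adapt LINE_RE to the real firewall's export format.
SAMPLE_LOG = """\
2023-03-14T10:01:02Z 10.20.30.41:51234 -> 10.20.30.5:445 tcp allow
2023-03-14T10:01:05Z 10.20.30.41:51240 -> 203.0.113.77:445 tcp allow
2023-03-14T10:02:11Z 10.20.30.42:51301 -> 198.51.100.9:443 tcp allow
2023-03-14T10:03:40Z 10.20.30.43:51388 -> 192.0.2.15:445 tcp deny
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<action>\w+)$"
)

# Address ranges that count as "inside" for this organisation (assumption: the
# three RFC 1918 blocks). Listed explicitly rather than using ip_address.is_private,
# which would also treat documentation ranges such as 203.0.113.0/24 as private
# and so hide the very test addresses used here.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# A Windows client sends NTLM authentication to a remote file share over SMB, so
# TCP 445 from an internal workstation to an external host is the network-level
# signature of a Net-NTLMv2 hash leaving the network.
SMB_PORT = 445


def is_internal(ip_text):
    """True if the address falls inside one of the organisation's internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_external_smb(log_text):
    """Return records for SMB connections from an internal host to an external one."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dport"] == SMB_PORT and is_internal(rec["src"]) and not is_internal(rec["dst"]):
            hits.append(rec)
    return hits


def summarize(log_text):
    """Split hits into connections the firewall let through (hash likely exposed)
    and connections it blocked (attempt observed, hash not exposed)."""
    hits = find_external_smb(log_text)
    return {
        "exposed": [h for h in hits if h["action"] == "allow"],
        "blocked": [h for h in hits if h["action"] != "allow"],
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for rec in result["exposed"]:
        print(f"ALERT {rec['ts']} {rec['src']} -> {rec['dst']}:445 allowed: "
              "credential hash may have left the network; reset that user's password")
    for rec in result["blocked"]:
        print(f"INFO  {rec['ts']} {rec['src']} -> {rec['dst']}:445 denied: "
              "connection attempt blocked, hash not exposed")
```

An allowed hit is the case to act on: the source host's user should be treated as if the password were compromised, and the mailbox on that host is the place to run Microsoft's script. Blocked hits show that the perimeter rule is doing its job but are still worth investigating as evidence that a malicious message reached a mailbox.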
