In a concerning development, Microsoft has issued a warning regarding an ongoing exploitation of a known vulnerability in Outlook by a highly prolific Russian state-sponsored Advanced Persistent Threat (APT) group. APT28, also known as Forest Blizzard, Strontium, or Fancy Bear, has gained notoriety for targeting government, energy, transportation, and non-governmental organizations across the United States, Europe, and the Middle East.
Vulnerability exploitation
Microsoft Defender XDR has detected suspicious activities directly linked to the exploitation of the CVE-2023-23397 vulnerability. As a result, organizations are urged to take immediate action by patching and updating their systems to mitigate this serious threat. It is imperative to note that CVE-2023-23397 was originally disclosed and addressed as a zero-day bug in Microsoft’s March 2023 Patch Tuesday update.
Method of attack
The concerning aspect of this vulnerability is the fact that an attacker can execute the exploit without any user interaction. By sending a carefully crafted email, the attacker can successfully exploit the vulnerability, granting unauthorized access to email accounts. Importantly, all supported versions of Microsoft Outlook for Windows are susceptible to this vulnerability, underscoring the need for comprehensive action to safeguard against potential breaches.
APT28 Exploitation Timeline
Perhaps even more alarming is the fact that APT28 had been effectively exploiting this vulnerability for nearly a year prior to Microsoft addressing and patching the flaw. This extended period of exploitation highlights the group’s ability to remain undetected and underscores the need for greater vigilance in the face of persistent threats. In recognition of their invaluable assistance in identifying and mitigating the techniques employed by the Russian state actor, Microsoft expressed gratitude to the Polish Cyber Command (DKWOC).
Active Exploitation of Other Vulnerabilities
Microsoft has also raised concerns about the potential exploitation of other publicly known vulnerabilities by APT28. Specifically, they have highlighted the possibility of the group targeting the CVE-2023-38831 and CVE-2021-40444 vulnerabilities. Details regarding the extent and nature of exploitation are yet to be fully revealed, but organizations are urged to take these potential threats seriously and ensure necessary security measures are in place.
The active exploitation of a known vulnerability in Outlook by the Russian state-sponsored APT group APT28 serves as a stark reminder of the persistent and evolving nature of cyber threats. Microsoft’s warning highlights the urgent need for organizations to prioritize patching and updating their systems promptly to prevent unauthorized access and potential data breaches. By doing so, they can significantly reduce their risk exposure and fortify their defenses against a wide range of adversaries. The heightened awareness regarding APT28’s activities across the United States, Europe, and the Middle East should serve as a call to action for enhanced cybersecurity measures, code reviews, and continuous monitoring to effectively thwart these sophisticated threats and safeguard critical infrastructure.