#NSBCS.007 - A Frosty Outlook: Forest Blizzard exploits Microsoft Exchange
Microsoft has observed a Russia-based nation-state activity group known as Forest Blizzard actively exploiting CVE-2023-23397 to gain unauthorised access to email accounts on Exchange servers. Read their post here.
Forest Blizzard primarily targets government, energy, transportation, and non-governmental organisations, utilising publicly available exploits in their attacks. Forest Blizzard continually refines its footprint by employing new custom techniques such as spear-phishing operations and malware, suggesting that it is a well-resourced and well-trained group posing long-term challenges in tracking their activities.
CVE-2023-23397 is a critical elevation of privilege vulnerability in Microsoft Outlook on Windows. It allows attackers to leak the user's Net-NTLMv2 hash by abusing a custom sound setting in Outlook, potentially granting access to other systems. A Net-NTLMv2 hash is a cryptographic value derived from a user's password using the NTLMv2 (NT LAN Manager version 2) protocol; Windows systems use it to authenticate users on networks and grant access to resources.
The vulnerability exists in the way Outlook handles reminders and appointments. When a reminder or appointment notification is displayed, Outlook prompts the user with a pop-up window. This window contains a malicious link that, if clicked, can be used to exploit the vulnerability. Once exploited, the attacker can gain access to the victim's entire Outlook profile, including their emails, contacts, and calendar entries.
This vulnerability is relevant because it affects a widely used application and can be exploited remotely without any user interaction. This makes it a very easy target for attackers and creates concerns over the ability of threat actors to access sensitive information, such as emails and contact lists.
To mitigate this threat, it is important for organisations to maintain best practices to uphold cyber security resilience. Effective measures include:
- Utilising Endpoint Detection and Response (EDR) solutions to identify and help prevent exploitation of the vulnerability.
- Educating users about common threat actor techniques to improve the security posture of organisations and reduce the entry points available to groups like Forest Blizzard.
- Reviewing and reporting suspicious messages or calendar items and, if needed, examining network or endpoint logging for potential indicators.
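The third measure above asks for suspicious messages and calendar items to be reviewed. The following is an added example, not code from NSB Cyber or Microsoft, of how a defender might triage exported mailbox items for the custom reminder sound setting described earlier. It assumes a hypothetical flattened record (MailboxItem) that carries the value of the custom reminder sound property (PidLidReminderFileParameter), a constructed set of sample items using documentation-range IP addresses, and a trusted_hosts list supplied by the analyst. It flags every item whose reminder sound points at a UNC path (a remote host) instead of a local file, since a reminder sound that lives on a remote share is the condition a defender wants to find and review.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional


# Hypothetical flattened record of a mailbox item (mail or calendar entry) as a
# mailbox-scanning tool might export it. Field names are this example's own.
@dataclass(frozen=True)
class MailboxItem:
    item_id: str
    sender: str
    subject: str
    reminder_set: bool
    # Value of the custom reminder sound property (PidLidReminderFileParameter),
    # or None when the item has no custom sound configured.
    reminder_file_parameter: Optional[str]


# UNC path: two leading backslashes or forward slashes, then a host, then a separator.
UNC_RE = re.compile(r"^(?:\\\\|//)([^\\/]+)[\\/]")
# Local drive path such as C:\Windows\Media\Alarm01.wav
LOCAL_DRIVE_RE = re.compile(r"^[A-Za-z]:[\\/]")
# Long-form UNC prefix (\\?\UNC\host\share) normalised to the plain \\host\share form.
LONG_UNC_PREFIX = re.compile(r"^\\\\\?\\UNC\\", re.IGNORECASE)


def classify_reminder_path(path: Optional[str]):
    """Classify a reminder sound value as ('empty'|'local'|'unc'|'other', host)."""
    if path is None or not path.strip():
        return ("empty", None)
    p = path.strip()
    if p.lower().startswith("file:"):  # file://host/share/... is still a remote path
        p = p[5:]
    p = LONG_UNC_PREFIX.sub(r"\\\\", p)
    m = UNC_RE.match(p)
    if m:
        return ("unc", m.group(1).lower())
    if LOCAL_DRIVE_RE.match(p):
        return ("local", None)
    return ("other", None)


def triage(items: Iterable[MailboxItem], trusted_hosts: Iterable[str] = ()):
    """Return a finding for every item whose reminder sound points at a remote host.

    Trusted internal hosts are reported at 'info' severity rather than dropped, so an
    analyst confirms them instead of assuming they are benign.
    """
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for item in items:
        kind, host = classify_reminder_path(item.reminder_file_parameter)
        if kind != "unc":
            continue
        findings.append({
            "item_id": item.item_id,
            "sender": item.sender,
            "subject": item.subject,
            "host": host,
            "reminder_set": item.reminder_set,
            "severity": "info" if host in trusted else "high",
        })
    return findings


# Constructed sample data: the hosts use documentation-range addresses (RFC 5737).
SAMPLE_ITEMS = [
    MailboxItem("msg-001", "calendar@corp.example", "Weekly sync", True, None),
    MailboxItem("msg-002", "alice@corp.example", "Dentist", True, r"C:\Windows\Media\Alarm01.wav"),
    MailboxItem("msg-003", "noreply@mail.example", "Invoice reminder", True, r"\\203.0.113.7\share\s.wav"),
    MailboxItem("msg-004", "noreply@mail.example", "Urgent", False, "//198.51.100.20/x/y.wav"),
    MailboxItem("msg-005", "it@corp.example", "Maintenance window", True, r"\\fileserver.corp.example\media\chime.wav"),
    MailboxItem("msg-006", "noreply@mail.example", "Re: quote", True, r"\\?\UNC\203.0.113.9\s\a.wav"),
]
TRUSTED_HOSTS = ("fileserver.corp.example",)


def sample_findings():
    """Run the triage over the constructed sample set."""
    return triage(SAMPLE_ITEMS, TRUSTED_HOSTS)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"[{f['severity']:4}] {f['item_id']} from {f['sender']} -> host {f['host']} "
              f"(reminder set: {f['reminder_set']})")
```

Note that an item is reported even when its reminder is not currently set (msg-004), because the remote path is the indicator worth reviewing regardless of whether the reminder would fire; the finding records the reminder state so the analyst can prioritise. At mailbox scale this is the same property check that Microsoft's published CVE-2023-23397 mitigation script performs; this block only shows the classification logic on a handful of constructed records.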
These measures are important steps to take in safeguarding the integrity, availability and confidentiality of your organisation’s data and sensitive information. NSB Cyber can help you implement and adopt these practices to enhance your cyber security resilience, and effectively take No Steps Backward.
For information on NSB Cyber’s Cyber Resilience capabilities or to book a meeting with our team, click here.
What we read this week
Nissan is investigating cyberattack and potential data breach - On December 6, 2023, Nissan confirmed a cyberattack targeting its systems in Australia and New Zealand. The company is investigating the incident and its potential impact on customer data. While the extent of the breach remains unclear, Nissan warns its customers of a potential data leak and urges them to be vigilant against scams and phishing attempts. The company is working with authorities and its global incident response team to determine the extent of the attack and if any personal information was compromised.
Navy contractor Austal USA confirms cyberattack after data leak - Austal USA, a shipbuilding company and contractor for the US Navy, confirmed a cyberattack and subsequent data leak. The Hunters International ransomware group claimed responsibility and released stolen information online. While Austal claims the attack was quickly mitigated and no classified or personal data was compromised, the exact type and amount of leaked information remains unclear.
Agent Racoon Backdoor Targets Organisations in Middle East, Africa, and U.S. - A new backdoor, dubbed "Agent Racoon," has been discovered targeting organisations in the Middle East, Africa, and the United States. This malware leverages the Domain Name System (DNS) to create a covert communication channel and provide various backdoor functionalities. The malware's capabilities allow attackers to steal sensitive data, execute commands remotely, and gain complete control over compromised systems.
New P2PInfect Botnet MIPS Variant Targeting Routers and IoT Devices - Security researchers have discovered a new variant of the P2PInfect botnet compiled for the MIPS architecture. This variant specifically targets routers and IoT devices, broadening its reach and potential impact. The new variant's ability to infect routers and IoT devices significantly expands the attack surface and increases the botnet's size and power. This could potentially lead to widespread denial-of-service attacks or large-scale data breaches.
Critical Bluetooth Flaw Exposes Android, Apple & Linux Devices to Takeover - A critical Bluetooth security vulnerability, tracked as CVE-2023-45866, has been discovered affecting Android, Apple, and Linux devices. This flaw allows attackers to exploit the Bluetooth pairing process and inject keystrokes, effectively taking control of the targeted device. The vulnerability's severity lies in its widespread impact across platforms. An attacker within Bluetooth range of a vulnerable device can inject keystrokes, manipulate on-screen content, and potentially steal sensitive information.
References
https://www.bleepingcomputer.com/news/security/nissan-is-investigating-cyberattack-and-potential-data-breach/
https://www.bleepingcomputer.com/news/security/navy-contractor-austal-usa-confirms-cyberattack-after-data-leak/
https://thehackernews.com/2023/12/agent-racoon-backdoor-targets.html
https://thehackernews.com/2023/12/new-p2pinfect-botnet-mips-variant.html
https://www.darkreading.com/vulnerabilities-threats/critical-bluetooth-flaw-exposes-android-apple-and-linux-devices-to-keystroke-injection-attack
For further information on how to build and maintain cyber resilience and defend with confidence against the potential for cyber-attacks, including how to access NSB Cyber’s Cyber Threat Intelligence (CTI) reporting tailored to your enterprise technology, geography, sector or brand, contact us via our website or at info@nsbcyber.com.