APT28 exploits Outlook CVE-2023-23397 in Europe
What happened
In March 2023 Microsoft disclosed and patched CVE-2023-23397, a critical elevation-of-privilege vulnerability in Microsoft Outlook for Windows. The flaw allows an attacker to send a specially crafted email that causes the victim's Outlook client to leak a Net-NTLMv2 authentication hash to an attacker-controlled server. According to Germany's BSI, which issued a cybersecurity warning, exploitation requires no user interaction and the vulnerability was already being actively exploited at the time of disclosure; Microsoft rated it CVSS 9.8 and released a fix on 14 March 2023.
According to Microsoft, the activity it tracks as Forest Blizzard (STRONTIUM), an actor publicly known to researchers as APT28, Fancy Bear, Sednit and Sofacy, exploited the vulnerability. The United States and United Kingdom governments have linked Forest Blizzard to Unit 26165 of Russia's military intelligence directorate, the GRU. Microsoft stated it traced potential exploitation of the flaw as early as April 2022, with leaked credentials used to gain unauthorized access to targeted accounts, move laterally and exfiltrate email.
Microsoft reported that the group primarily targets government, energy, transportation and non-governmental organizations across Europe, the United States and the Middle East. The stolen hashes could be relayed against other services to authenticate as the victim.
Assessment
The attribution to Russia's GRU (Unit 26165 / APT28) reflects the assessment of Microsoft and, for the GRU link, statements by the US and UK governments rather than an independently proven finding. The zero-click nature of CVE-2023-23397 and its use against government, military, energy and transportation targets are consistent with a state-sponsored cyber-espionage campaign aimed at credential theft and mailbox access. Continued exploitation reported through late 2023 indicates the flaw remained valuable to the actor well after patching, underscoring the risk posed by unpatched Outlook clients across European critical-infrastructure and government networks.
This dossier summarises open-source reporting and is updated as the investigation develops. Read the original report via the source link.