D1 Defend, Author at D1 Defend - Page 26 of 26 D1 Defend


Threat Intelligence: Microsoft 365 Apps Exploited

Posted: March 16, 2023

A critical vulnerability (CVE-2023-23397) in Microsoft Outlook/365 applications suite is actively being exploited in the wild, requiring urgent patching.

Why worry about CVE-2023-23397?

The CVSS 9.8 bug allows remote, unauthenticated attackers to breach systems and steal credentials by sending a specially crafted email. The malicious email triggers automatically when processed by the Outlook client, even before being viewed in the Preview Pane.

What is impacted by CVE-2023-23397?

This vulnerability affects 32- and 64-bit versions of Microsoft 365 Apps for Enterprise, Office 2013, 2016, and 2019 (including LTSC).

How the attack works

The attack is initiated through a malicious email that causes the victim's Outlook client to connect to a location under attacker control. That connection leaks the victim's Net-NTLMv2 hash to the attacker, who can then authenticate as the victim.

What you can do about CVE-2023-23397

Microsoft suggests mitigations such as adding users to the “Protected Users Security Group” and blocking TCP 445/SMB outbound from your network. The vulnerability was found by CERT-UA, Microsoft Incident Response, and Microsoft Threat Intelligence.
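One way to check that the outbound SMB block is actually holding is to look for TCP/445 flows from internal hosts to non-internal destinations in firewall or flow logs. The script below is an added example, not code from the post or from Microsoft; it assumes a simple whitespace-separated flow record (src dst proto dst_port) and that "internal" means RFC 1918, loopback and IPv6 ULA ranges, and the sample records are constructed.

```python
import ipaddress

# Assumption: "internal" means the RFC 1918 ranges, loopback and IPv6 ULA;
# adjust this list to your own address plan. Anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "::1/128",
)]
SMB_PORT = 445  # the port the mitigation blocks outbound

# Constructed sample flow records (not from the post): src dst proto dst_port
SAMPLE_FLOWS = """\
10.0.5.23 10.0.1.10 tcp 445
10.0.5.23 203.0.113.45 tcp 445
10.0.5.24 198.51.100.7 tcp 443
fd00::1a 2001:db8::9 tcp 445
10.0.5.26 203.0.113.60 udp 445
this line is malformed
"""

def is_internal(addr):
    """True if addr falls inside one of the configured internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS if net.version == ip.version)

def parse_flow(line):
    """Parse one record; return None for malformed lines instead of raising."""
    parts = line.split()
    if len(parts) != 4:
        return None
    src, dst, proto, dport = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return {"src": src, "dst": dst, "proto": proto.lower(), "dport": int(dport)}
    except ValueError:
        return None

def is_external_smb(flow):
    """SMB runs over TCP: flag TCP/445 from an internal host to a non-internal destination."""
    return (flow["proto"] == "tcp" and flow["dport"] == SMB_PORT
            and is_internal(flow["src"]) and not is_internal(flow["dst"]))

def find_external_smb(text):
    """Return every flow in the log text that should have been blocked."""
    flows = (parse_flow(line) for line in text.splitlines())
    return [f for f in flows if f is not None and is_external_smb(f)]

if __name__ == "__main__":
    for f in find_external_smb(SAMPLE_FLOWS):
        print(f"ALERT outbound SMB: {f['src']} -> {f['dst']}:{f['dport']}")
```

A non-empty result after the block is in place means either the rule is not applied on that path or a host is reaching SMB through a route the firewall does not see.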

At least 15 European organizations in government, military, energy, and transportation sectors have been targeted with the attacks attributed to Russian military intelligence.

We strongly advise immediate patching or implementation of the suggested mitigations. Remember, with patching, start with a test group first. For more information on patch best practices, I’d recommend watching SecOps 140: Windows 10 & 11 Patching.

Further attacks are expected as the patch is reverse-engineered, and more threat actors identify the exploit.

If you have any questions, concerns or would like further information, please do not hesitate to reach out to our security desk or one of our security advisors.


Threat Intelligence: Unpatched Zoho ManageEngine Products are Being Actively Targeted by Cyberattacks

Posted: January 25, 2023

On Monday, January 23rd, CISA officially recognized the issue and posted an advisory (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) for both public and private entities, warning of a set of actively exploited vulnerabilities that bring a high risk of abuse.

Attackers are actively exploiting a number of Zoho ManageEngine products, including but not limited to: Active Directory 360, ADSelfServicePlus, ADManagerPlus, EndPoint Central, and EndPoint Central MSP.

According to a recently released security advisory (https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html) connected to a confirmed CVE (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47966), at least 24 individual ManageEngine products may be affected by this critical exploit.

The exploit allows for remote code execution, which can instantly lead to SYSTEM-level access. A scan of internet-facing devices estimates that at least 10% of all exposed instances of ManageEngine products may be vulnerable.

If your ManageEngine products currently have, or have ever had, SAML authentication enabled, they may be vulnerable. Remediation relies on having the latest patches, so please refer to this advisory page (https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html) to download the necessary upgrades/hotfixes for your product.

Since this exploit covers such a wide range of ManageEngine products, now might be a good time to run a Galactic scan on your environment as well as your clients for previously unknown software that may belong to the Zoho ManageEngine family.

ManageEngine products are heavily used both within the MSP space and across enterprises worldwide. Federal agencies have been given 3 weeks, until February 13th, to patch this vulnerability. Please check your environments for it.

Based on previous data from the dark-web and underground sources, we have seen that ManageEngine products are a prime target (https://www.bleepingcomputer.com/news/security/hackers-sell-access-to-your-network-via-remote-management-apps/) for both cyber-attackers and brokers of stolen data.

If you have any questions, concerns or would like further information, please do not hesitate to reach out to our security desk or one of our security advisors.


Threat Intelligence: 2FA Bypass Attack

January 2023

A number of Comcast customers logged into their Xfinity email accounts only to discover that they had been hacked. The source of these widespread attacks seems to be an exploit that allows an attacker to bypass Xfinity two-factor authentication (2FA) for Xfinity accounts.

A quick look into the hacker underground reveals that there is a privately circulated tool that bypasses the one-time passcode (OTP) used in 2FA. First, the attackers compromise an Xfinity email account using stolen passwords that have been leaked on the Dark Web. From there, they log in with the stolen passwords and use a private 2FA bypass tool to get around phone verification.

After that, the password is reset, and any backup or secondary emails are changed to one the attacker controls. Once the threat actors have access to the Xfinity email, they use this email to attempt a password reset on other services with the ‘Forgot my Password’ feature.

They have been observed using this method to compromise Dropbox, Evernote and even cryptocurrency exchange accounts such as Coinbase and Gemini.

There are a few important things to note in these attacks:

  • 2FA was not enough. The hackers bypassed it.
  • Those who regained access to their accounts did so because they noticed a change in 2FA from monitoring their email accounts.
  • The accounts were originally compromised via “credential stuffing”, which uses leaked passwords found on the Dark Web.

These are all common pain points that Galactic Scan monitors for. This is why we add findings related to leaked passwords to our reports, and why we provide educational training videos on the weaknesses in MFA and on how to use alerting to stay prepared against being compromised.

Comcast has not released an official statement as of this communication, and it is unknown how many accounts were compromised. If you have a Comcast email account, we recommend that you immediately update your password and check the recovery email and 2FA information you have on file. Reach out to Comcast Xfinity support if necessary.

It is also a good idea to review your other accounts and services in case they are compromised.

If you have any questions or concerns, contact us!
