{"id":619642,"date":"2023-03-19T09:49:01","date_gmt":"2023-03-19T14:49:01","guid":{"rendered":"https:\/\/news.sellorbuyhomefast.com\/index.php\/2023\/03\/19\/mandiant-dangerous-ms-outlook-zero-day-widely-used-against-ukraine\/"},"modified":"2023-03-19T09:49:01","modified_gmt":"2023-03-19T14:49:01","slug":"mandiant-dangerous-ms-outlook-zero-day-widely-used-against-ukraine","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2023\/03\/19\/mandiant-dangerous-ms-outlook-zero-day-widely-used-against-ukraine\/","title":{"rendered":"Mandiant: Dangerous MS Outlook zero-day widely used against Ukraine"},"content":{"rendered":"<div>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.computerweekly.com\/visuals\/German\/article\/malware-ransomware-danger-adobe_searchsitetablet_520X173.jpg\" data-credit=\"Negro Elkha - stock.adobe.com\"  width=\"520\" height=\"173\" alt><\/p>\n<p>Negro Elkha &#8211; stock.adobe.com<\/p>\n<\/div>\n<div id=\"content-header\">\n<h2>A zero-day vulnerability in Microsoft Outlook that was fixed in the March Patch Tuesday update has likely been actively exploited by Russian actors for a year or more, and its use will now spread rapidly<\/h2>\n<\/div>\n<div id=\"content-center\">\n<div id=\"contributors-block\">\n<p><img decoding=\"async\" src=\"https:\/\/cdn.ttgtmedia.com\/rms\/computerweekly\/Alex-Scroxton-CW-Contributor-2022.jpg\" alt=\"Alex Scroxton\"><\/p>\n<p><span>By<\/span><\/p>\n<ul>\n<li><a href=\"https:\/\/www.techtarget.com\/contributor\/Alex-Scroxton\">Alex Scroxton,<\/a><br \/>\n<span>Security Editor<\/span><\/li>\n<\/ul>\n<p>Published: <span>16 Mar 2023 12:15<\/span><\/p>\n<\/div>\n<section id=\"content-body\">\n<p>A serious elevation of privilege vulnerability in Microsoft Outlook, which was disclosed and patched earlier this week in <a 
href=\"https:\/\/www.computerweekly.com\/news\/365532714\/Microsoft-patches-Outlook-zero-day-for-March-Patch-Tuesday\">Microsoft\u2019s latest Patch Tuesday update<\/a>, has likely been exploited by Russian state-backed threat actors against Ukrainian targets for at least 12 months.<\/p>\n<p>John Hultquist, head of <a href=\"https:\/\/www.mandiant.com\/\">Google Mandiant Intelligence Analysis<\/a>, said that following its public disclosure, he anticipated broad and rapid adoption of CVE-2023-23397 by multiple nation-state and financially motivated actors, probably including ransomware gangs. In the coming days and weeks, he warned, these groups will be engaged in a race to exploit the vulnerability before it\u2019s patched, to gain a foothold in target systems. Computer Weekly understands that proof-of-concept exploits are already circulating.<\/p>\n<p>\u201cThis is more evidence that aggressive, disruptive and destructive cyber attacks may not remain constrained to Ukraine and a reminder that we cannot see everything,\u201d he said. \u201cWhile preparations for attacks do not necessarily indicate they are imminent, the geopolitical situation should give us pause.<\/p>\n<p>\u201cThis is also a reminder that we cannot see everything going on with this conflict. These are spies and they have a long track record of successfully evading our notice,\u201d said Hultquist. \u201cThis will be a propagation event. This is an excellent tool for nation-state actors and criminals alike who will be on a bonanza in the short term. 
The race has already begun.\u201d<\/p>\n<p>Exploitation of <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2023-23397\">CVE-2023-23397<\/a> begins with a specially crafted email sent to the victim; because the flaw is triggered server-side, it can be exploited before the email is opened and viewed.<\/p>\n<p>This email will have been crafted with an extended Messaging Application Programming Interface (MAPI) property containing a Universal Naming Convention (UNC) path to a Server Message Block (SMB) share on a server the attacker controls.<\/p>\n<p>When this email is received, a connection opens to the attacker\u2019s SMB share and the victim\u2019s Windows New Technology LAN Manager (NTLM) authentication protocol sends a negotiation message. This in turn can be seen and used by the attacker to discover the victim\u2019s Net-NTLMv2 hash, extract it, and relay it to other systems in the victim\u2019s environment, authenticating to them as the compromised user without needing to be in possession of their credentials.<\/p>\n<p>In this way, the attacker not only gains a foothold in their target environment, but is able to begin lateral movement. 
Mandiant considers it a high-risk vulnerability because it can be used to elevate privileges without user interaction.<\/p>\n<p>It was discovered by the national Computer Emergency Response Team (CERT) of Ukraine, <a href=\"https:\/\/cert.gov.ua\/\">CERT-UA<\/a>, alongside Microsoft researchers, and according to Mandiant, it has been widely exploited by Russia in the past year to target organisations and critical infrastructure in Ukraine, in the service of intelligence collection and disruptive and destructive attacks on the country.<\/p>\n<p>Mandiant has also seen it being used in attacks on targets in the defence, government, oil and gas, logistics, and transportation sectors in Poland, Romania and Turkey.<\/p>\n<p>Mandiant\u2019s research team has created a new designation \u2013 UNC4697 \u2013 to track exploitation of the zero-day, which is being widely attributed to APT28, an advanced persistent threat group backed by Russia\u2019s GRU intelligence agency, also known as <a href=\"https:\/\/www.ncsc.gov.uk\/news\/indicators-of-compromise-for-malware-used-by-apt28\">Fancy Bear<\/a> or Strontium. This is a high-profile threat actor previously implicated in Russian attacks on the International Olympic Committee and the <a href=\"https:\/\/www.computerweekly.com\/news\/252488915\/Russian-interference-in-US-elections-ramps-up-on-schedule\">US presidential elections of 2016 and 2020<\/a>. 
It frequently works with <a href=\"https:\/\/www.computerweekly.com\/news\/252515855\/Sandworm-rolls-out-Industroyer2-malware-against-Ukraine\">GRU actor Sandworm<\/a>.<\/p>\n<\/section>\n<\/div>\n<p><a 
href=\"https:\/\/www.computerweekly.com\/news\/365532660\/Mandiant-Dangerous-MS-Outlook-zero-day-widely-used-against-Ukraine\" class=\"button purchase\" rel=\"nofollow noopener\" target=\"_blank\">Read More<\/a><br \/>\n Margarete Culton<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Negro Elkha &#8211; stock.adobe.com A zero-day vulnerability in Microsoft Outlook that was fixed in the March Patch Tuesday update has likely been actively exploited by Russian actors for a year or more, and its use will now spread rapidly By Alex Scroxton, Security Editor Published: 16 Mar 2023 12:15 A serious elevation of privilege vulnerability<\/p>\n","protected":false},"author":1,"featured_media":619643,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[228,89896,46],"tags":[],"class_list":{"0":"post-619642","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-dangerous","8":"category-mandiant","9":"category-technology"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/619642","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/comments?post=619642"}],"version-history":[{"count":0,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/619642\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media\/619643"}],"wp:attachment":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media?parent=619642"}],"wp:term":[{"taxonomy":"category","embeddab
le":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/categories?post=619642"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/tags?post=619642"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}