A prolific Russian state-sponsored APT group is actively exploiting a known vulnerability in Outlook to access email accounts in Exchange servers, Microsoft has warned.
APT28 (aka Forest Blizzard, Strontium, Fancy Bear) is known to target government, energy, transportation and non-governmental organizations in the US, Europe and the Middle East, Microsoft Threat Intelligence claimed on X (formerly Twitter).
“Microsoft Defender XDR detects activities affiliated with the exploitation of CVE-2023-23397, and additional mitigation info and guidance is detailed in our blog. Organizations should ensure systems are patched and kept up to date to mitigate this threat,” it added.
CVE-2023-23397 was first disclosed and patched as a zero-day bug in Microsoft’s March 2023 Patch Tuesday update round. It was described as a critical elevation of privilege vulnerability in Outlook with a CVSS score of 9.8.
An attack exploiting the bug could be executed without any user interaction, simply by sending a specially crafted email; the exploit is triggered automatically when the message is retrieved by the email server. This could mean a user’s machine is exploited before they are even able to view the message in the Preview Pane.
All supported versions of Microsoft Outlook for Windows are affected, and it’s believed that APT28 had been exploiting the vulnerability for almost a year before it was patched by Microsoft.
The Redmond giant thanked the Polish Cyber Command (DKWOC) for helping it identify and mitigate techniques used by the Russian state actor.