A critical vulnerability in Microsoft Outlook for Windows, CVE-2023-23397, has put organizations worldwide at risk. It lets a remote attacker obtain a user's Net-NTLMv2 hash (the NTLM authentication response, not the password hash stored in Active Directory) simply by sending a crafted email: Outlook processes the message when it is retrieved, so the victim does not have to open it or click anything. A leaked hash can lead to compromised accounts and systems, and from there to financial loss, reputational damage and legal liability.
In response, Microsoft has released a PowerShell script that administrators can run against Exchange Online or on-premises Exchange Server mailboxes to find messages, calendar items and tasks carrying the malicious property. The script lists the items it finds and can then either clear the property or delete the offending items outright. Note that it only finds items already delivered to mailboxes; it does not stop new ones, so it complements the patch rather than replacing it.
Even with the script, organizations remain exposed until they patch, and the attack is cheap to mount. Dominic Chell, a red team member at MDSec, showed that the bug is easy to exploit through an Outlook calendar item. Outlook stores the path of a custom reminder sound in the extended MAPI property PidLidReminderFileParameter; Chell found that setting that property on a received item to a UNC path (for example a share on an attacker-controlled server) makes Outlook connect to it when the reminder fires, and the SMB connection carries the user's NTLM authentication, leaking the Net-NTLMv2 hash to the attacker.
The attacker's server can relay that authentication to other services that accept NTLM (an NTLM relay attack) and so gain access to the corporate network, or attempt to crack the captured response offline. The trigger is not limited to calendar items: the same property can be set on Outlook tasks, notes and email messages, and vulnerable versions follow the path even when it points to a host outside the Intranet and Trusted Sites zones, which is how an attacker on the Internet receives the authentication.
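The following PowerShell is an added example, not the article's text and not Microsoft's CVE-2023-23397 script. It shows what the indicator looks like in practice: a classifier for PidLidReminderFileParameter values (UNC forms, including the `\\host@port\` WebDAV spelling, are the exploit pattern), a constructed set of sample values (not from any real mailbox) run through it, and a function that reads the property from a local Outlook profile via COM. The MAPI schema string, folder constants and the `Outlook.Application` COM model are real; the sample values, hostnames and function names are assumptions.

```powershell
# Added example (not the article's or Microsoft's code): flag PidLidReminderFileParameter
# values that point off-host, and optionally walk a local Outlook profile with COM.
# Assumptions: Outlook for Windows is installed for Find-ReminderFileParameter; the
# sample values below are constructed, not taken from a real mailbox.

# MAPI named property PidLidReminderFileParameter: property set PSETID_Common
# {00062008-0000-0000-C000-000000000046}, dispid 0x851F, type PT_UNICODE (0x001F).
$ReminderFileSchema = 'http://schemas.microsoft.com/mapi/id/{00062008-0000-0000-C000-000000000046}/851F001F'

function Test-ReminderFileParameter {
    <# Classify one property value. Legitimate clients almost never set it, so any
       value deserves a look; UNC-style paths are the exploit pattern. #>
    param([AllowNull()][string]$Value)

    if ([string]::IsNullOrWhiteSpace($Value)) {
        return [pscustomobject]@{ Severity = 'None'; Reason = 'property not set'; TargetHost = $null; Value = $Value }
    }
    # \\host\share, \\host@80\dav (WebDAV), \\?\UNC\host\share and forward-slash forms
    $m = [regex]::Match($Value, '^(?:\\\\\?\\UNC\\|\\\\|//)(?<host>[^\\/]+)[\\/]')
    if ($m.Success) {
        $h = $m.Groups['host'].Value -replace '@.*$', ''   # drop @port / @SSL WebDAV suffix
        return [pscustomobject]@{ Severity = 'High'; Reason = 'UNC path triggers NTLM auth'; TargetHost = $h; Value = $Value }
    }
    return [pscustomobject]@{ Severity = 'Review'; Reason = 'property set to a non-UNC value'; TargetHost = $null; Value = $Value }
}

function Find-ReminderFileParameter {
    <# Walk Inbox, Calendar, Notes and Tasks of the default Outlook profile and report
       every item on which the property is set. #>
    $outlook = New-Object -ComObject Outlook.Application
    $ns = $outlook.GetNamespace('MAPI')
    # OlDefaultFolders: olFolderInbox=6, olFolderCalendar=9, olFolderNotes=12, olFolderTasks=13
    foreach ($folderId in 6, 9, 12, 13) {
        $folder = $ns.GetDefaultFolder($folderId)
        foreach ($item in @($folder.Items)) {
            try {
                $val = $item.PropertyAccessor.GetProperty($ReminderFileSchema)
            } catch {
                continue   # GetProperty throws when the named property is absent, the normal case
            }
            $r = Test-ReminderFileParameter $val
            [pscustomobject]@{
                Folder       = $folder.Name
                MessageClass = $item.MessageClass
                Subject      = $item.Subject
                Severity     = $r.Severity
                TargetHost   = $r.TargetHost
                Value        = $r.Value
                EntryID      = $item.EntryID   # keep for later deletion or forensics
            }
        }
    }
}

# Constructed sample values (not from any real mailbox) run through the classifier.
$samples = @(
    $null,
    'C:\Windows\Media\Alarm01.wav',
    '\\203.0.113.10\share\reminder.wav',
    '\\dav.example.test@80\webdav\r.wav',
    '\\?\UNC\203.0.113.10\share\a.wav'
)
$samples | ForEach-Object { Test-ReminderFileParameter $_ } | Format-Table Severity, TargetHost, Value -AutoSize

# Live check of the local profile (requires Outlook; run in the user's own session):
# Find-ReminderFileParameter | Where-Object Severity -ne 'None' | Format-Table
```

The classifier reports any set value, not just UNC paths, because the property is essentially never populated by normal clients; the `TargetHost` field gives you something to block at the firewall and to search for in proxy and SMB logs. For an organization-wide sweep use Microsoft's script against Exchange; the COM walk above is a per-user spot check and sees only what the local profile has synchronized.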
To protect your organization, apply Microsoft's Outlook security update for CVE-2023-23397 immediately. As interim mitigations, add high-value accounts to the Protected Users group in Active Directory, which prevents those accounts from authenticating with NTLM at all (it also disables weaker Kerberos encryption types and delegation, so test before rolling it out widely), and block outbound SMB (TCP port 445) at the perimeter firewall, on local firewalls and in VPN configurations so that NTLM authentication messages cannot reach remote file shares.
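The following is an added example of applying the two interim mitigations with built-in cmdlets; it is not the article's code and not Microsoft's published script. `New-NetFirewallRule`, `Get-NetFirewallPortFilter`, `Add-ADGroupMember` and the Protected Users group are real; the rule name, the `alice` and `bob` account names and the function names are placeholders, and it assumes an elevated session on a domain-joined host with the RSAT ActiveDirectory module available.

```powershell
# Added example (not the article's or Microsoft's code): apply the two interim
# mitigations with built-in cmdlets. Assumptions: run in an elevated session on a
# domain-joined host; the RSAT ActiveDirectory module is available for the
# Protected Users part; 'alice' and 'bob' are placeholder account names.

function Block-OutboundSmb {
    <# Local-firewall block of outbound TCP/445. Microsoft's guidance is to block it
       at the perimeter, on hosts and in VPN settings; this covers the host part. #>
    param(
        [string]$Name = 'Block outbound SMB (CVE-2023-23397 mitigation)',
        # 'Any' matches the guidance; the built-in keyword 'Internet' limits the block
        # to non-intranet addresses if on-premises file shares must stay reachable.
        [ValidateSet('Any', 'Internet')][string]$RemoteAddress = 'Any'
    )
    $existing = Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Warning "Firewall rule '$Name' already exists; leaving it unchanged"
        return $existing
    }
    New-NetFirewallRule -DisplayName $Name -Direction Outbound -Action Block `
        -Protocol TCP -RemotePort 445 -RemoteAddress $RemoteAddress `
        -Profile Any -Enabled True
}

function Test-OutboundSmbBlocked {
    <# Confirm that an enabled outbound block rule for remote port 445 exists. #>
    Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-NetFirewallPortFilter).RemotePort -contains '445' } |
        Select-Object DisplayName, Profile
}

function Add-ToProtectedUsers {
    <# Membership in Protected Users stops NTLM for the account, which is why it
       mitigates this leak. It also disables DES/RC4 Kerberos keys and all delegation
       and caps TGT lifetime at 4 hours, so anything still depending on those breaks:
       start with privileged accounts and test before widening the rollout. #>
    param([Parameter(Mandatory)][string[]]$SamAccountName)
    Import-Module ActiveDirectory -ErrorAction Stop
    foreach ($sam in $SamAccountName) {
        $user = Get-ADUser -Identity $sam -ErrorAction Stop
        Add-ADGroupMember -Identity 'Protected Users' -Members $user
        Write-Verbose "Added $($user.SamAccountName) to Protected Users"
    }
    Get-ADGroupMember -Identity 'Protected Users' | Select-Object SamAccountName, objectClass
}

# Usage (placeholders; run elevated):
# Block-OutboundSmb -RemoteAddress Any
# Test-OutboundSmbBlocked
# Add-ToProtectedUsers -SamAccountName 'alice', 'bob' -Verbose
```

The two mitigations cover different gaps: the port block stops the leak to Internet hosts but not to an attacker-controlled share already inside the network, while Protected Users stops NTLM for the listed accounts regardless of where the share is but cannot be applied to every account without breaking NTLM-dependent services. Neither replaces the patch.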
Organizations should also train employees to recognise phishing emails and other suspicious messages, such as unexpected links or attachments and requests for sensitive information. That training will not stop this particular bug, which needs no click, but it does blunt the phishing that typically follows credential theft. Keeping all software and systems current with security patches remains essential.
Taken together, applying Microsoft's update, deploying the interim mitigations and watching for signs of exploitation give organizations a good chance of avoiding this vulnerability and keeping their sensitive data and systems secure.