Russian state-sponsored hackers exploiting Outlook vulnerability, Microsoft warns


Microsoft is urging Outlook users to patch and update their systems to mitigate a threat from Russia. Hackers associated with the Kremlin's military intelligence agency, the GRU, are exploiting the vulnerability to access victims' emails.

Microsoft warned that a nation-state actor tracked as Forest Blizzard (also known as APT28 or Fancy Bear) is actively exploiting a vulnerability to gain covert, unauthorized access to email accounts on Exchange servers. The US and the UK have linked this group to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).

No user interaction is required, according to Polish Cyber Command, which partnered with Microsoft in the investigation of the attacks. The threat actors send a specially crafted message carrying a reminder whose custom sound-file path (the extended MAPI property PidLidReminderFileParameter) points at a server the attacker controls. When the reminder fires while Outlook is open, the client connects to that server and leaks the user's NTLM authentication hash (the Net-NTLMv2 response). The attackers then use it to authenticate to Exchange as the victim and modify folder permissions within the victim's mailbox.

“In cases identified by Polish Cyber Command, folder permissions were modified, among others, in mailboxes that were high-value information targets for the adversary. As a result of this change, the adversary was able to gain unauthorized access to the resources of high-value informational mailboxes through any compromised email account in the Exchange organization, using the Exchange Web Services (EWS) protocol”, the report states.
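The two indicators described above, a reminder path pointing off-box and folder permissions widened to non-owners, are what a defender would hunt for in exported mailbox items and folder-permission listings. The following is an added example written for this article; it is not code from Microsoft or Polish Cyber Command. The message records, the permission records (shaped like Get-MailboxFolderPermission output), and the trusted domain suffix `.corp.example` are all constructed assumptions.

```python
"""Triage helpers for the CVE-2023-23397 pattern: flag messages whose
reminder sound path points at a remote host, and flag mailbox folder
permissions that let non-owners read the folder over EWS.

Added example; inputs below are constructed, not real telemetry."""
import ipaddress
import re
from urllib.parse import urlparse

# MAPI named property carrying the custom reminder sound path. A UNC or
# WebDAV path here makes Outlook authenticate to the named host when the
# reminder fires, leaking the Net-NTLMv2 response.
REMINDER_FILE_PARAMETER = "PidLidReminderFileParameter"

UNC_RE = re.compile(r"^\\\\([^\\]+)")  # \\host\share\file -> host

# Address ranges treated as inside the organisation (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "::1/128")]


def reminder_target_host(value):
    """Return the remote host named by a reminder path, or None when the
    path is empty or local (e.g. C:\\Windows\\Media\\ding.wav)."""
    if not value:
        return None
    m = UNC_RE.match(value)
    if m:
        return m.group(1)
    u = urlparse(value)
    if u.scheme in ("file", "http", "https") and u.hostname:
        return u.hostname
    return None


def is_external(host, trusted_suffixes=(".corp.example",)):
    """True when the host is outside the organisation. Handles the
    WebDAV form \\\\host@80\\share used to force HTTP instead of SMB."""
    host = host.split("@")[0].lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return not host.endswith(trusted_suffixes)  # hostname, not IP
    return not any(ip in net for net in INTERNAL_NETS)


def triage_messages(messages, trusted_suffixes=(".corp.example",)):
    """Return (id, host, external) for messages whose reminder path
    names a remote host; external hosts are listed first."""
    hits = []
    for msg in messages:
        host = reminder_target_host(msg.get(REMINDER_FILE_PARAMETER))
        if host is None:
            continue
        hits.append((msg["id"], host, is_external(host, trusted_suffixes)))
    return sorted(hits, key=lambda h: not h[2])


# Exchange folder roles that include read access to items.
READ_RIGHTS = {"Owner", "PublishingEditor", "Editor", "PublishingAuthor",
               "Author", "NonEditingAuthor", "Reviewer"}


def suspicious_folder_permissions(entries, mailbox_owner):
    """Flag folder entries granting read rights to anyone but the owner.
    'Default' or 'Anonymous' with read rights opens the folder to every
    account in the organisation, the post-exploitation change described
    in the Polish report."""
    flagged = []
    for e in entries:
        if e["user"] == mailbox_owner:
            continue
        if READ_RIGHTS & set(e["rights"]):
            flagged.append((e["folder"], e["user"], sorted(e["rights"])))
    return flagged


# Constructed sample input (not real mailbox data).
MESSAGES = [
    {"id": "msg-1", "subject": "Budget review",
     REMINDER_FILE_PARAMETER: r"\\203.0.113.7\share\reminder.wav"},
    {"id": "msg-2", "subject": "Standup",
     REMINDER_FILE_PARAMETER: r"\\fileserver.corp.example\sounds\ding.wav"},
    {"id": "msg-3", "subject": "Lunch", REMINDER_FILE_PARAMETER: None},
    {"id": "msg-4", "subject": "Sync",
     REMINDER_FILE_PARAMETER: r"\\203.0.113.7@80\dav\r.wav"},
]
PERMISSIONS = [
    {"folder": "Inbox", "user": "alice", "rights": ["Owner"]},
    {"folder": "Inbox", "user": "Default", "rights": ["Reviewer"]},
    {"folder": "Inbox", "user": "Anonymous", "rights": ["None"]},
    {"folder": "Sent Items", "user": "bob", "rights": ["Reviewer"]},
]

if __name__ == "__main__":
    for mid, host, ext in triage_messages(MESSAGES):
        print(f"{mid}: reminder path -> {host} ({'EXTERNAL' if ext else 'internal'})")
    for folder, user, rights in suspicious_folder_permissions(PERMISSIONS, "alice"):
        print(f"{folder}: {user} has {rights}")
```

An internal hostname in the reminder path is not automatically benign: the host could itself be compromised, so the script lists those hits too, just after the external ones. In a live environment the same checks would be run against the property values Microsoft's own CVE-2023-23397 audit script extracts and against Get-MailboxFolderPermission output for the high-value mailboxes.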

The vulnerability (CVE-2023-23397) affects all supported versions of Microsoft Outlook for Windows. Outlook clients on other platforms, such as Android, iOS and macOS, and Outlook on the web are unaffected.

“To address this vulnerability, you must install the Outlook security update, regardless of where your mail is hosted (e.g., Exchange Online, Exchange Server, some other platform) or your organization’s support for NTLM authentication,” Microsoft warns.

The company released a fix for this vulnerability on March 14th, 2023, as part of its monthly Patch Tuesday updates.

Under Microsoft's naming taxonomy, threat actors are named after weather themes, and Russian actors all carry the surname "Blizzard". Forest Blizzard primarily targets government, energy, transportation, and non-governmental organizations in the United States, Europe, and the Middle East.

The group also seeks out and employs other publicly available exploits. Using a WinRAR vulnerability (CVE-2023-38831), the threat actor has targeted Ukrainian government agencies since at least September 2023, and it is known to use at least six other exploits.

“Forest Blizzard continually refines its footprint by employing new custom techniques and malware, suggesting that it is a well-resourced and well-trained group posing long-term challenges to attribution and tracking its activities,” Microsoft’s report reads.