Hackers use known Microsoft Outlook Privilege Escalation Bug

News Summary:

  • Microsoft determined that these operations were carried out by Russia-based actors and were used in targeted attacks against a limited number of organizations.

  • In response to the discovery of CVE-2023-23397, a critical vulnerability in Microsoft Outlook that is being actively exploited by threat actors, Cisco Talos urges all Outlook users to update their email clients as soon as possible.

Attacks exploiting this vulnerability were carried out from mid-April to December 2022.

The “PidLidReminderFileParameter” property lets the client specify the filename of the audio file to play when the object’s reminder becomes due.

Vulnerability CVE-2023-23397 affects all Microsoft Outlook products running on the Windows operating system. It is a privilege escalation vulnerability involving NTLM authentication that can be exploited to steal credentials and gain easy access to an organization. The threat actor can create an email, calendar invitation, or task that contains the extended MAPI attribute “PidLidReminderFileParameter”.

An attacker uses this PidLidReminderFileParameter property to specify a Universal Naming Convention (UNC) path pointing to an attacker-controlled SMB share.

An attacker can use the Net-NTLMv2 hash sent by a vulnerable system to mount an NTLM relay attack against another system.
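The condition the article describes is a reminder sound path that points at a remote host instead of a local file. The following is an added example, not code from the article or from Microsoft or Cisco Talos, showing how a defender could audit exported mail items for that condition: it reads the PidLidReminderFileParameter value of each item, extracts the host from UNC (\\host\share) or file:// forms, and flags any host that is not on an internal allow-list. The message records, the sender addresses and the hosts (203.0.113.10, corp.example) are constructed sample data; the `props` dictionary is an assumed representation of the item's extended MAPI properties, since real exports vary by tool.

```python
"""Flag mail items whose PidLidReminderFileParameter points at a remote
(UNC or file://) path, the condition CVE-2023-23397 abuses.

Added example with constructed sample data; not the article's code.
"""
import re
from typing import Dict, Iterable, List, Optional

PROP_NAME = "PidLidReminderFileParameter"

# \\host\share\file : two leading backslashes, then the host name
UNC_RE = re.compile(r"^\\\\([^\\/]+)(?:[\\/].*)?$")
# file://host/share/file, which Windows also resolves over SMB
FILE_URL_RE = re.compile(r"^file:(?://)?([^/\\]+)[/\\]", re.IGNORECASE)


def extract_unc_host(value: str) -> Optional[str]:
    """Return the host named by a UNC or file:// reminder path, or None
    for a local path such as C:\\Windows\\Media\\reminder.wav."""
    value = value.strip()
    match = UNC_RE.match(value) or FILE_URL_RE.match(value)
    return match.group(1).lower() if match else None


def is_trusted_host(host: str, trusted_suffixes: Iterable[str]) -> bool:
    """Trusted if the host is, or is a subdomain of, a listed internal name."""
    host = host.lower()
    return any(host == s or host.endswith("." + s)
               for s in (x.lower() for x in trusted_suffixes))


def assess_reminder_path(value: str, trusted_suffixes: Iterable[str]) -> str:
    """Classify a reminder sound path: 'local', 'internal' or 'external-unc'."""
    host = extract_unc_host(value)
    if host is None:
        return "local"
    return "internal" if is_trusted_host(host, trusted_suffixes) else "external-unc"


def scan_messages(messages: List[Dict], trusted_suffixes: Iterable[str]) -> List[Dict]:
    """Return one finding per item whose reminder path names an untrusted host."""
    findings = []
    for msg in messages:
        value = msg.get("props", {}).get(PROP_NAME)
        if value is None:
            continue  # no reminder sound set on this item
        if assess_reminder_path(value, trusted_suffixes) == "external-unc":
            findings.append({
                "subject": msg["subject"],
                "sender": msg["sender"],
                "path": value,
                "host": extract_unc_host(value),
            })
    return findings


# Constructed sample items; 'props' stands in for the item's extended MAPI properties.
SAMPLE_MESSAGES = [
    {"subject": "Team sync", "sender": "alice@corp.example",
     "props": {PROP_NAME: r"C:\Windows\Media\reminder.wav"}},
    {"subject": "Quarterly review", "sender": "bob@corp.example",
     "props": {PROP_NAME: "file://fileserver.corp.example/media/chime.wav"}},
    {"subject": "Invoice reminder", "sender": "billing@example.invalid",
     "props": {PROP_NAME: r"\\203.0.113.10\share\alert.wav"}},
    {"subject": "Lunch", "sender": "carol@corp.example", "props": {}},
]
TRUSTED_SUFFIXES = ["corp.example"]  # constructed internal domain

if __name__ == "__main__":
    for finding in scan_messages(SAMPLE_MESSAGES, TRUSTED_SUFFIXES):
        print(f"FLAG  {finding['subject']!r} from {finding['sender']}: "
              f"reminder path {finding['path']} -> host {finding['host']}")
```

Only the item whose reminder path names a host outside the trusted domain is reported; a local WAV file and a share on an internal file server pass. In an incident-response setting the flagged sender, path and host are the artefacts to pivot on, alongside the outbound SMB traffic from the affected client.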