Microsoft released its monthly security bulletin this week, covering patches for over 80 vulnerabilities across its products. However, two of them had already been used by attackers before patches were released.
One vulnerability affects all supported versions of Outlook for Windows and allows attackers to steal Net-NTLMv2 hashes and then use them in NTLM (New Technology LAN Manager) relay attacks against other systems. The second allows attackers to bypass Microsoft SmartScreen, a technology built into Windows that performs checks on files downloaded from the internet through browsers.
NTLM hash-stealing flaw exploited by Russian state-sponsored APT
The Outlook vulnerability, tracked as CVE-2023-23397, is described by Microsoft as an elevation of privilege and is rated critical (9.8 out of 10 on the CVSS scale). Unlike remote code execution vulnerabilities, EoP vulnerabilities are rarely critical because they can't typically be exploited remotely and the attacker already needs to have some lower privileges on the system.
However, this flaw can be exploited by remote attackers without much effort. According to Microsoft's description, “the attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client.” Even worse, the email doesn't have to be opened, clicked on, or previewed by the user — simply receiving it is enough, because the flaw is located in Outlook's code to process it on arrival.
More specifically, an attacker would craft the message with an extended Messaging Application Programming Interface (MAPI) property that contains a UNC path to a remote SMB (TCP 445) share hosted on an attacker-controlled server. Server Message Block (SMB) is a file, network, and printer-sharing protocol widely used inside Windows networks that also supports inter-process communication.
The authentication used with SMB is NTLM and every time a Windows computer tries to access a remote resource over SMB it will send its NTLM hash, a cryptographic representation of its credentials that serves as an authentication token. The theft of NTLM hashes enables a type of attack called NTLM relay or pass-the-hash, where an attacker tricks a computer to send its hash and then passes it to another legitimate service that would accept that authentication.
Ukrainian team, Microsoft discovered the vulnerability
Microsoft credits CERT-UA, the Ukrainian government's Computer Emergency Response Team, as well as its own Microsoft Incident Response and Microsoft Threat Intelligence team with reporting this vulnerability. The company said that a Russia-based threat actor exploited this vulnerability in targeted attacks against government, transportation, energy, and military organisations in Europe. According to reports, that threat actor is STRONTIUM, also known in the security industry as Fancy Bear or APT28. The US government officially attributed Fancy Bear activity to a unit called Unit 26165 inside Russia's military intelligence agency, the GRU.
In addition to patching their Outlook clients on Windows systems, organisations can also block outgoing traffic from their networks on TCP port 445/SMB and can disable the WebClient service on their computers, which would prevent WebDAV attacks. Additionally, Microsoft recommends adding high-privileged accounts such as domain administrators or other sensitive accounts to the Protected Users Security Group. Doing this will prevent these users from using NTLM as an authentication mechanism.
The Microsoft Exchange team has separately developed a script that can be used by Exchange Server or Exchange Online administrators to determine if any of their users have been targeted with malicious emails that tried to exploit this vulnerability.
“Based on the simplicity by which this vulnerability can be exploited, we believe it’s only a matter of time before it is adopted into the playbooks of other threat actors, including ransomware groups and their affiliates,” Satnam Narang, senior staff research engineer at security firm Tenable, told CSO. “We anticipate CVE-2023-23397 to become one of the top vulnerabilities of 2023.” Researchers from security firm MDSec have already created a proof-of-concept exploit, which means that the exploit can easily spread to less sophisticated groups than government-sponsored APTs.
SmartScreen bypass vulnerability also patched
The second zero-day vulnerability patched during Patch Tuesday is tracked as CVE-2023-24880 and was reported to Microsoft in February by members of Google's Threat Analysis Group, which found it exploited by the group behind a ransomware program called Magniber.
The vulnerability allows attackers to create files that would bypass the security warning dialog displayed by Windows when users try to open an untrusted file downloaded from the internet. Windows automatically flags such files with a Mark-of-the-Web (MotW), which is Alternate Data Stream (ADS) inside the NTFS stream of a file when it's saved locally. NTFS is the default file system used by Windows. This ADS is called the ZoneId and if it has a value of 3 the file was downloaded from the internet and is checked by SmartScreen.
SmartScreen is a cloud-enabled anti-phishing and anti-malware technology that started out in Internet Explorer and Edge but has been built by default in Windows starting with Windows 8. It is specifically designed to check the reputation of files that have a Mark-of-the-Web.
According to Google TAG, the Magniber attackers exploited the vulnerability by using MSI (Microsoft Installer) files signed with an invalid but specially crafted Authenticode signature. The malformed signatures force SmartScreen to return an error and bypass the security warning. “TAG has observed over 100,000 downloads of the malicious MSI files since January 2023, with over 80% to users in Europe — a notable divergence from Magniber’s typical targeting, which usually focuses on South Korea and Taiwan,” Google TAG said.
SmartScreen bypass likely to be used by bad actors
Other groups will likely adopt this SmartScreen bypass in their malware distribution campaigns as this has happened before. Back in September, the Magniber ransomware was delivered using JScript files with an attached Authenticode signature. Normally such signatures are not for JScript files, but for executables, but the researchers realised that they were attached to the JScript files to corrupt SmartScreen and bypass its security checks.
Other threat actors later started to use the same technique and bypass to spread the Qakbot malware, suggesting both the Magniber and Qakbot attackers purchased the bypass from the same source. Microsoft eventually patched that vulnerability in December 2022 as CVE-2022-44698, but it seems that the patch for CVE-2022-44698 did not cover all exploit variants.
“This security bypass is an example of a larger trend Project Zero has highlighted previously: vendors often release narrow patches, creating an opportunity for attackers to iterate and discover new variants,” the Google TAG members said. “When patching a security issue, there is tension between a localised, reliable fix, and a potentially harder fix of the underlying root cause issue. Because the root cause behind the SmartScreen security bypass was not addressed, the attackers were able to quickly identify a different variant of the original bug.”