Microsoft is urging Outlook users to update their software, reset passwords and enable MFA as unpatched systems are targeted.
Microsoft – which recently thwarted one of the largest DDoS attacks ever recorded – has issued a warning this week advising all Outlook users to update their software immediately, after observing a nation-state threat actor actively exploiting a known vulnerability to target Exchange users.
Microsoft saw its Outlook services taken offline by the now-notorious hacking group Anonymous Sudan as recently as last month; that group, also thought to be linked to the Russian state, has targeted the tech giant on multiple occasions this year.
The fact that a patch for the vulnerability being exploited (as well as for its bypass) has been available for months – yet the flaw is still being used to break into systems – is a telling reminder of the importance of installing security updates.
Outlook Bug Being Exploited En Masse
Microsoft “has identified a nation-state activity group tracked as Forest Blizzard… based in Russia, actively exploiting CVE-2023-23397 to provide secret, unauthorized access to email accounts within Exchange servers,” a security blog post published by the company this week reads.
According to Microsoft, the threat actor’s primary targets include government, energy, and transportation organizations, as well as some companies and entities based in the United States, Europe, and the Middle East that aren’t directly affiliated with state governments.
The company says it’s currently working with the Polish Cyber Command division to take action against the threat actors.
Microsoft also revealed evidence that the Russian Federation’s military intelligence agency, the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), is behind the attacks. Microsoft tracks this group’s activity as “Forest Blizzard”; the group is also known as “Fancy Bear” or “APT28”.
Hackers Exploiting Already-Patched Vulnerability
As detailed on the company’s security blog, Microsoft initially patched this flaw (CVE-2023-23397) back in March 2023, after discovering it as a zero-day thought to have been actively exploited since April 2022.
However, a bypass was discovered in May 2023 (CVE-2023-29324) which in turn forced Microsoft to release yet another patch to stop the onslaught of zero-click attacks.
Unfortunately, because the updates patching these flaws only help once companies and organizations install them – and not all of them have – both vulnerabilities are still being used by hackers to steal sensitive information from Outlook servers.
Microsoft’s Advice: Update Now
Along with this week’s update on precisely how this exploit is being used by hackers to target organizations across the Middle East, Europe, and the United States, Microsoft also highlighted a raft of security measures that businesses should be implementing to protect themselves.
The key advice is to ensure that the latest Microsoft Outlook security updates are applied. This advice should be heeded wherever your mail is hosted, the company says, be it Exchange Online, Exchange Server, or another platform.
In addition, Microsoft provides a script you can run to check whether your business’s servers have been targeted by one of these attacks. If you find that members of your organization have been targeted, reset the passwords of any accounts that received suspicious reminders.
Microsoft also advises that businesses implement multi-factor authentication wherever possible. The full list of recommended security implementations is included in the blog post referenced earlier in this article.