Risk Advisory: Microsoft Outlook Elevation of Privilege Vulnerability

Thursday, 16 March, 2023

Microsoft Outlook

Cydea’s risk advisories are intended for senior management to aid their understanding of current events and the cyber risk posed to their organisations.

Your IT team should install the patches for Microsoft Office released by Microsoft on Tuesday the 14th of March.

What has happened?

If your organisation uses Microsoft Outlook as your email client then you may be vulnerable to a new critical vulnerability which Microsoft disclosed on the 14th of March 2023. The vulnerability is exploited when any user receives a malicious email and it is downloaded by the Outlook application; the user does not need to open or interact with the email.

The vulnerability has been exploited by a suspected Russian-based threat actor in targeted attacks against European government, transport, energy and military sectors. It was reported to Microsoft by the Ukrainian Computer Emergency Response Team.

The issue only affects Outlook running on Microsoft Windows. It does not affect those using the Outlook apps on Android, iOS or macOS. It applies to organisations using either on-premises Microsoft Exchange or cloud-based Microsoft 365 for their email.

Exploiting the vulnerability allows an attacker to capture a user’s hashed password, which can then be used to access all of the user’s Microsoft resources. The vulnerability is tracked as CVE-2023-23397, is scored 9.8 out of 10 and is rated as critical.

Microsoft has now released patches and mitigation techniques for this vulnerability. If your organisation is later attacked through it and you have not taken action, you may find that your cyber insurance provides less cover, or that you are exposed to increased regulatory fines. The National Cyber Security Centre recommends that critical updates such as this be applied within 14 days.

What is the risk?

Once the user’s hashed password has been compromised, the attackers can reuse this to authenticate themselves as that user for other services that are authenticated using their Microsoft Windows credentials. This may allow them to steal data from company email or file systems and use their access to install ‘backdoor’ remote access.

The actors appear to be motivated by gathering data for espionage purposes. These covert intentions limit the consequences of this risk, though the risk is evolving as cybercriminals investigate the use of the vulnerability (see ‘How may it evolve?’ below).

Source:

  • State sponsored (suspected to be Russian-linked)

Risk events:

  • System Intrusion (Ability to install additional malware, Ransomware, etc)
  • Information Breach (Unauthorised access to systems; Unauthorised access to information)

Consequences:

  • Financial (Unplanned response costs)
  • Operations (Business disruption, service disruption)

How may it evolve?

Because the attack is simple, it is likely that similar exploits will be developed using the same principles and, once this exploit is publicly available, that it will be used extensively. Although the initial targets were European government and critical infrastructure providers, we expect cyber criminals will be far less targeted in their approach and will send malicious emails to as many organisations as possible in the hope of finding those who are vulnerable.

Source:

  • Criminal

Risk events:

  • System Intrusion (Ability to install additional malware, Ransomware, etc)
  • Information Breach (Unauthorised access to systems; Unauthorised access to information)

Consequences:

  • Financial (unplanned costs; theft of money; theft of data)
  • Compliance (regulatory fines)
  • Operations (business disruption; other harms)
  • Strategic (damaged reputation; embarrassing reporting)

What action is required?

For all organisations that use Microsoft Outlook, whether with on-premises Exchange or cloud with Microsoft 365, please confirm that your IT team has taken the following steps:

  1. Install the patches released Tuesday the 14th of March 2023.

  2. Consider, especially if you are unable to patch promptly, implementing further technical mitigations, such as:

    a) blocking TCP 445/SMB outbound on your firewall
    b) adding high-value accounts (like administrator, finance, and executive team members) to the ‘Protected Users’ security group

  3. Run the script from Microsoft to identify malicious emails if you believe that you may have been targeted, or if you wish to confirm whether you have been compromised. Microsoft has also released guidance for security teams investigating potential compromise.
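As an added illustration for your IT team (this is not Microsoft’s or Cydea’s code), the following PowerShell applies and then verifies the two interim mitigations in step 2 on a domain-joined Windows estate. It assumes it is run as an administrator, that the ActiveDirectory module is available, and that the three account names are placeholders to be replaced with your own high-value accounts.

```powershell
# Added example, not from Microsoft or Cydea. Assumes: elevated session,
# ActiveDirectory module present, placeholder account names replaced.

# 2a) Block outbound SMB (TCP 445) to the internet. The exploit relies on
#     Outlook authenticating to an attacker-controlled SMB server, so cutting
#     that outbound path stops the hashed password leaving the network.
#     'Internet' is the documented -RemoteAddress keyword; it keeps internal
#     file shares working, but test against your own file-server access.
$ruleName = 'Block outbound SMB (TCP 445) - CVE-2023-23397 mitigation'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}
# Verify: the rule should be listed as Enabled=True, Direction=Outbound, Action=Block.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action

# 2b) Add high-value accounts to 'Protected Users'. Members of this group
#     cannot authenticate with NTLM, which is the mechanism whose hashed
#     password this vulnerability exposes, so a captured hash is far less useful.
Import-Module ActiveDirectory
$highValueAccounts = @('admin-placeholder', 'finance-placeholder', 'exec-placeholder')  # placeholders
foreach ($sam in $highValueAccounts) {
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Add-ADGroupMember -Identity 'Protected Users' -Members $sam
    } else {
        Write-Warning "Account '$sam' not found; skipping."
    }
}
# Verify: each account you added should appear in the membership list.
Get-ADGroupMember -Identity 'Protected Users' | Select-Object SamAccountName
```

Protected Users also disables credential caching and weaker Kerberos encryption for its members, so confirm that the accounts you add are not used for services that depend on those features before rolling this out broadly.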

For further information or assistance in understanding or measuring this risk to your organisation please contact us for a session with one of our cyber risk consultants.

Cydea uses the Open Information Security Risk Universe (OISRU) as a framework and taxonomy for describing information security risks independently of models or methods of analysing risks. Find out more about our contribution to the project on our cydea.tools site.