Fighting Ursa Aka APT28: Illuminating a Covert Campaign
In three campaigns over the past 20 months, Russian APT Fighting Ursa has targeted over 30 organizations of likely strategic intelligence value using CVE-2023-23397.
BlueDelta Exploits Ukrainian Government Roundcube Mail Servers to Support Espionage Activities | Recorded Future
Recorded Future's Insikt Group, in partnership with Ukraine's Computer Emergency Response Team (CERT-UA), has uncovered a campaign targeting high-profile entities in Ukraine that was cross-correlated with a spearphishing campaign uncovered by Recorded Future’s Network Traffic Intelligence. The campaign leveraged news about Russia’s war against Ukraine to encourage recipients to open emails, which immediately compromised vulnerable Roundcube servers (an open-source webmail software), using CVE-2020-35730, without engaging with the attachment. We found that the campaign overlaps with historic BlueDelta activity exploiting the Microsoft Outlook zero-day vulnerability CVE-2023-23397 in 2022.
Analysis of In-the-wild Attack Samples Exploiting Outlook Privilege Escalation Vulnerability
QiAnXin Threat Intelligence Center's RedDrip team tracked the relevant events and discovered a batch of attack samples exploiting the CVE-2023-23397 vulnerability. After analyzing these samples and C2 servers, we believe that the exploitation of this vulnerability in the wild has been ongoing since March 2022. In the later stages of the attack, the attackers used Ubiquiti-EdgeRouter routers as C2 servers, and the victims of the attack activity were from multiple countries.
Guidance for investigating attacks using CVE-2023-23397
This guide provides steps organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2023-23397.
Everything We Know About CVE-2023-23397
Huntress is tracking CVE-2023-23397, a 0-day that impacts Microsoft Outlook and requires no user interaction to expose user credential hashes.
Microsoft patches zero-days used by state-sponsored and ransomware threat actors (CVE-2023-23397, CVE-2023-24880)
For March 2023 Patch Tuesday Microsoft has fixed 2 vulnerabilities actively exploited in the wild (CVE-2023-23397, CVE-2023-24880).
Analysis of In-the-wild Attack Samples Exploiting Outlook Privilege Escalation Vulnerability
QiAnXin Threat Intelligence Center's RedDrip team tracked the relevant events and discovered a batch of attack samples exploiting the CVE-2023-23397 vulnerability. After analyzing these samples and C2 servers, we believe that the exploitation of this vulnerability in the wild has been ongoing since March 2022. In the later stages of the attack, the attackers used Ubiquiti-EdgeRouter routers as C2 servers, and the victims of the attack activity were from multiple countries.
Guidance for investigating attacks using CVE-2023-23397
This guide provides steps organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2023-23397.
Everything We Know About CVE-2023-23397
Huntress is tracking CVE-2023-23397, a 0-day that impacts Microsoft Outlook and requires no user interaction to expose user credential hashes.
Microsoft patches zero-days used by state-sponsored and ransomware threat actors (CVE-2023-23397, CVE-2023-24880)
For March 2023 Patch Tuesday Microsoft has fixed 2 vulnerabilities actively exploited in the wild (CVE-2023-23397, CVE-2023-24880).