CVE-2023-23397. The Exploit That Keeps on Exploiting

APT28 actors have been exploiting CVE-2023-23397, a critical elevation of privilege vulnerability in Microsoft Outlook on Windows, to leak NTLMv2 credentials. This vulnerability, which was a zero-day at the time of its initial exploitation by APT28 in early 2022, allows Net-NTLMv2 hashes to be leaked to actor-controlled infrastructure: a crafted calendar or task item carries a reminder property that points at a UNC path on an attacker-controlled server, and when the reminder fires Outlook authenticates to that server over SMB with the user's Net-NTLMv2 response, with no user interaction required. What leaks is not the password itself but a challenge/response pair, which the actor can relay to other services or crack offline.

NTLMv2 Credential Harvesting

To exploit CVE-2023-23397 and harvest NTLMv2 credentials, APT28 actors have been using two publicly available tools:

📌 ntlmrelayx.py: This tool is part of the Impacket suite, a collection of Python classes for working with network protocols. It accepts an incoming NTLM authentication and relays it to another service (SMB, LDAP, HTTP and others) rather than merely recording the hash, so a single leaked Outlook authentication can be turned into access to a target server wherever that target does not enforce SMB signing or channel binding. APT28 actors have used ntlmrelayx.py to execute NTLM relay attacks [T1557] and facilitate the leakage of NTLMv2 credentials.

📌 Responder: Responder is a tool designed to capture NTLMv2 hashes by setting up rogue authentication servers [T1556] (SMB, HTTP and other listeners); its companion MultiRelay script can relay them. Each client's Net-NTLMv2 challenge/response is written to Responder's logs for offline cracking. APT28 actors have installed Responder on compromised Ubiquiti EdgeRouters to collect NTLMv2 credentials from targeted Outlook accounts.

The FBI has collected evidence of APT28's CVE-2023-23397 exploitation activity on numerous compromised EdgeRouters.

Logging and Detection

When run with its default configuration, Responder logs its activity to the following files under its installation directory:

📌 Responder-Session.log (in the logs/ subdirectory, alongside per-client hash files such as SMB-NTLMv2-SSP-<client IP>.txt)

📌 Responder.db (a SQLite database of captured credentials)

An operator can move or rename these files, so their absence does not clear a router; their presence is strong evidence of credential capture.

Network defenders and users can search for these log files, as well as for the presence of ntlmrelayx.py and Responder tooling, on EdgeRouters to identify potential APT28 activity related to the exploitation of CVE-2023-23397.

Mitigation and Investigation

To mitigate the risk of CVE-2023-23397 exploitation and NTLMv2 credential leaks, network defenders and users should take the following steps:

📌 Apply the Microsoft patch: Microsoft has released a patch to address CVE-2023-23397. Ensure that all Outlook installations are updated with the latest security updates. Because the leak is triggered by an item already sitting in the mailbox, patching alone does not remove payloads that were delivered earlier: Microsoft also published a script that audits Exchange mailboxes for items carrying the malicious reminder property. Blocking outbound TCP 445 at the perimeter and adding high-value accounts to the Protected Users group further limit what a leaked authentication is worth.

📌 Scan for compromised EdgeRouters: Use the provided information to scan EdgeRouters for the presence of ntlmrelayx.py, Responder, and their associated log files. Identify and isolate any compromised routers for further investigation.

📌 Reset compromised credentials: If NTLMv2 credential leaks are detected, reset the passwords of the affected user accounts (a captured Net-NTLMv2 response stays usable for relay or offline cracking until the password changes) and implement additional security measures, such as multi-factor authentication.

📌 Implement recommended mitigation: Follow the recommended mitigation for compromised EdgeRouters, including performing a hardware factory reset, upgrading to the latest firmware version, and changing default usernames and passwords.
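The artifact search from the Logging and Detection section and the scan and reset steps above, as one added shell example. It is not code from the advisory, from the Responder project or from Impacket. It looks for the file names named on this page under a chosen root (on an EdgeRouter that would be "/"), checks for the tools still running, and pulls the account names out of a Responder-Session.log so the password-reset list comes straight from the evidence. The directory layout, file contents and log lines are constructed for the demonstration; the line shape is modelled on Responder's session log and must be confirmed against a real file before being relied on.

```shell
#!/bin/sh
# Added example, not from the advisory, Responder or Impacket.
# Assumptions: the artifact file names are those listed on this page; the
# session-log line layout below is constructed to resemble Responder's output.

# List every regular file under $1 whose name matches a known tool or log artifact.
find_apt28_artifacts() {
    root="${1:-/}"
    find "$root" -xdev -type f \( -name 'Responder-Session.log' \
        -o -name 'Responder.db' \
        -o -name 'Responder.py' \
        -o -name 'ntlmrelayx.py' \) 2>/dev/null | sort
}

# Report any Responder or ntlmrelayx process still running on the box.
# The bracketed first character keeps grep from matching its own command line.
running_tools() {
    ps -ef 2>/dev/null | grep -E '[Rr]esponder\.py|[n]tlmrelayx' || true
}

# Unique DOMAIN\user values from "NTLMv2-SSP Username" lines of the given
# session logs; these are the accounts whose passwords must be reset.
captured_users() {
    grep -h 'NTLMv2-SSP Username' "$@" 2>/dev/null \
        | sed 's/.*Username[[:space:]]*:[[:space:]]*//' \
        | sort -u
}

# --- demonstration on a constructed directory tree (not real router data) ---
demo_root="$(mktemp -d)"
mkdir -p "$demo_root/opt/Responder/logs" "$demo_root/opt/impacket/examples"
: > "$demo_root/opt/Responder/Responder.py"
: > "$demo_root/opt/Responder/Responder.db"
: > "$demo_root/opt/impacket/examples/ntlmrelayx.py"
# Constructed sample lines shaped like a Responder session log; the hash is fake.
cat > "$demo_root/opt/Responder/logs/Responder-Session.log" <<'EOF'
03/04/2024 09:12:01 AM - [*] [SMB] NTLMv2-SSP Client   : 10.10.20.15
03/04/2024 09:12:01 AM - [*] [SMB] NTLMv2-SSP Username : CORP\alice
03/04/2024 09:12:01 AM - [*] [SMB] NTLMv2-SSP Hash     : alice::CORP:1122334455667788:0f1e2d3c4b5a69788796a5b4c3d2e1f0:0101000000000000
03/04/2024 09:15:43 AM - [*] [SMB] NTLMv2-SSP Client   : 10.10.20.15
03/04/2024 09:15:43 AM - [*] [SMB] NTLMv2-SSP Username : CORP\alice
03/04/2024 09:31:07 AM - [*] [SMB] NTLMv2-SSP Username : CORP\bob
EOF

echo "artifacts under $demo_root:"
find_apt28_artifacts "$demo_root"
echo "tool processes running:"
running_tools
echo "accounts to reset:"
captured_users "$demo_root/opt/Responder/logs/Responder-Session.log"
# rm -rf "$demo_root"   # remove the constructed tree when finished
```

On a real router run `find_apt28_artifacts /` as root; the `-xdev` flag keeps the search on the root filesystem, so mounted media or a USB stick holding the tools must be searched separately. Feed every session log found into `captured_users` and reset each listed account before the captured responses are relayed or cracked.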

