Severity
Medium
Analysis Summary
Researchers have discovered that a now-patched vulnerability in Microsoft Outlook could be abused by threat actors to gain access to NT LAN Manager (NTLM) v2 hashed passwords when the victim opens a specially crafted file.
The security flaw is tracked as CVE-2023-35636 and was patched as part of Microsoft’s Patch Tuesday updates for December 2023. In a phishing scenario, a threat actor could exploit the vulnerability by sending a specially crafted file to the targeted user and convincing the user to open it. In a web-based scenario, a threat actor could host a website, or use a compromised website, that contains a specially crafted file designed to abuse the flaw. In simpler words, the attacker would have to trick users into clicking a link embedded in a phishing email or sent through an instant messaging service, and then deceive them into opening the file in question.
CVE-2023-35636 lies in the calendar-sharing function of the Outlook email app: a malicious email message is crafted by adding two headers, “Content-Class” and “x-sharing-config-url”, with specific values so that the victim’s NTLM hash is exposed during authentication. Security researchers also said that NTLM hashes could be leaked by taking advantage of Windows Performance Analyzer (WPA) and Windows File Explorer; both of these attack methods remain unpatched.
Interestingly, WPA attempts to authenticate using NTLM v2 over the open web. Normally, NTLM v2 should only be used when authenticating against internal, IP address-based services; an NTLM v2 hash that passes over the open internet becomes vulnerable to offline brute-force attacks.
Microsoft announced in October 2023 that it plans to discontinue NTLM in Windows 11 and rely on Kerberos instead for better security, since NTLM does not support current cryptographic methods and is vulnerable to relay attacks.
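A mail-gateway triage check for the header pair described above, added here as an example and not taken from the advisory or from the researchers' work: it holds any message that carries both “Content-Class” and “x-sharing-config-url” when the configured URL points outside an allow-list of trusted sharing hosts. The trusted host set, the sample messages and the header values in them are constructed assumptions; the advisory does not publish the attacker-side values.

```python
import ipaddress
from email import message_from_string
from email.policy import default
from typing import Optional
from urllib.parse import urlparse

# The two headers named in the advisory. The check keys on their presence
# together and on where x-sharing-config-url points, not on exact values.
CLASS_HEADER = "Content-Class"
SHARING_HEADER = "x-sharing-config-url"

# Assumption: hosts from which calendar-sharing config legitimately comes.
TRUSTED_SHARING_HOSTS = {"mail.corp.example"}


def is_external_host(host: str) -> bool:
    """True unless host is allow-listed or a private/loopback IP address.
    Names that are not IP literals and not allow-listed count as external."""
    if host.lower() in TRUSTED_SHARING_HOSTS:
        return False
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True


def sharing_config_url(raw_message: str) -> Optional[str]:
    """Return the x-sharing-config-url value when BOTH headers are present."""
    msg = message_from_string(raw_message, policy=default)
    if msg.get(CLASS_HEADER) is None or msg.get(SHARING_HEADER) is None:
        return None
    return str(msg[SHARING_HEADER]).strip()


def flag_message(raw_message: str) -> bool:
    """True when the message should be held: header pair present and the
    config URL targets an external host or cannot be parsed at all."""
    url = sharing_config_url(raw_message)
    if url is None:
        return False
    host = urlparse(url).hostname
    return True if host is None else is_external_host(host)


# Constructed sample (not a real capture) exercising the external-host case.
EXTERNAL_SAMPLE = (
    "From: sender@example.net\r\nSubject: Shared calendar\r\n"
    "Content-Class: constructed-sample-value\r\n"
    "x-sharing-config-url: http://sharing.attacker.example/cfg\r\n"
    "\r\nPlease open the attached calendar.\r\n"
)
```

Run it over the gateway's quarantine feed rather than the mailbox, so the NTLM exchange never starts; a hit is worth correlating with outbound SMB or HTTP authentication attempts from the client.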
Impact
- Information Disclosure
- Credential Theft
Indicators of Compromise
CVE
CVE-2023-35636
Remediation
- Use Microsoft Automatic Update to apply the appropriate patch for your system, or the Microsoft Security Update Guide to search for available patches.
- Beware of phishing emails and do not click on links if the sender is unknown.
- Organizations must test their assets for the aforementioned vulnerabilities and apply the available security patches or mitigation steps as soon as possible.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.