Number: AL23-002
Date: March 15, 2023
Audience
This Alert is intended for IT professionals and managers of notified organizations.
Purpose
An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.
Details
On March 14, 2023, Microsoft published advisories highlighting several critical vulnerabilities [1][2]. One of those advisories disclosed CVE-2023-23397, a vulnerability impacting Microsoft Outlook, and noted that it has been exploited in the wild [3][4]. Open source reporting further indicates that this zero-day vulnerability was exploited by sophisticated actors [2].
CVE-2023-23397 allows a threat actor to send a specially crafted email with a malicious payload that causes the victim's Outlook client to automatically connect to a Universal Naming Convention (UNC) location under the actor's control, which captures the user's Net-NTLMv2 password hash [2]. The disclosed credentials could then enable further exploitation [5].
Exploitation can occur before the email is opened or previewed by the user. The Cyber Centre can confirm successful reproduction of a payload invoking the exploit.
Recommended actions
The Cyber Centre recommends patching immediately [6]. If that is not possible, some or all of the following mitigations and actions should be performed as quickly as possible:
- Block TCP 445/SMB outbound from your networks to prevent inadvertent communications to the threat actor resulting from this exploit.
- Add users to the Protected Users Security Group, which prevents the use of NTLM as an authentication mechanism [7].
- Restrict the use of NTLM [8].
- Periodically run a script provided by Microsoft to detect potentially malicious messaging items (mail, calendar and tasks) [9].
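The core check behind the detection described in the last item, written here as an added example rather than the Cyber Centre's or Microsoft's own code: each messaging item's reminder sound path (the PidLidReminderFileParameter property that Microsoft's script inspects) is tested for a UNC location, and any UNC host is flagged, with an extra marker when the host is not in an assumed internal allowlist. The sample items, the internal name suffix and the internal address ranges are constructed for this example.

```python
import ipaddress
import re

# Constructed sample messaging items (not real mail). The reminder_file field
# models the PidLidReminderFileParameter property a crafted item abuses.
SAMPLE_ITEMS = [
    {"subject": "Weekly sync", "reminder_file": None},
    {"subject": "Budget review", "reminder_file": r"C:\Windows\Media\chimes.wav"},
    {"subject": "Project update", "reminder_file": r"\\fileserver.corp.example\sounds\ding.wav"},
    {"subject": "Urgent", "reminder_file": r"\\203.0.113.7\share\reminder.wav"},
    {"subject": "Calendar hold", "reminder_file": r"\\evil.example@80\x\y.wav"},
]

# Assumed internal naming and addressing for this example only.
INTERNAL_SUFFIXES = (".corp.example",)
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]

# \\host\share\... ; also accepts the WebDAV redirector form \\host@port\...
UNC_RE = re.compile(r"^\\\\([^\\@]+)(?:@[^\\]*)?\\")


def unc_host(path):
    """Return the lower-cased host of a UNC path, or None if the path is not UNC."""
    if not path:
        return None
    m = UNC_RE.match(path)
    return m.group(1).lower() if m else None


def is_internal_host(host):
    """True if host is an internal name suffix or an address in an internal range."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host.endswith(INTERNAL_SUFFIXES)
    return any(addr in net for net in INTERNAL_NETWORKS)


def flag_items(items):
    """Return (subject, host, is_external) for every item whose reminder path is UNC."""
    flagged = []
    for item in items:
        host = unc_host(item.get("reminder_file"))
        if host:
            flagged.append((item["subject"], host, not is_internal_host(host)))
    return flagged
```

Any flagged item deserves review; the external marker only orders the triage, since an internal host can also be attacker-controlled.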
Should activity matching the content of this Alert be discovered, recipients are encouraged to report it via the My Cyber Portal, by email (contact@cyber.gc.ca) or by telephone (1-833-CYBER-88 or 1-833-292-3788).