
Fancy Bear Exploits Outlook Flaw to Hijack Microsoft Exchange

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

The flaw, CVE-2023-23397 (CVSS score 9.8), when successfully exploited allows hackers to access targets' email accounts to retrieve "high-value information", revealed Polish Cyber Command, which partnered with Microsoft in this investigation.

The investigation further revealed that the vulnerability can be exploited, without any user interaction, by sending a specially crafted message to the victim. "The user does not need to interact with the message: if Outlook on Windows is open when the reminder is triggered, it allows exploitation," Microsoft said.

The flaw not only allows the theft of sensitive information, but also allows hackers to steal NTLMv2 hashes, thus granting system privileges. Using owner privileges, APT28 changed mailbox folder permissions and initiated lateral movement in the compromised environment, not only to steal information but also to target other members of the same organization.

The flaw affects all versions of Outlook for Windows. Outlook for Android, iOS and Mac are not affected, nor are users who access Outlook on the web (OWA) without using the Outlook desktop client. According to the tech giant, APT28 is believed to have been exploiting this vulnerability since April 2022.

Later, in March 2023, Microsoft identified this critical elevation-of-privilege vulnerability in Outlook on Windows and issued patches for the zero-day bug.

The company also revealed the other publicly known vulnerabilities exploited by APT28, such as the WinRAR flaw CVE-2023-38831 and the MSHTML remote code execution flaw CVE-2021-40444.

Microsoft urged all users to apply the latest available security updates, reset passwords of compromised accounts, and enable multi-factor authentication (MFA) for all users.


Okta Says October 2023 Data Breach Impacts All Customer Support Users

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

Okta's ongoing investigation into the October Help Center breach revealed that hackers had stolen information on all customer support system users, rather than the previously estimated 1 percent.

At the beginning of November, the company disclosed that unknown threat actors had gained access to a limited number of customer support system files, impacting only 134 customers.

However, last week, in an incident update notification, Okta's CSO, David Bradbury, revealed that hackers had accessed the names and email addresses of all Okta support system users.

"All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRamp High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor). The Auth0/CIC support case management system was also not impacted by this incident," revealed Bradbury.

The stolen reports are said to contain fields for names, emails, phone numbers, addresses, company name, username, SAML Federation ID, login details, and last password change/reset. However, for 99.6% of users listed in the report, the only contact information exposed was their full name and email address. User credentials and sensitive personal data were not part of the stolen data, the company assured.

The notification also revealed that the breach extended to reports and support cases, which included contact information for all Okta certified users and some Okta Customer Identity Cloud (CIC) customers. Data of some employees was also a part of this breach.

While no evidence was found of any misuse of the stolen data, the company believes that customers might be targeted via phishing or social engineering attacks. It is therefore imperative that all Okta customers deploy multi-factor authentication (MFA) and use phishing-resistant authenticators to enhance security.

Okta also said that it had enlisted third-party digital forensics experts to assist in its investigation, and that it would be notifying the impacted customers.