Update to yesterday’s Patch Tuesday Bulletin:
This is an evolving situation: attackers are expanding their use of this vulnerability and refining their understanding of what it allows.
Spotit SOC is actively developing detection criteria and monitoring relevant network traffic for any signs of exploitation attempts.
This vulnerability is exploited via e-mail to Outlook clients on Windows PCs: a crafted message (calendar invite, task or mail item) carries a reminder whose sound-file property points to an attacker-controlled UNC path, and when Outlook processes the reminder it authenticates to that path without any user interaction. Microsoft has released patches for Outlook 2013, 2016, 2019 and Microsoft 365 (aka O365). Outlook 2010 is out of support, is likely also vulnerable and will not be patched. The result is that the attacker obtains the user's Net-NTLMv2 response, which can be relayed to other services on the network that accept NTLM authentication or cracked offline to recover the password.
Microsoft's recommendation of blocking outbound TCP 445/SMB looks insufficient on its own: a researcher has confirmed that the connection falls back to WebDAV over HTTP (a UNC path of the form \\host@80\share is handled by the Windows WebClient service) when SMB is unavailable, so outbound HTTP from clients with the WebClient service running also needs to be considered.
Microsoft has released an audit script to check for CVE-2023-23397 payloads in Exchange here. The script searches mailboxes (on-premises and Exchange Online) for items that carry the PidLidReminderFileParameter property the exploit abuses, so it can be used to find messages that were delivered before the patch was applied.
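As an added illustration (this is not Microsoft's audit script and not Spotit's detection content), the following Python classifies reminder-file paths taken from a constructed set of mailbox items and flags those pointing at hosts outside the organisation. It assumes the items have already been exported into a list of dicts holding the PidLidReminderFileParameter value; the trusted domain suffix `.corp.example`, the host names and all sample items are constructed for the example. It also shows why a 445-only block is insufficient: a UNC path with an `@80` (or `@SSL`) authority is served by the WebClient service over HTTP, not SMB.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed: domain suffixes considered internal for this example.
TRUSTED_SUFFIXES = (".corp.example",)


def classify_reminder_path(value):
    """Return (kind, host) for a PidLidReminderFileParameter value.

    kind is one of: empty, local, unc-smb, unc-webdav, url, unknown.
    host is the lower-cased target host for network kinds, else None.
    """
    value = (value or "").strip()
    if not value:
        return ("empty", None)
    if value.startswith("\\\\"):
        # UNC path: \\authority\share\... ; the authority may carry
        # @port or @SSL markers, which Windows routes to WebDAV instead of SMB.
        authority = value[2:].split("\\", 1)[0]
        parts = authority.split("@")
        host = parts[0].lower()
        if len(parts) > 1:
            return ("unc-webdav", host)
        return ("unc-smb", host)
    parsed = urlparse(value)
    if parsed.scheme in ("http", "https") and parsed.hostname:
        return ("url", parsed.hostname.lower())
    if re.match(r"^[A-Za-z]:\\", value):
        return ("local", None)
    return ("unknown", None)


def is_external(host):
    """True if the host is outside the (constructed) trusted perimeter."""
    if not host or host == "localhost":
        return False
    if host.endswith(TRUSTED_SUFFIXES):
        return False
    try:
        addr = ip_address(host)
    except ValueError:
        # Simplification: single-label names resolve on the intranet,
        # anything with a dot that is not a trusted suffix is external.
        return "." in host
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def audit_items(items):
    """Return findings for items whose reminder path reaches an external host.

    blocked_by_445_only records whether an outbound TCP 445 block alone
    would have stopped the connection (only true for plain SMB UNC paths).
    """
    findings = []
    for item in items:
        kind, host = classify_reminder_path(item.get("reminder_file_parameter"))
        if kind in ("unc-smb", "unc-webdav", "url") and is_external(host):
            findings.append({
                "subject": item["subject"],
                "kind": kind,
                "host": host,
                "blocked_by_445_only": kind == "unc-smb",
            })
    return findings


# Constructed sample export: subject plus PidLidReminderFileParameter value.
SAMPLE_ITEMS = [
    {"subject": "Team sync", "reminder_file_parameter": r"C:\Windows\Media\Alarm01.wav"},
    {"subject": "Project review", "reminder_file_parameter": r"\\fileserver.corp.example\share\ding.wav"},
    {"subject": "Invoice overdue", "reminder_file_parameter": r"\\files.evil.example\share\a.wav"},
    {"subject": "Urgent: action required", "reminder_file_parameter": r"\\files.evil.example@80\share\a.wav"},
    {"subject": "Quarterly planning", "reminder_file_parameter": r"\\10.0.0.5\share\a.wav"},
    {"subject": "Follow-up", "reminder_file_parameter": ""},
]

if __name__ == "__main__":
    for finding in audit_items(SAMPLE_ITEMS):
        print(finding)
```

Running it flags only the two items pointing at `files.evil.example`; the SMB variant would have been stopped by an outbound 445 block, the `@80` variant would not, which is the gap the WebDAV fallback opens.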
Our advice remains to prioritise patching affected Outlook versions immediately.