keypoints
August 23, 2024

CVE-2023-23397. The Exploit That Keeps on Exploiting

APT28 actors have been exploiting CVE-2023-23397, a critical elevation of privilege vulnerability in Microsoft Outlook on Windows, to facilitate NTLMv2 credential leaks. This vulnerability, which was a zero-day at the time of its initial exploitation by APT28 in early 2022, allows Net-NTLMv2 hashes to be leaked to actor-controlled infrastructure.

NTLMv2 Credential Harvesting

To exploit CVE-2023-23397 and harvest NTLMv2 credentials, APT28 actors have been using two publicly available tools:

📌 ntlmrelayx.py: This tool is part of the Impacket suite, a collection of Python classes for working with network protocols. APT28 actors have used ntlmrelayx.py to execute NTLM relay attacks [T1557] and facilitate the leakage of NTLMv2 credentials.

📌 Responder: Responder is a tool designed to capture and relay NTLMv2 hashes by setting up a rogue authentication server [T1556]. APT28 actors have installed Responder on compromised Ubiquiti EdgeRouters to collect NTLMv2 credentials from targeted Outlook accounts.

The FBI has collected evidence of APT28's CVE-2023-23397 exploitation activity on numerous compromised EdgeRouters.

Logging and Detection

📌 When running with its default configuration, Responder logs its activity to the following files:

📌 Responder-Session.log

📌 Responder.db

Network defenders and users can search for these log files, as well as the presence of ntlmrelayx.py and Responder tooling, on EdgeRouters to identify potential APT28 activity related to the exploitation of CVE-2023-23397.
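As an added example that is not part of the original write-up, the following POSIX shell script implements the artifact search described above: it walks a filesystem root (the live router's "/", or a mounted image of an EdgeRouter's storage) for Responder's default log files and for the tool scripts themselves, and returns a non-zero status when anything is found so it can be scheduled. Responder.py as the tool's entry-point filename is an assumption not stated on the page.

```shell
#!/bin/sh
# Added example (not from the original advisory): hunt for Responder / ntlmrelayx
# artifacts on an EdgeRouter. Responder-Session.log, Responder.db and ntlmrelayx.py
# are the names given on the page; Responder.py is an assumed default entry point.
NTLM_TOOLING_NAMES='Responder-Session.log Responder.db Responder.py ntlmrelayx.py'

# Print every regular file under $1 (default "/") whose basename matches one of the
# indicator names. -xdev keeps the search on one filesystem so /proc, /sys and mounted
# media are skipped when scanning a live router from "/".
hunt_ntlm_artifacts() {
  root="${1:-/}"
  first=1
  # Build the find expression "-name A -o -name B ..." in the positional parameters;
  # word splitting of NTLM_TOOLING_NAMES is intended here.
  for name in $NTLM_TOOLING_NAMES; do
    if [ "$first" -eq 1 ]; then
      set -- -name "$name"
      first=0
    else
      set -- "$@" -o -name "$name"
    fi
  done
  find "$root" -xdev -type f \( "$@" \) -print 2>/dev/null | sort
}

# Live-host companion check: list the tools if they are running right now. Bracketing
# the first character keeps grep from matching its own command line.
hunt_ntlm_processes() {
  ps -ef 2>/dev/null | grep -E '[R]esponder\.py|[n]tlmrelayx' || true
}

# Wrapper for automation: prints the hits with a verdict line and returns 1 when any
# indicator is present, 0 when the scanned tree looks clean.
edgerouter_ntlm_check() {
  root="${1:-/}"
  hits=$(hunt_ntlm_artifacts "$root")
  if [ -n "$hits" ]; then
    printf 'SUSPECT: NTLM relay tooling artifacts found under %s\n%s\n' "$root" "$hits"
    return 1
  fi
  printf 'CLEAN: no Responder/ntlmrelayx artifacts under %s\n' "$root"
  return 0
}

# Usage on a live router (run as root): edgerouter_ntlm_check / ; hunt_ntlm_processes
```

A hit only shows that the tooling or its logs are present; the surrounding file timestamps, owning user and any entries in Responder-Session.log are what the investigation should collect next.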

Mitigation and Investigation

To mitigate the risk of CVE-2023-23397 exploitation and NTLMv2 credential leaks, network defenders and users should take the following steps:

📌 Apply the Microsoft patch: Microsoft has released a patch to address CVE-2023-23397. Ensure that all Outlook installations are updated with the latest security updates.

📌 Scan for compromised EdgeRouters: Use the provided information to scan EdgeRouters for the presence of ntlmrelayx.py, Responder, and their associated log files. Identify and isolate any compromised routers for further investigation.

📌 Reset compromised credentials: If NTLMv2 credential leaks are detected, reset the affected user accounts and implement additional security measures, such as multi-factor authentication.

📌 Implement recommended mitigation: Follow the recommended mitigation for compromised EdgeRouters, including performing a hardware factory reset, upgrading to the latest firmware version, and changing default usernames and passwords.