More evidence of Russian intelligence exploiting old Outlook flaw

Cybersecurity researchers have discovered another campaign in which hackers associated with Russia’s military intelligence are exploiting a vulnerability in Microsoft software to target critical entities, including those in NATO member countries.

According to a report by Palo Alto Networks’ Unit 42, the Russian threat actor known as Fancy Bear or APT28 breached Microsoft Outlook over the past two years to spy on at least 30 organizations within 14 nations “that are likely of strategic intelligence value to the Russian government and its military.”

Tracked as CVE-2023-23397, the flaw in Outlook allows hackers to gain unauthorized access to email accounts within Microsoft Exchange servers. Microsoft patched the flaw in the spring.

In the most recent campaign, analyzed by Unit 42 in September and October of this year, the group targeted organizations within NATO member countries as well as entities in Ukraine, Jordan, and the United Arab Emirates.

The targets include ministries, defense and energy facilities, and transportation and telecommunication companies, researchers said. Attackers also aimed for at least one NATO Rapid Deployable Corps, the alliance’s high-readiness commands.

This is the third report this week about Russian hackers exploiting the Microsoft Outlook flaw. The others:

Microsoft and the Polish cybersecurity agency published joint research claiming that Fancy Bear exploited the Outlook vulnerability to gain access to unspecified mailboxes containing “high-value information.”
Proofpoint published a separate report, stating that it observed phishing activity in which APT28 used the Outlook bug in high-volume campaigns to target entities in Europe and North America.

Researchers are urging high-risk organizations to be vigilant about patching Outlook, especially because the Russian hackers continue to exploit CVE-2023-23397 despite the publicity it has received.