Unveiling the Exploits: Microsoft Outlook and WinRAR Vulnerabilities Exploited by Forest Blizzard

Microsoft revealed on Monday that it had uncovered Kremlin-backed nation-state activity exploiting a now-patched critical security flaw in its Outlook email service, allowing unauthorized access to victims’ accounts on Exchange servers. The intrusions were attributed to a threat actor dubbed Forest Blizzard (formerly Strontium), also known as APT28, BlueDelta, Fancy Bear, and various other aliases.

The vulnerability, CVE-2023-23397, rated at a CVSS score of 9.8, is a critical privilege escalation bug that Microsoft patched in March 2023. It could allow an adversary to obtain a user’s Net-NTLMv2 hash and use it in a relay attack against another service to authenticate as that user.

The Polish Cyber Command (DKWOC) noted that the goal was to obtain unauthorized access to mailboxes belonging to public and private entities in the country. Once inside, Forest Blizzard modified folder permissions within the victim’s mailbox, granting access to authenticated users in the Exchange organization. This modification enabled the threat actor to extract valuable information from high-value targets.

Microsoft had previously disclosed that the vulnerability had been exploited by Russia-based threat actors targeting various sectors across Europe since April 2022. In June 2023, cybersecurity firm Recorded Future detailed a spear-phishing campaign orchestrated by APT28 that exploited vulnerabilities in Roundcube webmail software concurrently with the Microsoft Outlook vulnerability. The National Cybersecurity Agency of France (ANSSI) also attributed attacks to Forest Blizzard, targeting government entities and businesses using various vulnerabilities, including CVE-2023-23397. Forest Blizzard’s activities extended to exploiting the WinRAR flaw (CVE-2023-38831) to steal browser login data.

Furthermore, Proofpoint observed high-volume phishing campaigns in late March and September 2023 that leveraged these vulnerabilities to target organizations in Europe and North America. Despite the patches, Forest Blizzard persists, relying on unpatched systems for continued success.
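The post-exploitation step described above (folder permissions on a compromised mailbox opened up to every authenticated user in the Exchange organization) leaves a trace in the Exchange admin audit log. The following check, an added example rather than code from Microsoft, DKWOC or the article, flags Add-/Set-MailboxFolderPermission records that grant the special "Default" or "Anonymous" principal more than harmless rights; the dictionary field names and the sample records are constructed for this example and simplified relative to real Search-AdminAuditLog output.

```python
from dataclasses import dataclass

# Special principals on a mailbox folder ACL: "Default" means every authenticated
# user in the organization, "Anonymous" means unauthenticated access.
BROAD_PRINCIPALS = {"default", "anonymous"}

# Cmdlets that change folder-level permissions on a mailbox.
PERMISSION_CMDLETS = {"Add-MailboxFolderPermission", "Set-MailboxFolderPermission"}

# Access rights that do not expose folder contents.
HARMLESS_RIGHTS = {"None", "FolderVisible", "AvailabilityOnly"}


@dataclass
class Finding:
    mailbox: str
    folder: str
    principal: str
    rights: tuple
    caller: str


def audit_folder_permissions(records: list) -> list:
    """Return one Finding per audit record that grants a broad principal
    more than harmless rights on a mailbox folder."""
    findings = []
    for rec in records:
        if rec.get("CmdletName") not in PERMISSION_CMDLETS:
            continue
        params = rec.get("CmdletParameters", {})
        principal = params.get("User", "")
        if principal.lower() not in BROAD_PRINCIPALS:
            continue
        rights = tuple(params.get("AccessRights", []))
        if set(rights) <= HARMLESS_RIGHTS:
            continue
        # Folder identities use the form "mailbox:\Folder".
        mailbox, _, folder = params.get("Identity", "").partition(":\\")
        findings.append(Finding(mailbox, folder or "(root)", principal, rights, rec.get("Caller", "")))
    return findings


# Constructed sample records (not real log data); only the first one should alert.
SAMPLE_RECORDS = [
    {"CmdletName": "Add-MailboxFolderPermission", "Caller": "jdoe",
     "CmdletParameters": {"Identity": "jdoe:\\Inbox", "User": "Default", "AccessRights": ["Reviewer"]}},
    {"CmdletName": "Set-MailboxFolderPermission", "Caller": "jdoe",
     "CmdletParameters": {"Identity": "jdoe:\\Calendar", "User": "Default", "AccessRights": ["AvailabilityOnly"]}},
    {"CmdletName": "Add-MailboxFolderPermission", "Caller": "jdoe",
     "CmdletParameters": {"Identity": "jdoe:\\Inbox", "User": "asmith", "AccessRights": ["Editor"]}},
]

if __name__ == "__main__":
    for f in audit_folder_permissions(SAMPLE_RECORDS):
        print(f"ALERT {f.mailbox}\\{f.folder}: '{f.principal}' granted {','.join(f.rights)} by {f.caller}")
```

A grant to "Default" or "Anonymous" on a user's Inbox is almost never legitimate, so each finding is worth correlating with the mailbox owner's recent sign-ins and with the Outlook patch status of their workstation.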
