A Russia-linked threat actor is exploiting a critical Net-NTLMv2 hash leak vulnerability in Microsoft Outlook email service to gain access to email accounts on Exchange servers, Microsoft’s threat intelligence team warned.

“Microsoft has identified a Russian-based nation-state threat actor tracked as Forest Blizzard (STRONTIUM, APT28, FANCYBEAR) actively exploiting CVE-2023-23397 to provide secret, unauthorized access to email accounts within Exchange servers,” the team wrote in a series of messages on X (formerly Twitter).

Forest Blizzard primarily targets government, energy, transportation, and non-governmental organizations in the US, Europe, and the Middle East. The threat actor also commonly employs other known public exploits in their attacks, such as a file extension spoofing bug in WinRAR (CVE-2023-38831) or an RCE flaw in Microsoft MSHTML (CVE-2021-40444), among others.

According to an advisory on the attacks targeting entities in Poland published by the Polish Cyber Command (DKWOC), the first stage of the attack involves the threat actors using brute force techniques to gain access to the target mailbox or the exploitation of the above-mentioned CVE-2023-23397 vulnerability.

Upon compromising the victim’s mailbox, the attackers modify folder permissions within the account.

“In most cases, the modifications are to change the default permissions of the “Default” group (all authenticated users in the Exchange organization) from “None” to “Owner”,” the advisory said.

In the attacks observed by the Polish cyber experts, the threat actor altered folder permissions in high-value mailboxes thus obtaining access to sensitive information via any compromised email account in the Exchange organization, using the Exchange Web Services (EWS) protocol.

“It should be emphasized that the introduction of such modifications allows for the maintenance of unauthorized access to the contents of the mailbox even after losing direct access to it. Another indicator that can be used to detect malicious activity is when and how permissions are modified. A characteristic feature of the described activity is the modification of permissions to all folders within the mailbox in a relatively short time (a few seconds), which physically excludes the possibility of making these changes manually by the user,” POL Cyber Command noted.

According to recent data from The ShadowServer Foundation organization, there are more than 20,000 internet-exposed Microsoft Exchange servers vulnerable to multiple security flaws, including CVE-2020-0688, CVE-2021-26855 (ProxyLogon), CVE-2021-27065 (part of the ProxyLogon exploit chain), CVE-2022-41082 (part of the ProxyNotShell exploit chain), CVE-2023-21529, CVE-2023-36745, and CVE-2023-36439.