Administrators should apply the script to determine if they have been affected by the vulnerability and to remediate it. Microsoft has provided a script to identify and clean up or remove Exchange messages with UNC paths in message properties.It is particularly useful for high-value accounts, such as domain administrators. This approach simplifies troubleshooting compared to other methods of disabling NTLM. Add users to the “Protected Users Security Group” in Active Directory to prevent NTLM as an authentication mechanism.This action prevents the transmission of NTLM authentication messages to remote file shares, helping to address CVE-2023-23397. Administrators should block TCP 445/SMB outbound traffic to the internet from the network using perimeter firewalls, local firewalls, and VPN settings.To better protect your organization, we recommend the following steps in accordance with Microsoft’s advice: Hornetsecurity’s users are protected by the Spam and Malware Protection and Advanced Threat Protection services against inbound threats. The attacker can then relay this information to another service and authenticate as the victim, further compromising the system. This results in the leakage of the victim’s Net-NTLMv2 hash, a challenge-response protocol used for authentication in Windows environments. It triggers a connection from the victim to a location controlled by the attacker. The exploit is initiated by fetching and processing a malicious email by the Outlook client, potentially leading to exploitation even before the email is displayed in the preview pane. Hornetsecurity detects emails that exploit the vulnerability and quarantines them to prevent emails from reaching the victim’s inbox. This malicious email enables the attacker to gain unauthorized access to the recipient’s credentials. The vulnerability, identified as CVE-2023-23397 with a CVSS score of 9.8, permits a remote, unauthorized attacker to compromise systems simply by transmitting a specifically crafted email. A severe security vulnerability has been discovered in Microsoft Outlook, which is currently being exploited by cybercriminals.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |