A hacker gang associated with Russia’s military intelligence service GRU used an Outlook zero-day vulnerability (CVE-2023-23397) to attack European firms. Microsoft has since addressed the issue. Between mid-April and December 2022, fewer than 15 government, military, energy, and transportation organisations had their networks targeted and breached in attacks that exploited the vulnerability.
To steal NTLM hashes via NTLM negotiation requests, the hacker gang (tracked as APT28, STRONTIUM, Sednit, Sofacy, and Fancy Bear) sent malicious Outlook notes and tasks that forced the targets’ machines to authenticate to attacker-controlled SMB shares.
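The coercion works because an Outlook item can carry a reminder sound-file path, and a UNC path there makes the client reach out over SMB. A defender-side triage check for that pattern, written as an added example here (not Microsoft's own CVE-2023-23397 scanning script, and not code from the article): it scans a constructed, inline sample of exported item metadata, whose field names are an assumption, and flags items whose reminder file points at a host outside the assumed internal address ranges and DNS suffix.

```python
import ipaddress
import re

# Constructed sample of Outlook item metadata, in the shape an administrator might
# export from a mailbox scan. Field names and values are assumptions for this example;
# "reminder_file" stands for the item's reminder sound-file path.
SAMPLE_ITEMS = [
    {"id": "task-1", "kind": "task", "reminder_file": r"\\203.0.113.7\share\alert.wav"},
    {"id": "appt-2", "kind": "appointment", "reminder_file": r"C:\Windows\Media\Alarm01.wav"},
    {"id": "note-3", "kind": "note", "reminder_file": r"\\fileserver.corp.example\media\ding.wav"},
    {"id": "task-4", "kind": "task", "reminder_file": None},
    {"id": "appt-5", "kind": "appointment", "reminder_file": r"\\attacker.example.net\c$\x.wav"},
]

# Assumed internal scope: RFC 1918, loopback and link-local ranges, plus one DNS suffix.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
INTERNAL_SUFFIXES = (".corp.example",)

UNC_RE = re.compile(r"^\\\\([^\\]+)\\")  # \\host\share... -> capture "host"


def unc_host(path):
    """Return the host part of a UNC path, or None if the path is empty or not UNC."""
    if not path:
        return None
    m = UNC_RE.match(path)
    return m.group(1) if m else None


def is_external_host(host):
    """True if the host is neither an internal IP range nor an internal DNS name."""
    try:
        ip = ipaddress.ip_address(host)
        return not any(ip in net for net in INTERNAL_NETS)
    except ValueError:  # not an IP literal, so treat it as a DNS name
        return not host.lower().endswith(INTERNAL_SUFFIXES)


def suspicious_items(items):
    """Items whose reminder file would make Outlook authenticate to an external SMB host."""
    flagged = []
    for item in items:
        host = unc_host(item.get("reminder_file"))
        if host and is_external_host(host):
            flagged.append((item["id"], host))
    return flagged


if __name__ == "__main__":
    for item_id, host in suspicious_items(SAMPLE_ITEMS):
        print(f"{item_id}: reminder file points at external SMB host {host}")
```

A hit is a reason to quarantine the item and check the client for outbound SMB to that host; a clean run over exported metadata does not prove the mailbox was never targeted, since a malicious item may already have been deleted.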