Microsoft Warns of Russian Hacker Group Exploiting Outlook Flaw to Hijack Accounts
ICARO Media Group
In a recent warning, Microsoft's Threat Intelligence team alerted users to the activities of APT28, a Russian state-sponsored hacking group also known as "Fancy Bear" or "Strontium." The group has been actively exploiting a critical vulnerability in Microsoft Outlook, tracked as CVE-2023-23397, to gain unauthorized access to Microsoft Exchange accounts and steal sensitive information.
The Outlook flaw, initially identified as a zero-day vulnerability in March 2023, allows for elevation of privilege (EoP) on Windows systems. Microsoft promptly released a security fix to address the issue during the March 2023 Patch Tuesday. However, it was discovered that APT28 had been exploiting the vulnerability since April 2022 by deploying specially crafted Outlook notes designed to force authentication to attacker-controlled SMB shares and thereby steal NTLM hashes, all without user interaction.
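The exploitation path described above leaves a concrete artifact in the mailbox: a reminder-sound path (the MAPI property PidLidReminderFileParameter) that points at a remote UNC host instead of a local file. The following Python is an added illustration of how a defender could triage such values once exported from a mailbox scan; it is not Microsoft's scanning script and not code from the article. The sample values, the message ids, the `corp.example` trusted suffix and the `TRUSTED_HOSTS` set are all constructed assumptions.

```python
import re

# Constructed sample values of the Outlook reminder-sound property
# (PidLidReminderFileParameter), keyed by a made-up message id. In a real
# scan these would be read from each mailbox item; these are not real data.
SAMPLE_REMINDER_PATHS = {
    "msg-001": r"C:\Windows\Media\Alarm01.wav",                 # normal local sound
    "msg-002": r"\\203.0.113.10\share\reminder.wav",            # external UNC host
    "msg-003": r"\\?\UNC\198.51.100.7\s\a.wav",                 # long-form UNC
    "msg-004": r"\\fileserver.corp.example\public\chime.wav",   # internal server
    "msg-005": None,                                            # property not set
    "msg-006": r"\\203.0.113.10@80\DavWWWRoot\x.wav",           # WebDAV-style host
}

# Assumed trusted hosts and DNS suffixes for a fictional corp.example estate.
TRUSTED_HOSTS = {"localhost"}
TRUSTED_SUFFIXES = (".corp.example",)

# Matches \\host\..., \\?\UNC\host\... and \\host@port\... forms; group 1 is the host.
UNC_RE = re.compile(r"^\\\\(?:\?\\UNC\\)?([^\\@]+)(?:@[^\\]*)?\\", re.IGNORECASE)


def unc_host(value):
    """Return the lower-cased host of a UNC path, or None if the value is not UNC."""
    m = UNC_RE.match(value)
    return m.group(1).lower() if m else None


def is_trusted_host(host):
    """True when the host is explicitly trusted or carries a trusted DNS suffix."""
    return host in TRUSTED_HOSTS or host.endswith(TRUSTED_SUFFIXES)


def classify_reminder_path(value):
    """Classify one property value as 'empty', 'local', 'unc-trusted' or 'unc-untrusted'."""
    if not value:
        return "empty"
    host = unc_host(value)
    if host is None:
        return "local"
    return "unc-trusted" if is_trusted_host(host) else "unc-untrusted"


def find_suspicious(items):
    """Return message ids whose reminder path would make Outlook authenticate
    to a host outside the trusted set, the pattern abused by CVE-2023-23397."""
    return sorted(mid for mid, val in items.items()
                  if classify_reminder_path(val) == "unc-untrusted")


if __name__ == "__main__":
    for mid in find_suspicious(SAMPLE_REMINDER_PATHS):
        print(mid, SAMPLE_REMINDER_PATHS[mid])
```

Any item flagged as `unc-untrusted` is worth pulling for review, and the same host list doubles as an allowlist when checking egress rules, since blocking outbound SMB (TCP 445) to the internet stops the forced authentication from ever reaching an attacker-controlled share.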
By leveraging their elevated privileges, APT28 was able to move laterally within their victims' environments. Their tactics included altering Outlook mailbox permissions to execute targeted email theft. Despite the availability of security updates and mitigation recommendations, the attack surface remained significant. Additionally, a subsequent fix released in May (CVE-2023-29324) was bypassed, exacerbating the situation.
The severity of the attacks was underscored by Recorded Future's warning in June, indicating that APT28 had likely used the Outlook flaw against key Ukrainian organizations. Furthermore, in October, the French cybersecurity agency (ANSSI) revealed that these Russian hackers had deployed zero-click attacks against government entities, businesses, universities, research institutes, and think tanks in France.
Microsoft's recent warning emphasized that the APT28 group continues to exploit CVE-2023-38831, a vulnerability in WinRAR, indicating that there are still systems vulnerable to this critical EoP flaw.
The tech giant expressed its appreciation for the efforts made by the Polish Cyber Command Center (DKWOC) in detecting and stopping these attacks. DKWOC also published a post detailing APT28's activities involving CVE-2023-38831.
In light of APT28's resourcefulness and adaptability, Microsoft advises users to adopt a comprehensive defense strategy that includes reducing the attack surface across all interfaces and regularly updating all software products with the latest security patches.
The company urges users to remain vigilant and take action to protect their systems and sensitive information from these persistent state-sponsored hacking campaigns.