Robin’s Newsletter #248

19 March 2023. Volume 6, Issue 12
Critical vulnerabilities in Microsoft Outlook, Samsung chips in Android phones. ALPHV claims ransomware attack against Ring.
Join hundreds of subscribers who get this first, every Sunday. Subscribe

This week

Critical vulnerability in Outlook

  • Russian-linked threat actors have been exploiting a vulnerability in Microsoft Outlook to access government, energy, transport and military targets. It was reported to Microsoft by Ukraine’s Computer Emergency Response Team (CERT). Mandiant says they believe the issue to have been exploited for almost a year to gain access to government and critical infrastructure organisation.
  • When triggered, the vulnerability (tracked as CVE-2023-23397) causes Outlook to load files remotely via SMB, which causes the user’s NTLM hash to be passed to the attacker’s server. The attacker can then replay the hash to access other resources - mailboxes, files, etc - protected by this type of authentication.
  • The user doesn’t need to open or interact with the malicious message; it triggers automatically when received by Outlook. This type of ‘no interaction’ issue is extremely attractive to intelligence agencies and cybercriminals alike.
  • The exploit appears to be linked to an attribute specifying the sound to play when a reminder triggers and, bafflingly, can be set by the sender.
  • Microsoft has released a patch, so you should update Outlook (or the whole Office suite) as soon as possible. I’d expect this to be picked up and used by many actors in the coming weeks. For more info on the risk and mitigation options, check out Cydea’s risk advisory.

Interesting stats

$3.31 billion reported losses from investment scams in 2022, including  $2.57 billion of cryptocurrency investment scams (including pig butchering scams), exceeding the  $2.74 billion of losses from Business Email Compromise (BEC) scams in the same period, according to the FBI’s Internet Crime Complain Center (IC3) (PDF). By comparison, just  $34.35 million was lost to ransomware (though this does not include business disruption or remediation costs).

$7,500 claimable by healthcare group Orlando Family Physicians customers who had their social security numbers stolen in a 2021 data breach under a settlement of a class-action lawsuit.

Other newsy bits

And finally

  • Crypto mixer shutdown: Germany, United States, and Europol have taken down cryptocurrency mixer ChipMixer, seizing €44 million in cryptocurrency and 7TB of data. The service allegedly has laundered €2.73 billion of cryptocurrency for ransomware gangs, scammers, and North Korea’s Lazarus group. 

  Robin's Newsletter - Volume 6

  Microsoft Outlook Samsung Pig butchering Business Email Compromise (BEC) Cybercrime National Protective Security Authority (NPSA) Anker