Russian GRU Hackers Target Polish Outlook InboxesMilitary Intelligence Exploits Microsoft Flaw Patched In March
Russian military intelligence hackers active in Poland are exploiting a patched flaw in Microsoft Outlook, said cyber defenders from Redmond and Warsaw.
U.S. and British intelligence have assessed that Forest Blizzard is "almost certainly" part of the Russian General Staff Main Intelligence Directorate, better known as the GRU.
Polish Cyber Command said on Sunday that it had detected "malicious actions against public and private entities."
Relations between Poland and Russia further deteriorated following the Kremlin's February 2022 invasion of Ukraine, and Poland acted as a staging ground for military aid and refugees. Former Russian President Dmitry Medvedev reportedly wrote on Sunday that Moscow considers Poland to be a "dangerous enemy" and warned that its actions could "could lead to the death of Polish statehood in its entirety."
The flaw, tracked as CVE-2023-23397, is a Microsoft Outlook elevation of privilege vulnerability that allows a remote, unauthenticated attacker to send a specially crafted email that leaks the targeted user's hashed Windows account password, allowing the attacker to authenticate into other systems. This type of attack is known as Pass the Hash. Attackers are also using password-spraying attacks to gain access, a technique in which hackers attempt to log onto multiple accounts with the same password.
Polish Cyber Command said the hackers modify the permissions of high-value hacked Outlook inboxes to make messages visible to other Exchange group users as a way of maintaining access should they lose direct access. Hackers also use the Outlook API, Microsoft Exchange Web Services, to exfiltrate the contents of those high-value inboxes.
Microsoft patched the flaw in March. Threat intel firm Mandiant at the time warned that GRU hackers had been exploiting the vulnerability for nearly a year, deploying it against government agencies and logistics, oil, defense and transportation industries located in Poland, Ukraine, Romania and Turkey (see: Microsoft Fixes Russia-Exploited Zero-Day).