Microsoft Outlook Vulnerability

TACTICAL CYBER INTELLIGENCE REPORT

Actor Type: II, III

Serial: TR-18-103-001

Countries: IN, CN

Report Date: 20180413

A vulnerability has been disclosed in Microsoft Outlook that allows attackers to steal credentials simply by convincing the victim to view an email. No further user interaction is required.

Impact

The Microsoft Outlook vulnerability, tracked as CVE-2018-0950[1], allows attackers to steal sensitive information by convincing the victim to view or preview an email in Outlook. The flaw lies in the way Microsoft Outlook renders remotely hosted OLE content when an RTF (Rich Text Format) email message is previewed, which automatically initiates SMB connections.

In the attack scenario, a remote attacker exploits the vulnerability by sending an RTF email to the victim. The malicious message contains an image file (OLE object) that is loaded from a remote SMB server under the attacker's control.

Because Microsoft Outlook renders OLE content automatically, it initiates an automatic authentication with the attacker-controlled remote server over the SMB protocol using single sign-on (SSO), handing over the victim's username and the NTLMv2 hashed version of the password, potentially allowing the attacker to gain access to the victim's system[2].

This can disclose the victim's:

  • IP address
  • Domain name
  • Username
  • Password hash

If the victim is using a weak password, this hash can be used to crack the password.

"It is important to realize that even with this patch, a user is still a single click away from falling victim to the types of attacks described above," Dormann said. "For example, if an email message has a UNC-style link that begins with "\\", clicking the link initiates an SMB connection to the specified server."
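The two triggers described above, a linked OLE object in an RTF message that is fetched on preview and a UNC-style link beginning with "\\" in the message text, can both be spotted on the mail gateway or in a mailbox scan before the message ever reaches Outlook. The detector below is an added example written for this report, not code from the report's authors, Microsoft or CERT/CC. It uses only regular expressions over the raw RTF bytes: the control words `\object`, `\objautlink` and `\objdata` are real RTF control words; the host `203.0.113.10`, the share name and the two RTF fixtures are constructed test input, and the `\objdata` blob in the fixture is just the hex of the path rather than a real OLE stream, so nothing in it renders or connects anywhere.

```python
"""Detector for RTF e-mail bodies that carry a linked OLE object or a UNC path
(the pattern behind CVE-2018-0950). Added illustrative code, not from the report."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

BS = b"\\"        # one literal backslash
RTF_BS = BS * 2   # in RTF text a literal backslash is escaped as "\\"

# Real RTF control words: \object introduces an OLE object, \objautlink marks a
# link that is refreshed automatically (i.e. on preview), \objdata carries the
# hex-encoded object stream.
OBJECT_RE = re.compile(rb"\\object\b")
AUTOLINK_RE = re.compile(rb"\\objautlink\b")
OBJDATA_RE = re.compile(rb"\\objdata\b\s*([0-9A-Fa-f\s]+)")


def _unc_pattern(sep: bytes) -> re.Pattern[bytes]:
    """UNC path: two separators, host, separator, share, optional path components."""
    s = re.escape(sep)
    return re.compile(s * 2 + rb"[\w.-]+" + s + rb"[\w.$-]+(?:" + s + rb"[\w.$-]+)*")


RAW_UNC_RE = _unc_pattern(BS)          # for decoded binary streams
ESCAPED_UNC_RE = _unc_pattern(RTF_BS)  # for RTF text, where "\" is written "\\"


@dataclass
class RtfFinding:
    has_ole_object: bool
    has_autolink: bool
    unc_paths: list[bytes] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # An OLE object that references a UNC path is the preview-time SMB trigger
        # described in the report; a bare UNC link in the text still needs a click.
        return self.has_ole_object and bool(self.unc_paths)


def scan_rtf(rtf: bytes) -> RtfFinding:
    """Scan raw RTF bytes and report OLE objects and UNC paths (regex only, no parser)."""
    finding = RtfFinding(
        has_ole_object=bool(OBJECT_RE.search(rtf)),
        has_autolink=bool(AUTOLINK_RE.search(rtf)),
    )
    seen: list[bytes] = []
    # 1. UNC paths written in the message text, un-escaped back to a normal path.
    for m in ESCAPED_UNC_RE.finditer(rtf):
        seen.append(m.group(0).replace(RTF_BS, BS))
    # 2. UNC paths inside hex-encoded \objdata streams. Link monikers may store the
    #    path as UTF-16LE, so NUL bytes are dropped before matching (heuristic).
    for m in OBJDATA_RE.finditer(rtf):
        hex_blob = re.sub(rb"\s+", b"", m.group(1))
        try:
            raw = bytes.fromhex(hex_blob.decode("ascii"))
        except ValueError:
            continue  # malformed hex: not decodable, skip this stream
        for u in RAW_UNC_RE.finditer(raw.replace(b"\x00", b"")):
            seen.append(u.group(0))
    finding.unc_paths = list(dict.fromkeys(seen))  # de-duplicate, keep order
    return finding


# --- constructed fixtures (not real messages) --------------------------------
HOST = b"203.0.113.10"  # documentation-range address, constructed for this example
UNC = BS * 2 + HOST + BS + b"share" + BS + b"pic.png"  # \\203.0.113.10\share\pic.png

BENIGN_RTF = b"{\\rtf1\\ansi Quarterly report attached, see the PDF.\\par}"

# A body with a clickable UNC link in the text plus an auto-updating linked OLE
# object whose (fake) data stream names the same path. The \objdata blob is just
# the hex of the path, not a real OLE stream, so nothing here renders or connects.
SUSPICIOUS_RTF = (
    b"{\\rtf1\\ansi Open " + UNC.replace(BS, RTF_BS) + b"\\par "
    + b"{\\object\\objautlink\\objw100\\objh100{\\*\\objdata "
    + UNC.hex().encode("ascii") + b"}}}"
)

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_RTF), ("suspicious", SUSPICIOUS_RTF)):
        f = scan_rtf(body)
        print(name, "object:", f.has_ole_object, "autolink:", f.has_autolink,
              "unc:", f.unc_paths, "suspicious:", f.suspicious)
```

The `suspicious` flag is deliberately narrow: only an OLE object combined with a UNC path is treated as the no-click preview trigger, while a UNC link in plain text is reported in `unc_paths` but left for policy to decide, since, as the quote above notes, it still requires a click. Run on real traffic the regexes are a first-pass filter, not a parser, so treat a hit as a reason to quarantine and inspect rather than as a verdict.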

Prevention and Mitigation Strategies

Microsoft has released a patch. It is important to note that this Microsoft patch does not provide complete protection. Additional controls are required to fully mitigate the threat. Our members are advised to conduct the following:

[1] https://nvd.nist.gov/vuln/detail/CVE-2018-0950

[2] https://thehackernews.com/2018/04/outlook-smb-vulnerability.html
