A day after it released patches for the vulnerability as part of its Patch Tuesday updates, Microsoft acknowledged on Wednesday that a recently discovered critical security flaw in Exchange Server had been actively exploited in the wild.
The problem was identified as a case of privilege escalation affecting the Exchange Server and is tracked as CVE-2024-21410 ( CVSS score: 9.8 ).
In a statement released this week, the company claimed that an attacker could use an NTLM client like Outlook to target it.
To gain access to the Exchange server as the victim client and carry out operations on its behalf, the leaked credentials can then be relayed there.
Redmond added that if the flaw is successfully exploited, an attacker may be able to relay a user’s leaked Net-NTLMv2 hash to an Exchange Server that is vulnerable and authenticate as the user.
The tech behemoth changed its Exploitability Assessment to” Exploitation Detected” in a bulletin update, noting that the Exchange Server 2019 Cumulative Update 14 ( CU14 ) update now automatically enabled Extended Protection for Authentication ( EPA ).
It is currently unknown what the exploitation’s specifics are or who the threat actors who might be abusing the flaw are. However, Russian state-affiliated hacking teams like APT28 ( also known as Forest Blizzard ) have a history of staging NTLM relay attacks by taking advantage of Microsoft Outlook flaws.
Trend Micro accused the target of NTLM relay attacks on high-value entities earlier this month, at least since April 2022. Organizations involved in labor, social welfare, finance, parenthood, local city councils, energy, defense, transportation, and foreign affairs were all the targets of the intrusions.
The addition of CVE-2024-21410 to the two other Windows flaws that Microsoft patched this week and actively weaponized in real-world attacks are the ones listed in the CVSS score of 7.6 and 21412, respectively.
An advanced persistent threat called Water Hydra ( also known as DarkCasino ), which previously used zero-day WinRAR to deploy the DarkMe trojan, has been blamed for the CVE-2024- 21412 bug.
Trend Micro claimed that the group “used internet shortcuts disguised as a JPEG image that, when chosen by the user, allows the threat actor to exploit CVE-2024-2112.” The Windows host can then be completely compromised as a result of the group’s attack chain by getting around Microsoft Defender SmartScreen.
CVE-2024-2113 is another serious flaw in the Outlook email software that could lead to remote code execution by easily getting around security measures like Protected View, according to Microsoft’s Patch Tuesday update.
The problem, known as MonikerLink by Check Point, “allows for a wide and serious impact, ranging from arbitrary code execution to leaking local NTLM credential information.”
By adding an exclamation mark to URLs pointing to arbitrary payloads hosted on attacker-controlled servers ( e .g., “file: ///10.10.111.111-test” ), the vulnerability is caused by incorrect parsing of hyperlinks that are marked as such. rtf! ” Something”
The cybersecurity company claimed that the bug “allows for the leak of local NTLM information as well as remote code execution and more as an attack vector.” When used as an attack vector to target other Office applications, it may also get around the Office Protected View.