On 4 December 2023, Microsoft and the Polish Cyber Command reported an increase in activity consistent with in-the-wild exploitation of CVE-2023-23397, a critical (CVSS 9.8) elevation-of-privilege vulnerability in Microsoft Outlook for Windows. The flaw requires no user interaction: a crafted message (typically a calendar invite or task) carries the extended MAPI property PidLidReminderFileParameter, which points the reminder sound file at an attacker-controlled UNC path. When the reminder fires, Outlook connects to that server over SMB and leaks the user's Net-NTLMv2 response, which the attacker can then crack or relay to other services that accept NTLM authentication.
Although the vulnerability was patched in the March 2023 "Patch Tuesday," intelligence indicates that the attack surface remains significant, particularly because the original fix was bypassed (CVE-2023-29324, disclosed and patched in May 2023), so systems that applied only the March update remained exposed to zero-click exploitation.
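The practical check a defender wants here is whether any item in a mailbox carries a reminder sound path that points off-host, which is the condition the exploit relies on. The following Python is an added example written for this page; it is not code from the original report, and it is not Microsoft's own audit script (which performs a comparable check against Exchange mailboxes). The property names follow MS-OXPROPS; the sample items, hosts and paths are constructed for illustration. It goes slightly beyond the single case in the text by also recognising the `\\host@port` and `\\host@SSL` WebDAV forms of a UNC path, which are still network paths.

```python
import re

# Constructed sample mailbox dump (not real telemetry): each dict holds the two
# MS-OXPROPS reminder properties relevant to CVE-2023-23397. Subjects, hosts and
# paths are invented for illustration.
SAMPLE_ITEMS = [
    {"subject": "Team sync",
     "PidLidReminderOverride": False,
     "PidLidReminderFileParameter": None},
    {"subject": "Invoice reminder",
     "PidLidReminderOverride": True,
     "PidLidReminderFileParameter": r"\\203.0.113.5\share\sound.wav"},
    {"subject": "Quarterly review",
     "PidLidReminderOverride": True,
     "PidLidReminderFileParameter": r"C:\Windows\Media\Alarm01.wav"},
    {"subject": "Budget",
     "PidLidReminderOverride": True,
     # WebDAV-style UNC with an explicit port, written with forward slashes;
     # Windows accepts either separator, so this is still a network path.
     "PidLidReminderFileParameter": r"//attacker.example@80/dav/x.wav"},
]

# Host portion of a UNC path: \\host\..., \\host@port\..., \\host@SSL\...
UNC_HOST_RE = re.compile(r"^\\\\([^\\@]+)(?:@(\d+|ssl))?(?:\\|$)", re.IGNORECASE)

# "\\?\" and "\\.\" are local DOS device-path prefixes, not remote hosts.
LOCAL_DEVICE_PREFIXES = {"?", "."}


def remote_host(path):
    """Return the host named by a UNC reminder path, or None for local or absent paths."""
    if not path:
        return None
    normalised = path.replace("/", "\\")  # tolerate forward-slash UNC spellings
    match = UNC_HOST_RE.match(normalised)
    if not match or match.group(1) in LOCAL_DEVICE_PREFIXES:
        return None
    return match.group(1)


def scan_items(items):
    """Flag items whose reminder sound would be fetched from a network host.

    Returns a list of (subject, host, override_set). An item is flagged even
    when PidLidReminderOverride is False, because the property should never
    legitimately point off-host; the override flag is reported so an analyst
    can prioritise items whose reminder would actually fire.
    """
    findings = []
    for item in items:
        host = remote_host(item.get("PidLidReminderFileParameter"))
        if host is not None:
            findings.append((item["subject"], host, bool(item.get("PidLidReminderOverride"))))
    return findings


if __name__ == "__main__":
    for subject, host, override in scan_items(SAMPLE_ITEMS):
        print(f"SUSPICIOUS: '{subject}' reminder sound points to host {host} (override={override})")
```

Any hit should be treated as an attempted NTLM leak and the destination host blocked; the same outbound SMB traffic (TCP 445 to the internet) is what Microsoft's mitigation guidance recommends blocking at the perimeter, alongside placing high-value accounts in the Protected Users group so their credentials cannot be used with NTLM.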
Attacks in the wild were attributed to APT28 (a.k.a. "Fancy Bear"; tracked by Microsoft as Forest Blizzard, formerly Strontium), a Russian state-sponsored actor linked to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
According to available reports, targeted sectors include government, energy, transportation, and other key organizations in the United States, Europe, and the Middle East. The Polish Cyber Command also reports attacks against Polish state-owned and private organizations. According to the Polish report, CVE-2023-23397 was the primary vector used to gain access to targeted mailboxes, presumably for espionage purposes; in other cases the actor fell back on password-spraying attacks.
A separate report by Palo Alto Networks Unit 42 indicates that APT28 attacks were observed across various NATO countries and a handful of non-NATO ones, including Ukraine, Jordan, and the United Arab Emirates (UAE). The same source reports primary attack targets were the energy, transportation, telecommunications, and information technology sectors as well as organizations involved in the military industrial base and government.
Such targeting is consistent with Russian espionage priorities. The inclusion of Jordan and the UAE among the campaign's targets may reflect recent Russian diplomatic engagement across the Middle East.