Clipeus

APT28 Exploits CVE-2023-23397

On 4 December 2023, Microsoft and the Polish Cyber Command reported an increase in cyber activities consistent with exploitation in the wild of CVE-2023-23397, a critical (CVSS: 9.1) privilege escalation vulnerability in Microsoft Outlook.

Despite the vulnerability being patched in the March 2023 "Patch Tuesday" release, intelligence indicates that the attack surface remains significant, particularly following the May 2023 report of CVE-2023-29324, a zero-click bypass of the original fix.

Attacks in the wild were attributed to APT28 (a.k.a. "Fancy Bear" or "Strontium"), a Russian state-sponsored actor linked to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).

According to available reports, targeted sectors include government, energy, transportation, and other key organizations in the United States, Europe, and the Middle East. The Polish Cyber Command also reports attacks against Polish state-owned and private organizations. According to the Polish report, CVE-2023-23397 was leveraged as the primary vector to compromise targeted mailboxes, presumably for espionage purposes. The Russian actor also resorted to password-spraying attacks.

A separate report by Palo Alto Networks Unit 42 indicates that APT28 attacks were observed across various NATO countries and a handful of non-NATO ones, including Ukraine, Jordan, and the United Arab Emirates (UAE). The same source reports that the primary targets were the energy, transportation, telecommunications, and information technology sectors, as well as organizations in the military-industrial base and government.

Such targeting appears to be consistent with Russian espionage priorities. One possible interpretation is that the prioritization of Jordan and the UAE in this campaign reflects recent Russian diplomatic missions across the Middle East.
