US Cyber Command posted on Twitter an alert about cyber attacks exploiting the CVE-2017-11774 vulnerability in Outlook.
Yesterday I was using Twitter when I noticed the following alert issued by the account managed by the US Cyber Command:
USCYBERCOM has discovered active malicious use of CVE-2017-11774 and recommends immediate #patching. Malware is currently delivered from: 'hxxps://customermgmt.net/page/macrocosm' #cybersecurity #infosec
— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) July 2, 2019
The alert refers to an ongoing activity aimed at infecting government networks by exploiting the CVE-2017-11774 Outlook vulnerability.
The issue is a security feature bypass vulnerability that affects Microsoft Outlook. According to Microsoft, Outlook improperly handles objects in memory, an attacker could exploit the vulnerability to execute arbitrary commands.
“In a file-sharing attack scenario, an attacker could provide a specially crafted document file designed to exploit the vulnerability, and then convince users to open the document file and interact with the document.” reads the security advisory published by Microsoft.
The CVE-2017-11774 flaw was reported by SensePost researchers in 2017 and was addressed by Microsoft in the October 2017 Patch Tuesday.
Security experts at Chronicle link the malware samples involved in the attacks to Iran-linked APT33 group (aka Elfin), the same threat actor that developed the dreaded Shamoon malware.
The APT33 group has been around since at least 2013, since mid-2016, the group targeted the aviation industry and energy companies with connections to petrochemical production. Most of the targets were in the Middle East, others were in the U.S., South Korean, and Europe.
In March, Symantec published a report detailing the activities of the APT33 group that was targeting organizations in Saudi Arabia and the United States. Experts at RecordedFuture recently discovered that the Iran-linked cyberespionage group has updated its infrastructure after the publication of a report detailing its activities.
Chronicle Head of Applied Intelligence Brandon Levene linked the uploaded samples to APT33 and Shamoon2.
“The executables uploaded by CyberCom appear to be related to Shamoon2 activity, which took place around January of 2017. These executables are both downloaders that utilize powershell to load the PUPY RAT. Additionally, CyberCom uploaded three tools likely used for the manipulation and of exploited web servers.” explained Brandon Levene, Head of Applied Intelligence at Chronicle.”Each tool has a slightly different purpose, but there is a clear capability on the part of the attacker to interact with servers they may have compromised. If the observation of CVE-2017-11774 holds true, this sheds some light on how the Shamoon attackers were able to compromise their targets. It was highly speculated that spear phishes were involved, but not a lot of information around the initial vectors was published.”
The CVE-2017-11774 vulnerability was used by Iran-linked threat actors since 2018, some attacks were attributed to the APT33 cyberepionage group.
In late December, experts observed threat actors targeting web servers and leveraging the CVE-2017-11774 to infect their users.
“Once the adversary has legitimate credentials, they identify publicly accessible Outlook Web Access (OWA) or Office 365 that is not protected with multi-factor authentication. The adversary leverages the stolen credentials and a tool like RULER to deliver [CVE-2017-11774] exploits through Exchange’s legitimate features,” stated a report published by FireEye in December. ” SensePost’s RULER is a tool designed to interact with Exchange servers via a messaging application programming interface (MAPI), or via remote procedure calls (RPC), both over HTTP protocol.”
In the same period, December 2018, a new variant of the Shamoon malware, aka DistTrack, was uploaded to VirusTotal from Italy.A second sample of the Shamoon wiper was uploaded to Virus total on December 13, from the Netherlands, and the third sample of Shamoon 3 was uploaded on December 23 to the VirusTotal from France.
According to Levene, the exploitation of the CVE-2017-11774 in attacks in the wild could give us an indication of the attack chain behind APT33/Shamoon infections.
At the end of June, US DHS CISA agency warned of increased cyber-activityfrom Iran aimed at spreading data-wiping malware through password spraying, credential stuffing, and spear-phishing.
The attacks are targeting U.S. industries and government agencies.