US Cyber Command warns that the Outlook is not so good - Iranians hitting email flaw
Government-backed campaign going after bug that was patched in 2017
An ongoing Iranian government-backed hacking campaign is now trying to exploit a Microsoft Outlook flaw from 2017.
US Cyber Command has issued an alert that attackers are actively exploiting CVE-2017-11774. Microsoft classed the flaw as a security feature bypass in Outlook, in effect a sandbox escape: an attacker who already holds the victim's mailbox credentials can set a custom home page for one of the user's Outlook folders, and that page can carry script which, when Outlook next loads the folder, downloads and executes malware with the user's privileges. No attachment and no click are needed from the victim.
"USCYBERCOM has discovered active malicious use of CVE-2017-11774 and recommends immediate #patching. Malware is currently delivered from: 'hxxps://customermgmt.net/page/macrocosm' #cybersecurity #infosec" — USCYBERCOM Malware Alert (@CNMF_VirusAlert), July 2, 2019
The timing of this alert raised eyebrows in the security community, as exploitation of CVE-2017-11774 is a favourite technique of APT33, the Iranian-backed hacking group that has re-emerged with a vengeance amid rising tensions between Washington and Tehran.
"For at least a year, APT33 and APT34 have used this technique with success due to organizations' lack of proper multi-factor e-mail access controls and patching e-mail applications for CVE-2017-11774," the FireEye Advanced Practices Team said in a statement to El Reg.
The attribution to APT33 matters here because the group has a recognisable way of exploiting the flaw: the attackers pick a target organisation and password-spray it, trying a short list of commonly guessed passwords against as many email accounts as possible, then plug whatever credentials work into the CVE-2017-11774 exploit script to set the malicious home page on each compromised mailbox.
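Because the technique leaves the malicious page configured in the victim's Outlook profile rather than in an inbox, the host-side check a responder wants is an audit of the folder home page settings. The script below is an added example, not code from the article, USCYBERCOM or FireEye. It assumes the registry locations Outlook uses for per-folder home pages (HKCU\Software\Microsoft\Office\<ver>\Outlook\WebView\<Folder>\URL) and the switch the October 2017 update introduced for roaming home pages (HKCU\Software\Microsoft\Office\<ver>\Outlook\Security\EnableRoamingFolderHomepages, where the patched default is disabled); verify both against your Office build before deploying it fleet-wide. The IOC domain is the one quoted in the USCYBERCOM alert above.

```powershell
# Added example: audit (and optionally remediate) Outlook folder home pages
# abused via CVE-2017-11774 on the local user profile.
# Assumed key paths (check against your Office version):
#   HKCU\Software\Microsoft\Office\<ver>\Outlook\WebView\<Folder>\URL
#   HKCU\Software\Microsoft\Office\<ver>\Outlook\Security\EnableRoamingFolderHomepages
[CmdletBinding()]
param(
    [switch]$Fix   # clear any home page URLs found and pin roaming home pages off
)

# Hostname from the USCYBERCOM alert; extend with your own indicators.
$KnownBadHosts = @('customermgmt.net')

$findings = @()

foreach ($ver in '14.0', '15.0', '16.0') {
    $outlook = "HKCU:\Software\Microsoft\Office\$ver\Outlook"
    if (-not (Test-Path $outlook)) { continue }

    # 1. Per-folder home pages set locally (WebView\Inbox, WebView\Calendar, ...).
    #    A legitimate folder home page is rare in most estates, so any remote URL
    #    deserves review and a known-bad host is an immediate incident.
    $webview = Join-Path $outlook 'WebView'
    if (Test-Path $webview) {
        foreach ($folder in Get-ChildItem $webview) {
            $url = (Get-ItemProperty -Path $folder.PSPath -Name URL -ErrorAction SilentlyContinue).URL
            if ([string]::IsNullOrWhiteSpace($url)) { continue }

            $severity = 'REVIEW'
            if ($url -match '^https?://') { $severity = 'HIGH' }
            foreach ($bad in $KnownBadHosts) {
                if ($url -match [regex]::Escape($bad)) { $severity = 'CONFIRMED-IOC' }
            }

            $findings += [pscustomobject]@{
                Office   = $ver
                Setting  = "WebView\$($folder.PSChildName)\URL"
                Value    = $url
                Severity = $severity
            }
            if ($Fix) {
                Remove-ItemProperty -Path $folder.PSPath -Name URL -ErrorAction SilentlyContinue
            }
        }
    }

    # 2. Roaming home pages are the mailbox-side property an attacker with stolen
    #    credentials sets; the October 2017 update disables them by default, so an
    #    explicit non-zero value means someone re-enabled the feature.
    $security = Join-Path $outlook 'Security'
    $roam = (Get-ItemProperty -Path $security -Name EnableRoamingFolderHomepages -ErrorAction SilentlyContinue).EnableRoamingFolderHomepages
    if ($null -ne $roam -and $roam -ne 0) {
        $findings += [pscustomobject]@{
            Office   = $ver
            Setting  = 'Security\EnableRoamingFolderHomepages'
            Value    = $roam
            Severity = 'HIGH'
        }
    }
    if ($Fix) {
        # Pin the secure value explicitly so a later change is visible in diffing.
        if (-not (Test-Path $security)) { New-Item -Path $security -Force | Out-Null }
        Set-ItemProperty -Path $security -Name EnableRoamingFolderHomepages -Value 0 -Type DWord
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Outlook folder home page URLs set; roaming home pages not re-enabled.'
} else {
    $findings | Format-Table -AutoSize
    if ($Fix) { Write-Output 'Remediation applied; restart Outlook for it to take effect.' }
}
```

Run it under the affected user's context (the settings live in HKCU), first without -Fix to collect evidence, then with -Fix once the artefacts are preserved. A hit here is also the cue FireEye gives below: treat it as a credential compromise of that mailbox, not as a phishing incident.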
"If Outlook launches something malicious, a common assumption is that the impacted user has been phished – which is not what is occurring here," the FireEye team explains.
"The organization may waste valuable time without focus on the root cause."
Fortunately, Microsoft patched the bug in October 2017, so closing this hole should be straightforward, provided you can reach and update every Outlook installation in your estate. Bear in mind that the patch addresses only half of the problem FireEye describes: the credentials that let the attackers set the home page in the first place came from weak passwords on accounts without multi-factor authentication, and those accounts remain compromised after the update. ®