
US Cyber Command warns of Iran-linked hackers exploiting CVE-2017-11774 Outlook flaw


US Cyber Command posted on Twitter an alert about cyber attacks exploiting the CVE-2017-11774 vulnerability in Outlook.

Yesterday I was using Twitter when I noticed the following alert issued by the account managed by the US Cyber Command:

The alert refers to an ongoing activity aimed at infecting government networks by exploiting the CVE-2017-11774 Outlook vulnerability.

The issue is a security feature bypass vulnerability affecting Microsoft Outlook. According to Microsoft, Outlook improperly handles objects in memory, and an attacker could exploit the vulnerability to execute arbitrary commands.

“In a file-sharing attack scenario, an attacker could provide a specially crafted document file designed to exploit the vulnerability, and then convince users to open the document file and interact with the document.” reads the security advisory published by Microsoft.


The CVE-2017-11774 flaw was reported by SensePost researchers in 2017 and was addressed by Microsoft in the October 2017 Patch Tuesday.

Security experts at Chronicle link the malware samples involved in the attacks to the Iran-linked APT33 group (aka Elfin), the same threat actor that developed the dreaded Shamoon malware.

The APT33 group has been active since at least 2013. Since mid-2016, the group has targeted the aviation industry and energy companies with connections to petrochemical production. Most of the targets were in the Middle East; others were in the U.S., South Korea, and Europe.

In March, Symantec published a report detailing the activities of the APT33 group, which was targeting organizations in Saudi Arabia and the United States. Experts at Recorded Future recently discovered that the Iran-linked cyberespionage group had updated its infrastructure after the publication of a report detailing its activities.

Chronicle Head of Applied Intelligence Brandon Levene linked the uploaded samples to APT33 and Shamoon2.

“The executables uploaded by CyberCom appear to be related to Shamoon2 activity, which took place around January of 2017. These executables are both downloaders that utilize powershell to load the PUPY RAT. Additionally, CyberCom uploaded three tools likely used for the manipulation and of exploited web servers.” explained Brandon Levene, Head of Applied Intelligence at Chronicle. “Each tool has a slightly different purpose, but there is a clear capability on the part of the attacker to interact with servers they may have compromised. If the observation of CVE-2017-11774 holds true, this sheds some light on how the Shamoon attackers were able to compromise their targets. It was highly speculated that spear phishes were involved, but not a lot of information around the initial vectors was published.”

The CVE-2017-11774 vulnerability has been used by Iran-linked threat actors since 2018, and some of the attacks were attributed to the APT33 cyberespionage group.

In late December, experts observed threat actors targeting web servers and leveraging CVE-2017-11774 to infect their users.

“Once the adversary has legitimate credentials, they identify publicly accessible Outlook Web Access (OWA) or Office 365 that is not protected with multi-factor authentication. The adversary leverages the stolen credentials and a tool like RULER to deliver [CVE-2017-11774] exploits through Exchange’s legitimate features,” stated a report published by FireEye in December. “SensePost’s RULER is a tool designed to interact with Exchange servers via a messaging application programming interface (MAPI), or via remote procedure calls (RPC), both over HTTP protocol.”

In the same period, December 2018, a new variant of the Shamoon malware, aka DistTrack, was uploaded to VirusTotal from Italy. A second sample of the Shamoon wiper was uploaded to VirusTotal on December 13 from the Netherlands, and a third sample of Shamoon 3 was uploaded to VirusTotal on December 23 from France.

According to Levene, the exploitation of CVE-2017-11774 in attacks in the wild could give an indication of the attack chain behind APT33/Shamoon infections.

At the end of June, the US DHS CISA agency warned of increased cyber activity from Iran aimed at spreading data-wiping malware through password spraying, credential stuffing, and spear-phishing.

The attacks are targeting U.S. industries and government agencies.


Pierluigi Paganini

(SecurityAffairs – APT33, CVE-2017-11774)
