US Cyber Command (USCYBERCOM) issued an alert on Twitter warning of ongoing activity aimed at infecting government networks by exploiting a Microsoft Outlook vulnerability. The alert refers to the security feature bypass in the Outlook app tracked as CVE-2017-11774 (SB2017101012 #1), which was discovered in 2017.
The flaw, which Microsoft fixed in October 2017, has been described as a security feature bypass that can allow an attacker to execute arbitrary commands on targeted systems. According to USCYBERCOM, the attackers distributed the malware using the customermgmt.net domain. USCYBERCOM has shared several samples of malware related to the attacks on VirusTotal and urged users to patch CVE-2017-11774.
While the officials did not reveal who was behind the attacks, some clues have hinted at the possible involvement of the Iranian-linked APT33 (aka Elfin), which is believed to conduct cyber espionage operations on behalf of the Iranian government.
According to FireEye's December 2018 report, APT33 had been using CVE-2017-11774 together with an open source testing tool called Ruler to deliver malware. The researchers believe that the malware samples shared by USCYBERCOM are also related to the attacks launched by APT33. Chronicle Security's Brandon Levene added that Cyber Command's code samples appeared to be related to APT33's disk-wiping Shamoon malware.
Three out of the five tools uploaded by USCYBERCOM are "likely used" for the manipulation of compromised web servers, while the other two are downloaders that use PowerShell to load the PUPY RAT, Levene explained. "If the observation of CVE-2017-11774 holds true, this sheds some light on how the Shamoon attackers were able to compromise their targets. It was highly speculated that spear phishes were involved, but not a lot of information around the initial vectors was published," he said.