3 July 2019

Nation-state hackers exploiting Outlook to deliver malware

US Cyber Command (USCYBERCOM) issued an alert on Twitter warning of ongoing activity aimed at infecting government networks by exploiting a Microsoft Outlook vulnerability. The alert refers to a security feature bypass in the Outlook client tracked as CVE-2017-11774 (SB2017101012 #1), which was disclosed in 2017.

The flaw, which Microsoft fixed in October 2017, is a security feature bypass that can be abused to execute arbitrary commands on a targeted system. According to USCYBERCOM, the attackers distributed the malware using the customermgmt.net domain. USCYBERCOM has shared several malware samples related to the attacks on VirusTotal and urged users to patch CVE-2017-11774.
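CVE-2017-11774 is the Outlook folder home page sandbox escape: a per-folder home page URL stored in the user's registry hive causes Outlook to render attacker-controlled HTML inside the client, and the October 2017 fix disables that behaviour unless it is explicitly re-enabled. The following PowerShell audit script is an added example, not part of the original article or of any USCYBERCOM or FireEye material. It enumerates the folder home page URLs and the opt-out values that re-enable the pre-patch behaviour. The Office version numbers checked (14.0, 15.0, 16.0) are an assumption about which Outlook releases are installed; adjust the list for your estate.

```powershell
# Added audit script (not from the article): surface Outlook folder home page URLs
# and the registry values that re-enable roaming home pages after the CVE-2017-11774 fix.

# Assumption: Outlook 2010 (14.0), 2013 (15.0) and 2016/2019/365 (16.0).
$versions = '14.0', '15.0', '16.0'

function Get-OutlookHomePageFindings {
    foreach ($v in $versions) {
        $hives = @(
            "HKCU:\Software\Microsoft\Office\$v\Outlook",
            "HKCU:\Software\Policies\Microsoft\Office\$v\Outlook"
        )
        foreach ($hive in $hives) {
            # Folder home pages live under ...\Outlook\WebView\<Folder>\URL (e.g. WebView\Inbox\URL).
            $webview = Join-Path $hive 'WebView'
            if (Test-Path $webview) {
                Get-ChildItem $webview | ForEach-Object {
                    $props = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
                    if ($props.URL) {
                        [pscustomobject]@{
                            Version = $v
                            Source  = $hive
                            Folder  = $_.PSChildName
                            URL     = $props.URL
                            Finding = 'Folder home page URL set'
                        }
                    }
                }
            }
            # Values that re-enable the behaviour the October 2017 patch turned off.
            $sec = Join-Path $hive 'Security'
            if (Test-Path $sec) {
                $props = Get-ItemProperty $sec -ErrorAction SilentlyContinue
                foreach ($name in 'EnableRoamingFolderHomepages', 'NonDefaultStoreScript') {
                    if ($props.$name -eq 1) {
                        [pscustomobject]@{
                            Version = $v
                            Source  = $sec
                            Folder  = '-'
                            URL     = '-'
                            Finding = "$name = 1 (re-enables pre-patch home page behaviour)"
                        }
                    }
                }
            }
        }
    }
}

# Usage: run in the context of the user whose profile you are checking.
Get-OutlookHomePageFindings | Format-Table -AutoSize
```

Any URL returned under WebView deserves scrutiny: a legitimately deployed folder home page is uncommon, and in a home page attack the value points at HTML the attacker controls. An opt-out value of 1 under Security means the client is exposed again even though the patch is installed, so check the patch level as well as these keys.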

While officials did not say who was behind the attacks, several clues hint at the possible involvement of the Iranian-linked group APT33 (aka Elfin), which is believed to conduct cyber-espionage operations on behalf of the Iranian government.

According to FireEye's December 2018 report, APT33 had been using CVE-2017-11774 together with Ruler, an open-source tool for testing Exchange and Outlook, to deliver malware. FireEye researchers believe the malware samples shared by USCYBERCOM are also related to APT33 activity, and Chronicle Security's Brandon Levene said that Cyber Command's samples appeared related to the disk-wiping Shamoon malware attributed to APT33.

Three of the five tools uploaded by USCYBERCOM are "likely used" to manipulate compromised web servers, while the other two are downloaders that use PowerShell to load the Pupy RAT, Levene explained. "If the observation of CVE-2017-11774 holds true, this sheds some light on how the Shamoon attackers were able to compromise their targets. It was highly speculated that spear phishes were involved, but not a lot of information around the initial vectors was published," he said.
