U.S. Cyber Command Warns of Active Exploitation of 2017 Outlook Vulnerability

A two-year-old vulnerability in Microsoft Outlook is being exploited by hackers in targeted attacks on U.S. government networks.

U.S. Cyber Command has issued a warning about CVE-2017-1174, which is being actively exploited to install remote access Trojans and other forms of malware. U.S. Cyber Command strongly recommends patching the vulnerability immediately to prevent exploitation.

The flaw is a sandbox escape vulnerability that can be exploited if the attacker has the user’s Outlook credentials, which could be obtained via a phishing attack or other means. The attacker could then change the user’s Outlook home page to a page with embedded code that downloads and executes malware when Outlook is opened.
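The following defensive check is an added example, not code from the article or from U.S. Cyber Command. It enumerates the per-user Outlook folder home page settings that the technique above abuses, assuming Outlook stores them under HKCU\Software\Microsoft\Office\<version>\Outlook\WebView\<Folder> with a URL value, and reports the EnableRoamingFolderHomepages security value that Microsoft’s fix for this flaw turns off.

```powershell
# Added example: report any Outlook folder home page URL configured for the current user.
# A populated URL value makes Outlook render that web page in the folder view, which is
# the mechanism the article describes. Registry locations are an assumption based on
# Outlook's documented per-user WebView settings (Office 2013 = 15.0, 2016/2019/365 = 16.0).
$versions = '15.0', '16.0'
$folders  = 'Inbox', 'Calendar', 'Contacts', 'Deleted Items', 'Drafts', 'Journal',
            'Junk E-mail', 'Notes', 'Outbox', 'Sent Items', 'Tasks'

$findings = foreach ($v in $versions) {
    foreach ($f in $folders) {
        $key = "HKCU:\Software\Microsoft\Office\$v\Outlook\WebView\$f"
        if (Test-Path $key) {
            $url = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).URL
            if ($url) {
                # Any value here deserves review; a legitimate deployment rarely sets one.
                [pscustomobject]@{ Version = $v; Folder = $f; URL = $url }
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else           { 'No Outlook folder home page URLs are set for this user.' }

# Roaming home pages let the setting travel with the mailbox, so a compromised account
# can push it to every machine the user signs in on. The patched default disables this;
# a value of 1 re-enables the behaviour and should be treated as a weak setting.
foreach ($v in $versions) {
    $sec = "HKCU:\Software\Microsoft\Office\$v\Outlook\Security"
    if (Test-Path $sec) {
        $roam = (Get-ItemProperty -Path $sec -ErrorAction SilentlyContinue).EnableRoamingFolderHomepages
        if ($null -eq $roam) { "Office $v: EnableRoamingFolderHomepages not set (patched default applies)" }
        else                 { "Office $v: EnableRoamingFolderHomepages = $roam" }
    }
}
```

Run it under the affected user’s context, since the values live in HKCU; patched Outlook ignores roaming home pages, so the first report (a local URL value) is the one that matters most.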

U.S. Cyber Command made no mention of the threat actors believed to be behind the attacks, although security researchers at Palo Alto Networks, FireEye, Chronicle, and others have linked the attacks to the Iran-backed cyberespionage group APT33.

APT33 has been exploiting this vulnerability for at least a year, but instead of using phishing, the group conducts brute force attacks using commonly used passwords. A typical attack will see multiple accounts targeted. Once the passwords for several accounts have been guessed, the Outlook vulnerability is exploited, and malware is downloaded onto multiple devices on the network.

While there have been attacks on U.S. entities in the past, the group has been most active in the Middle East. The rise in attacks on American targets is believed to be linked to the escalating tensions between the two countries.

The U.S. Cyber Command warning on Twitter comes just a few days after the Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Chris Krebs, issued a warning on Twitter about Iran-backed threat groups conducting attacks using wiper malware. That warning was issued following an increase in cyberattacks on U.S. businesses and government entities by threat actors with links to Iran.

Symantec also issued a warning about an increase in attacks by the threat group APT33 in March this year, in which an exploit for a vulnerability in WinRAR was being used.

APT33, also known as Shamoon, was discovered to have links to Iran by FireEye researchers in 2017. The group is believed to have conducted a range of cyberattacks throughout the Middle East. The largest ever cyberattack in the Middle East, on oil firm Saudi Aramco in 2012, involved wiper malware called Shamoon. While the malware shares the name with the threat group, APT33 has not been confirmed as being involved in the attacks, although it is suspected by many.

Brandon Levene, head of applied intelligence at Chronicle, analyzed malware samples released by U.S. Cyber Command and found several similarities between the latest attacks and Shamoon malware campaigns in 2016. The latter leveraged a vulnerability and executed a PowerShell script to download the Pupy remote access Trojan, and there are code similarities in the downloaders used in the latest attacks.

Levene also analyzed three malicious tools that were used in the recent attacks. The tools had different purposes but would have allowed the attackers to interact with a server they have compromised and conduct a range of different malicious activities. APT33 has used similar tools in attacks in the past to remotely execute code on compromised devices. FireEye’s Andrew Thompson also attributed the latest attacks to the threat group APT33.

With the U.S. stepping up its cyber offensive against Iran and as tensions continue to rise, retaliatory attacks on U.S. targets are likely to continue.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.