US Cyber Command Warns of Outlook Vulnerability ExploitsResearchers Say Attackers Could Have Ties to Iranian-Backed APT Group
The U.S. Cyber Command has issued a warning via Twitter that attackers are attempting to exploit an older vulnerability in Microsoft Outlook to plant remote access Trojans or other types of malware within government networks. It recommends immediate patching of the vulnerability.
This particular vulnerability in Outlook, referred to as CVE-2017-11774, was first discovered in 2017, and Microsoft issued a patch for it in October of that year. Since then, however, security researchers have warned that attackers are still taking advantage of this flaw and can execute arbitrary commands on infected systems to spread malware or cause other types of damage to unpatched Windows-based devices.
USCYBERCOM has discovered active malicious use of CVE-2017-11774 and recommends immediate #patching. Malware is currently delivered from: 'hxxps://customermgmt.net/page/macrocosm' #cybersecurity #infosec— USCYBERCOM Malware Alert (@CNMF_VirusAlert) July 2, 2019
While the warning from Cyber Command did not offer many details, some security researchers, including analysts with Chronicle - the cybersecurity arm of Alphabet - suspect that this latest attack is related to the activity of an advanced persistent threat group known as APT33, which also goes by the name Shamoon.
In research that FireEye published in 2017, analysts found that APT33 has possible ties to Iranian intelligence and has previously targeted aerospace and energy firms in the Middle East.
Over the last two weeks, the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Agency has warned about an increase in Iranian espionage and cyber activity, including increasing use of so-called "wiper" attacks that render computers unusable (see: DHS: Conflict With Iran Could Spur 'Wiper' Attacks).
One the largest wiper attacks ever recorded targeted the oil giant Saudi Aramco in 2012. In that case, the attackers used malware also called Shamoon, which has appeared in other attacks over the course of the last several years (see: Defending Against 'Wiper' Malware).
Shamoon and Other Links
Despite researchers investigating the connections between APT33 and the deployment of the Shamoon wiper malware over the years, an exact link between the two has never been established.
After the latest warning from the U.S. government, however, Brandon Levene, the head of applied intelligence at Chronicle, downloaded the samples published by Cyber Command and determined that some of the malicious code bears similarities to the Shamoon malware found by other researchers in 2017. This is also around the same time that researchers became aware of the CVE-2017-11774 vulnerability.
The code shared by Cyber Command are downloaders dating back to Shamoon campaigns from 2016. These downloaders use PowerShell to download and execute Pupy - an open-source, Python-based, multi-platform remote access Trojan (RAT), according to Levene. Previously, researchers should that Shamoon clustered this malware into a threat group called MagicHound. This activity predates usage of CVE-2017-11774 but offer linkages to APT33."
In addition, the malicious code published by Cyber Command this week shows that the attack exploiting CVE-2017-11774 uploads three malicious tools that are likely used for the manipulation of an exploited web server, according to Levene. Each tool has a slightly different purpose, but there is a capability for the attacker to interact with servers they may have compromised, which can then allow for the spreading of malware and other malicious activity, Levene says.
"APT33 used a tool called Ruler from Senspost, which features a mechanism for abusing CVE-2017-11774, which is a sandbox escape vulnerability," Levene tells Information Security Media Group. "When used in conjunction with other tools and techniques this type of vulnerability allows for arbitrary code execution."
Levene and his team believe that there are ties between APT33 and the other Iranian-backed group called MagicHound, which uses similar techniques, including the Pupy RAT.
"Assuming the timing is not coincidental, this would indicate a more concrete linkage between what was previously classified as a separate Iranian nexus of state actors in MagicHound, which is the label for this threat group from Palo Alto Networks Researchers, and what is classified as APT33," Levene tells Information Security Media Group.
The latest warnings come at a time when several other security firms have taken notice of an increasing amount of APT33 activity.
In March, for instance, Symantec researchers published their own analysis, noting that APT33 had started targeting more businesses and organizations in the Middle East and elsewhere, including the U.S.
Symantec noted the group attempted to take advantage of a vulnerability in WinRAR – a widely used file archiving and compression utility capable of creating self-extracting archive files. Symantec also noted the similarities between Shamoon attacks and APT33 attacks, but stressed that researchers could not specifically tie the group to the wiper attacks.
In the last month, the New York Times and other publications have reported that the U.S. Cyber Command, which issued the warning this week, has stepped up its offensive cyber capabilities against Iran’s intelligence agencies as tensions between the two countries increase.