Iranian Hackers Exploiting Outlook Vulnerability, Warns US Cyber Command

Iranian Hackers Re-Exploiting an Almost Two-Year-Old Microsoft Vulnerability

US Cyber Command took to Twitter to sound the alarm about a sudden increase in the use of a two-year-old Microsoft vulnerability by probable APT33 hackers.  The vulnerability was identified in 2017 as CVE-2017-11774, aka the “Microsoft Outlook Security Feature Bypass Vulnerability.”  This vulnerability was patched by Microsoft security updates as of October of 2017.  CVE-2017-11774 allows malware to bypass security in Microsoft Outlook and obtain users' Outlook emails, monitor the network the targeted system is connected to, or infect the Microsoft operating system of a targeted system.  The malware samples in question apparently match samples similar to the Shamoon malware, which dates as far back as 2012.  Shamoon is particularly destructive, as it is commonly known to wipe data on a targeted system.

Targeting Critical Infrastructure

APT33 has a history of targeting the engineering, chemical, research, energy consultancy, finance, IT, and healthcare sectors.  Many of these sectors are vulnerable due to poor software patching practices or an inability to patch software due to patch incompatibilities with industry-specific software.  Furthermore, organizations may have overlooked patching of Microsoft Outlook.  Default patching settings may not include Microsoft Outlook among the software that gets automatically patched.

Assessment of Threat

APT33 is purported to be a part of or associated with the military or government of Iran.  As tensions in the Persian Gulf escalate, increased APT33 threat activity is expected.  Reuse of old vulnerabilities and exploits follows a tactic of attacking targets of opportunity that have not patched CVE-2017-11774 as part of a retaliation to cyber attacks by the US or allies.  Successful reuse allows threat actors to gain quick wins while not exposing newer or more sophisticated attack tactics.

Although APT33 has a history of attacking the engineering, chemical, research, energy consultancy, finance, IT, and healthcare sectors, there is high confidence that APT33 is looking for any target of opportunity with this attack as part of an Iranian response to perceived or actual hostilities.


Organizations using Microsoft Outlook should run a vulnerability assessment to detect the CVE-2017-11774 vulnerability against all systems that have Microsoft Outlook installed.  Protocol 46 Cybersecurity as a Service (CaaS) and the Protocol 46 Looking Glass Assessment are both capable of identifying whether this vulnerability is present in an organization’s network.  If the CVE-2017-11774 vulnerability is detected, the preferred solution is to conduct emergency patching procedures.  Due to the nature of this vulnerability, there are limited mitigation steps that can be taken other than patching Microsoft Outlook.

Post by Remote Process