FireEye ties Microsoft Outlook exploit to Iranian hackers

Iranian hacking groups APT33 and APT34 have been exploiting a Microsoft Outlook vulnerability that US Cyber Command is warning about, according to security firm FireEye, but cautioned that patching alone is not enough.

The US Cyber Command alert was posted on Twitter about CVE-2017-11774, a vulnerability in Outlook that if exploited could allow an attacker to bypass security features and execute arbitrary commands on targeted computers running Windows.

FireEye said its researchers have observed and publicly shared evidence of multiple Iranian hackers using the exploit for the past year.

FireEye attributes the indicators in US Cybercom’s CVE-2017-11774 warning to APT33, the threat group linked to the Shamoon wiper malware that has been used in attacks aimed at disrupting operations in the energy sector.

“The techniques used are consistent with APT33’s behaviour from our public ‘overruled’ blog post from December 2018 – as well as APT33’s current campaign identified in June involving increased targeting of many US-based institutions,” FireEye said.

According to the security firm, adversary exploitation of CVE-2017-11774 continues to cause confusion for many security professionals. If Outlook launches something malicious, FireEye said a common assumption is that the affected user has been phished, but that is not what is occurring.

As a result, the organisation may waste valuable time without focus on the root cause. Before being able to exploit this vector, FireEye notes that an adversary needs valid user credentials. For APT33, these are often obtained through password spraying.

Although CVE-2017-11774 was patched in October 2017, FireEye said APT33 and APT34 have used this technique with success for at least a year due to organisations’ lack of proper multifactor email access controls and patching email applications for CVE-2017-11774.

The patch removes the legacy ‘home page’ feature of Outlook that was vulnerable to attack, according to independent security consultant Graham Cluley.

“Outlook’s ‘home page’ feature was little used, and most organisations are probably unaware of its existence, meaning they are unlikely to be disadvantaged by applying the patch and only benefit from the increase in security,” he said in a blog post.

The fact that hacking groups are still able to exploit a vulnerability more than a year and a half after it was patched, indicates that many organisations are not patching their key business software, which indicates the magnitude of the threat considering the install base of Microsoft Outlook.

Cluley also points out that patching alone is not enough, and recommends ensuring that layered defences are in place, password best practices are being followed, and multifactor authentication is enabled.

The US Cyber Command alert comes less than two weeks after the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) warned of a recent increase in Iranian cyber attacks from “regime actors and proxies” against both US government agencies and enterprises.

“Iranian regime actors and proxies are increasingly using destructive ‘wiper’ attacks, looking to do much more than just steal data and money. These efforts are often enabled through common tactics like spear phishing, password spraying and credential stuffing,” CISA director Christopher Krebs said in a statement.

“What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network.”