US Cyber Command Warns of Iranian Cyber Attack on MS Outlook

Iranian Hackers Target Government Agencies Through MS Outlook

United States Cyber Command (USCYBERCOM) issued a warning via Twitter that an Advanced Persistent Threat (APT) group is targeting US government agencies through a known Microsoft Outlook vulnerability. Previous attacks exploiting the vulnerability, CVE-2017-11774, have been attributed to the Iranian hacking group APT33. Every machine running MS Outlook should be patched immediately if it has not been already.

Microsoft Outlook’s CVE-2017-11774 vulnerability lets an attacker bypass Outlook’s security features and run code on the victim’s machine. The flaw lies in Outlook’s folder home page feature: an attacker who can set a mailbox folder’s home page to a URL under their control gets Outlook to render that page, and script in it executes with the user’s privileges, outside the protections Outlook applies to attachments and macros. This attack vector was used by the state-sponsored hacking group APT33, also known as Elfin, Magnallium or Refined Kitten, an advanced persistent threat group that has been linked to the infamous Shamoon wiper. The vulnerability was first disclosed in 2017 and was being exploited by APT33 by the end of 2018. The attackers host the payload on a web server they control or have compromised and use the CVE-2017-11774 exploit to have Outlook fetch and run it on the victim’s machine.


The vulnerability is not a new one, and this is not a zero-day. Microsoft published a patch for the flaw on October 10, 2017.

CVE-2017-11774 Microsoft Outlook Security Feature Bypass Vulnerability
Published: 10/10/2017
MITRE CVE-2017-11774

“A security feature bypass vulnerability exists when Microsoft Outlook improperly handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary commands.
In a file-sharing attack scenario, an attacker could provide a specially crafted document file designed to exploit the vulnerability, and then convince users to open the document file and interact with the document.

The security update addresses the vulnerability by correcting how Microsoft Outlook handles objects in memory.”

The problem affects Microsoft Outlook, a popular mail client for business and personal users. On an unpatched machine, an attacker can exploit the vulnerability to execute commands on the victim’s machine, including downloading and executing malware.

This is not a new security flaw; Microsoft fixed it in October 2017. Unpatched software, however, lets attackers reuse tried and true methods against fresh victims, and this time the targets are US government agencies. Immediate patching is recommended: to mitigate this attack and secure networks and computers, every machine with Microsoft Outlook should be updated to the latest version. Two caveats for administrators. First, the October 2017 update mitigates the flaw by removing the folder home page option from Outlook’s user interface rather than removing the feature itself, and the feature can be turned back on through the registry (the EnableRoamingFolderHomepages value under HKCU\Software\Microsoft\Office\<version>\Outlook\Security, or a URL value under HKCU\Software\Microsoft\Office\<version>\Outlook\WebView\<folder>). An attacker with code execution on the host, or with the user’s mailbox credentials and a MAPI client that can set the folder property, can re-enable it, so confirm those values are absent or locked down by policy. Second, an unexpected home page URL on any mailbox folder should be treated as an indicator of compromise, not just a misconfiguration.

The Tweet read, “USCYBERCOM has discovered active malicious use of CVE-2017-11774 and recommends immediate #patching. Malware is currently delivered from: ‘hxxps://customermgmt.net/page/macrocosm’ #cybersecurity #infosec”

— USCYBERCOM Malware Alert (@CNMF_VirusAlert) July 2, 2019

It is common to replace the “tt” in “http” or “https” with “xx” (“hxxps”) when publishing an indicator, so that no one inadvertently clicks the link and is taken to the malicious server. The same convention is often applied to dots in a domain name, written as “[.]”.
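As an added example (not code from the article or from USCYBERCOM), the following Python converts a defanged indicator such as the one in the tweet back into a searchable URL, defangs URLs for safe sharing, and sweeps a set of proxy log lines for any client that contacted the indicator’s host. The log lines and the client addresses in them are constructed for the example and are not real telemetry; the log format (timestamp, client IP, method, URL, status) is an assumption, since the article does not describe any log source.

```python
import re
from urllib.parse import urlsplit

# The indicator exactly as USCYBERCOM published it, defanged.
DEFANGED_IOC = "hxxps://customermgmt.net/page/macrocosm"

# Constructed sample proxy log lines (timestamp, client, method, URL, status).
# Assumed format for illustration only; not real traffic.
SAMPLE_PROXY_LOG = [
    "2019-07-02T14:03:11Z 10.20.31.7 GET https://www.example.com/index.html 200",
    "2019-07-02T14:03:19Z 10.20.31.7 GET https://customermgmt.net/page/macrocosm 200",
    "2019-07-02T14:04:02Z 10.20.31.9 GET https://customermgmt.net/page/macrocosm?x=1 200",
    "2019-07-02T14:05:44Z 10.20.31.12 GET https://cdn.example.org/a.js 304",
    "2019-07-02T14:06:01Z 10.20.31.9 GET http://CustomerMgmt.NET/page/other 404",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('hxxps', '[.]', '[:]') back into a real URL."""
    s = indicator.strip()
    # hxxp / hxxps -> http / https (case-insensitive on the scheme)
    s = re.sub(r"^hxxps?", lambda m: m.group(0).lower().replace("xx", "tt"), s, flags=re.I)
    for defanged, real in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[://]", "://")):
        s = s.replace(defanged, real)
    return s


def defang(url: str) -> str:
    """Make a URL safe to paste into a report: https -> hxxps, '.' -> '[.]'."""
    s = re.sub(r"^https?", lambda m: m.group(0).lower().replace("tt", "xx"), url, flags=re.I)
    scheme, _, rest = s.partition("://")
    return scheme + "://" + rest.replace(".", "[.]")


def ioc_host(indicator: str) -> str:
    """Host name of a (possibly defanged) indicator, lower-cased for matching."""
    host = urlsplit(refang(indicator)).hostname
    if not host:
        raise ValueError(f"indicator has no host: {indicator!r}")
    return host.lower()


def find_hits(log_lines, indicators):
    """Return every log line whose requested host matches one of the indicators.

    Matching is on host name only, so variations in path, query string and
    letter case (the last sample line) are still caught.
    """
    hosts = {ioc_host(i) for i in indicators}
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the sweep
        _timestamp, client, _method, url = parts[:4]
        host = urlsplit(url).hostname  # urlsplit lower-cases the host for us
        if host and host in hosts:
            hits.append({"line": lineno, "client": client, "url": url})
    return hits


def unique_clients(hits):
    """Sorted list of distinct client addresses that touched an indicator."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    print("searching for:", refang(DEFANGED_IOC))
    for hit in find_hits(SAMPLE_PROXY_LOG, [DEFANGED_IOC]):
        print(f"line {hit['line']}: {hit['client']} -> {defang(hit['url'])}")
    print("clients to triage:", unique_clients(find_hits(SAMPLE_PROXY_LOG, [DEFANGED_IOC])))
```

Matching on the host rather than the full URL is deliberate: a second-stage URL on the same server, or a case variation, would slip past an exact string match on the published path. On the sample data the sweep flags three requests from two clients, which is the list a responder would hand to the host-isolation step.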

In 2017, the United Kingdom’s National Health Service (NHS) was disrupted when unpatched Windows computers across the NHS network were infected with WannaCry ransomware. WannaCry also spread to Russia, Taiwan and much of Europe. It did not spread to machines that had installed the security update (MS17-010) fixing the SMB vulnerability WannaCry exploits.


What is U.S. Cyber Command (USCYBERCOM)?

United States Cyber Command (USCYBERCOM) is located at Fort Meade, Maryland and is one of ten unified combatant commands of the United States Department of Defense. USCYBERCOM was established in 2009 to direct US military cyberspace operations and concentrate its cyber expertise. One of its charges is to identify threats to US government computers and networks and defend them against hackers and Advanced Persistent Threat groups like APT33. The command does not issue warnings about financially motivated criminals; it focuses on state-sponsored hacking groups.

Last week USCYBERCOM and Iran exchanged cyber attacks. The United States was responding to APT33’s use of wiper malware against US assets and was also retaliating for Iran’s June 2019 downing of an expensive US military surveillance drone. Now Iran is targeting US government agencies, looking for vulnerable networks and devices.

Who is APT33?

APT33 is a state-sponsored Advanced Persistent Threat group associated with Iran. The group, also referred to as Elfin, Magnallium or Refined Kitten, has been active since at least 2013. Like many APT groups, APT33 targets specific industries; in its case, the aviation industry and petrochemical production companies. Most of its targets have been in the Middle East, particularly Saudi Arabia; others have been in the United States, South Korea and Europe.

USCYBERCOM has not attributed this increase in attacks to APT33. Symantec and the US Department of Homeland Security have both issued similar warnings in recent months about increased APT33 activity. State-sponsored hacking groups carry several names because each security vendor tracks and names the clusters of activity it observes independently: APT33 is FireEye’s name, Elfin is Symantec’s, Refined Kitten is CrowdStrike’s and Magnallium is Dragos’s, and they overlap rather than match exactly. The advanced persistent threat group widely attributed to the United States is referred to as the Equation Group.