The U.S. Cyber Command (USCYBERCOM) on Tuesday issued an alert warning that it had observed attacks exploiting a Microsoft Outlook vulnerability tracked as CVE-2017-11774 in order to deliver malware.
USCYBERCOM says the attackers delivered malware via the customermgmt.net domain. The U.S. Cyber Command has shared several malware samples associated with the attacks and urged users to ensure they have patched CVE-2017-11774.
Patched by Microsoft in October 2017, the vulnerability is classified as a security feature bypass that can allow an attacker to execute arbitrary commands on targeted systems. The flaw was discovered by researchers at SensePost, who incorporated an exploit for it into the company's open source Exchange testing tool, Ruler.
In December 2018, FireEye reported that the Iran-linked cyberespionage group tracked as APT33 had been using CVE-2017-11774 and the Ruler tool to deliver malware. FireEye believes the attacks referenced by USCYBERCOM were also carried out by APT33.
FireEye’s Nick Carr said on Tuesday that much of the information shared back in December still applies to the threat actor’s current campaign, which started in mid-June.
“Adversary exploitation of CVE-2017-11774 continues to cause confusion for many security professionals. If Outlook launches something malicious, a common assumption is that the impacted user has been phished – which is not what is occurring here. The organization may waste valuable time without focus on the root cause. Before being able to exploit this vector, an adversary needs valid user credentials. For APT33, these are often obtained through password spraying,” FireEye told SecurityWeek.
“For at least a year, APT33 and APT34 have used this technique with success due to organizations’ lack of proper multi-factor e-mail access controls and patching e-mail applications for CVE-2017-11774,” the company added.
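As an added illustration (not code from the article, FireEye, USCYBERCOM or the Ruler project): the reason Outlook "launches something" without any phishing is that CVE-2017-11774 concerns the folder "home page" feature, and a client such as Ruler's homepage module, authenticated with the stolen credentials, writes the attacker's URL into the PidTagFolderWebViewInfo property of a folder like the Inbox. The Python below builds and parses that property value and flags home pages that point outside an allowlist, which is the check a responder would run over folder properties pulled via MAPI or EWS before concluding the user was phished. The field layout is my reading of the WebViewPersistenceObject structure in Microsoft's [MS-OXOSFLD] specification and should be treated as an assumption; the folder names, URLs and allowlist are constructed sample data, and retrieving the property from Exchange is left to the reader.

```python
"""Build and parse the Outlook folder home page blob abused via CVE-2017-11774.

Added example; not code from the article, FireEye, or the Ruler project.
Layout assumed from Microsoft's [MS-OXOSFLD] WebViewPersistenceObject:
  dwVersion (4) | dwType (4) | dwFlags (4) | dwUnused (28) | cbData (4) | wzFbURL
"""
import struct
from dataclasses import dataclass
from urllib.parse import urlparse

WEBVIEW_VERSION = 0x00000002               # only defined version
WEBVIEW_TYPE_URL = 0x00000001              # home page given as a URL
WEBVIEW_FLAG_SHOW_BY_DEFAULT = 0x00000001  # page replaces the folder view

# 3 DWORDs + 7 unused DWORDs + cbData, little-endian: 44-byte fixed header.
_HEADER = struct.Struct("<III7II")


@dataclass
class WebViewInfo:
    url: str
    flags: int


def build_webview_blob(url: str, flags: int = WEBVIEW_FLAG_SHOW_BY_DEFAULT) -> bytes:
    """Encode a home page URL the way a MAPI client (or Ruler) would store it."""
    payload = url.encode("utf-16-le") + b"\x00\x00"  # null-terminated UTF-16LE
    header = _HEADER.pack(WEBVIEW_VERSION, WEBVIEW_TYPE_URL, flags, *([0] * 7), len(payload))
    return header + payload


def parse_webview_blob(blob: bytes) -> WebViewInfo:
    """Decode a PidTagFolderWebViewInfo value, rejecting malformed headers."""
    if len(blob) < _HEADER.size:
        raise ValueError("blob shorter than the 44-byte header")
    fields = _HEADER.unpack_from(blob)
    version, wtype, flags, cb_data = fields[0], fields[1], fields[2], fields[-1]
    if version != WEBVIEW_VERSION or wtype != WEBVIEW_TYPE_URL:
        raise ValueError(f"unsupported version/type {version:#x}/{wtype:#x}")
    payload = blob[_HEADER.size:_HEADER.size + cb_data]
    if len(payload) != cb_data or cb_data % 2:
        raise ValueError("cbData does not match the blob")
    url = payload.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return WebViewInfo(url=url, flags=flags)


def classify_home_page(info: WebViewInfo, allowed_hosts: frozenset) -> tuple:
    """Return ("ok", why) or ("suspicious", why) for a parsed home page."""
    parsed = urlparse(info.url)
    scheme, host = parsed.scheme.lower(), (parsed.hostname or "").lower()
    if scheme not in ("http", "https"):
        return "suspicious", f"non-web scheme {scheme!r}"  # file://, UNC paths, empty
    if host not in allowed_hosts:
        return "suspicious", f"home page host {host!r} not in allowlist"
    return "ok", f"home page on approved host {host!r}"


def scan_folders(folder_props: dict, allowed_hosts: frozenset) -> dict:
    """Map folder name -> verdict for every folder that has a home page set.

    folder_props holds the raw PidTagFolderWebViewInfo bytes per folder
    (None or b"" when the property is absent), as pulled via MAPI/EWS.
    """
    findings = {}
    for name, blob in folder_props.items():
        if not blob:
            continue  # no home page configured on this folder
        try:
            info = parse_webview_blob(blob)
        except ValueError as exc:
            findings[name] = ("suspicious", f"malformed WebViewInfo: {exc}")
            continue
        findings[name] = classify_home_page(info, allowed_hosts)
    return findings


# Constructed sample data (hypothetical hosts): one folder set to an
# attacker-controlled page the way Ruler's homepage module would, one
# legitimate intranet page, one folder with no home page at all.
ALLOWED_HOSTS = frozenset({"intranet.corp.example"})
SAMPLE_FOLDERS = {
    "Inbox": build_webview_blob("http://attacker.example/outlook/home.html"),
    "Calendar": build_webview_blob("https://intranet.corp.example/calendar"),
    "Sent Items": b"",
}

if __name__ == "__main__":
    for folder, (verdict, why) in scan_folders(SAMPLE_FOLDERS, ALLOWED_HOSTS).items():
        print(f"{folder:<10} {verdict:<10} {why}")
```

A malformed or truncated blob is reported as suspicious rather than skipped, since a responder would rather look at a property that should not be there at all than silently drop it.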
Bryan Lee, a researcher at Palo Alto Networks, has also linked the samples to APT33 and to the use of the Ruler tool.
Brandon Levene, head of applied intelligence at Chronicle, has tied the malware samples shared by USCYBERCOM to Magic Hound, a campaign that was also previously linked to Iran.
“The executables uploaded by CyberCom appear to be related to Shamoon2 activity, which took place around January of 2017. These executables are both downloaders that utilize PowerShell to load the PUPY RAT,” Levene told SecurityWeek via email. “Additionally, CyberCom uploaded three tools likely used for the manipulation of exploited web servers. Each tool has a slightly different purpose, but there is a clear capability on the part of the attacker to interact with servers they may have compromised.”
“If the observation of CVE-2017-11774 holds true, this sheds some light on how the Shamoon attackers were able to compromise their targets. It was highly speculated that spear phishes were involved, but not a lot of information around the initial vectors was published,” Levene added.