Connect with us

Hi, what are you looking for?



U.S. Cyber Command Warns of Outlook Flaw Exploited by Iranian Hackers

The U.S. Cyber Command (USCYBERCOM) on Tuesday warned that it had spotted attacks exploiting a Microsoft Outlook vulnerability tracked as CVE-2017-11774 in an effort to deliver malware.

The U.S. Cyber Command (USCYBERCOM) on Tuesday warned that it had spotted attacks exploiting a Microsoft Outlook vulnerability tracked as CVE-2017-11774 in an effort to deliver malware.

According to USCYBERCOM, which started sharing malware samples via the VirusTotal intelligence service in November 2018, the attackers delivered malware using the domain. USCYBERCOM has shared several malware samples related to the attack and advised users to ensure that they have patched CVE-2017-11774.

USCYBERCOM warns of attacks exploiting CVE-2017-11774

The vulnerability, which Microsoft fixed in October 2017, has been described as a security feature bypass that can allow an attacker to execute arbitrary commands on targeted systems. The flaw was discovered by researchers at SensePost, which integrated the exploit into its open source testing tool Ruler.

FireEye reported in December 2018 that the Iran-linked cyberspy group tracked as APT33 had been using CVE-2017-11774 and the Ruler tool to deliver malware. FireEye believes the attacks referenced by USCYBERCOM were also launched by APT33.

FireEye’s Nick Carr said on Tuesday that much of the information shared back in December still applies to the threat actor’s current campaign, which started in mid-June.

“Adversary exploitation of CVE-2017-11774 continues to cause confusion for many security professionals. If Outlook launches something malicious, a common assumption is that the impacted user has been phished – which is not what is occurring here. The organization may waste valuable time without focus on the root cause. Before being able to exploit this vector, an adversary needs valid user credentials. For APT33, these are often obtained through password spraying,” FireEye told SecurityWeek.  

“For at least a year, APT33 and APT34 have used this technique with success due to organizations’ lack of proper multi-factor e-mail access controls and patching e-mail applications for CVE-2017-11774,” the company added.

Advertisement. Scroll to continue reading.

Palo Alto Networks researcher Bryan Lee has also linked the samples to APT33 and the use of the Ruler tool.

Brandon Levene, Head of Applied Intelligence at Chronicle, has tied the malware samples shared by USCYBERCOM to Magic Hound, a campaign that was also previously linked to Iran.

Both the hackers behind Magic Hound and APT33 have been linked to attacks involving the notorious disk-wiping malware Shamoon, aka Disttrack.

“The executables uploaded by CyberCom appear to be related to Shamoon2 activity, which took place around January of 2017. These executables are both downloaders that utilize powershell to load the PUPY RAT,” Levene told SecurityWeek via email. “Additionally, CyberCom uploaded three tools likely used for the manipulation and of exploited web servers. Each tool has a slightly different purpose, but there is a clear capability on the part of the attacker to interact with servers they may have compromised.”

“If the observation of CVE-2017-11774 holds true, this sheds some light on how the Shamoon attackers were able to compromise their targets. It was highly speculated that spear phishes were involved, but not a lot of information around the initial vectors was published,” Levene added.

APT33, also known as Elfin, was recently spotted updating its infrastructure after Symantec revealed in March that the group had continued launching attacks on organizations in Saudi Arabia and the United States.

APT33 has been active since at least 2015 and it has targeted organizations in the government, research, chemical, engineering, consulting, finance, manufacturing and telecoms sectors.

*updated with comments from FireEye

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...