US Cyber Command issued an alert through Twitter yesterday that threat actors were exploiting Outlook in order to plant malware programs on to government networks.
USCYBERCOM has discovered active malicious use of CVE-2017-11774 and recommends immediate #patching. Malware is currently delivered from: 'hxxps://customermgmt.net/page/macrocosm' #cybersecurity #infosec
— USCYBERCOM Malware Alert (@CNMF_VirusAlert) July 2, 2019
The vulnerability in question is CVE-2017-11774, a bug that Microsoft patched in its October 2017 Patch Tuesday release.
The bug essentially allows attackers to escape the Outlook sandbox, reach the underlying operating system and run malicious code on it.
Outlook Bug was Previously Employed by Iranian Hackers
The bug was initially reported by researchers from SensePost in 2017 and was later weaponized by the Iranian state-sponsored hacking group APT33 (also known as Elfin) in 2018. The group gained infamy for developing the Shamoon malware, which wiped entire hard drives. In December 2018, the hackers used backdoors on web servers to push CVE-2017-11774 exploits into people's inboxes, allowing them to infect their systems with malware.
The attacks using the CVE-2017-11774 vulnerability emerged at the same time as reports that the Shamoon malware had resurfaced, but there was never any connection found between APT33 and the Shamoon deployments.
With that said, Chronicle Security researcher Brandon Levene contacted ZDNet via email, suggesting that the malware samples US Cyber Command uploaded appeared to be related to the Shamoon activity of 2017.
Cyber Command uploaded five malware samples, three of which were used for manipulating exploited web servers. The other two were downloaders that used PowerShell to load PUPY RAT, likely on already infected systems.
Increased Iranian Hacking Activity
The US Cyber Command Twitter account isn't known for sending out alerts about financially motivated hacking groups targeting the United States; it focuses on nation-state adversaries. Overall, the malware samples shared through the account today could link the recent attacks to older malware samples developed by APT33, likely as part of an attack on US entities.
While US Cyber Command hasn’t openly named APT33 themselves, Symantec did publish a warning about an increase in activity from APT33 in recent months.
On top of that, just two weeks ago, CISA, the cyber-security agency of the Department of Homeland Security, issued a warning of its own about increased activity from threat actors in Iran, particularly over the use of disk-wiping malware like Shamoon.
Outside of analyzing malware attacks on US government networks, US Cyber Command is also responsible for offensive cyber operations. The Department of Defense agency recently launched a cyber attack against Iranian rocket and missile systems in response to the Iranian military downing a surveillance drone. With Iranian hackers targeting government systems and the US responding in kind, the two countries are effectively locked in a silent, unofficial cyberwar.
This is also the first time that US Cyber Command has published non-Russian malware on its Twitter account. It began publishing malware samples through VirusTotal and issuing alerts on Twitter last fall, considering this a faster way to spread security alerts about cyber attacks and warn the US private sector.