Security

This article is more than 1 year old

US Cyber Command warns that the Outlook is not so good - Iranians hitting email flaw

Government-backed campaign going after bug that was patched in 2017

Wed 3 Jul 2019 // 23:51 UTC

An ongoing Iranian government-backed hacking campaign is now trying to exploit a Microsoft Outlook flaw from 2017.

The US Cyber Command has issued an alert that hackers have been actively going after CVE-2017-11774. The flaw is a sandbox escape bug in Outlook that allows an attacker who already possesses the victim's Outlook credentials to change the user's home page. That page, in turn, can have embedded code that downloads and executes malware when Outlook is opened.

USCYBERCOM has discovered active malicious use of CVE-2017-11774 and recommends immediate #patching. Malware is currently delivered from: 'hxxps://customermgmt.net/page/macrocosm' #cybersecurity #infosec
— USCYBERCOM Malware Alert (@CNMF_VirusAlert) July 2, 2019

The timing of this alert raised eyebrows in the security community, as exploitation of CVE-2017-11774 is a favorite technique of APT-33, the Iranian backed hacking group that has re-emerged with a vengeance amidst rising tensions between Washington and Tehran.

"For at least a year, APT33 and APT34 have used this technique with success due to organizations' lack of proper multi-factor e-mail access controls and patching e-mail applications for CVE-2017-11774," the FireEye Advanced Practices Team said in a statement to El Reg.

The attribution of APT33 is particularly important here as the group has a particular way of exploiting the flaw – the attackers will select their target organization and attempt to brute-force as many email accounts as possible with commonly-guessed passwords, then plug those credentials into the CVE-2017-11774 exploit script.

"If Outlook launches something malicious, a common assumption is that the impacted user has been phished – which is not what is occurring here," the FireEye team explains.

"The organization may waste valuable time without focus on the root cause."

Fortunately, the bug was patched by Microsoft in October of 2017, so fixing this vulnerability should be easy enough, provided you can access and run updates on all of your exposed PCs. ®

Topics

Special Features

Vendor Voice

Resources

Security

US Cyber Command warns that the Outlook is not so good - Iranians hitting email flaw

Government-backed campaign going after bug that was patched in 2017

More about

More about

Narrower topics

Broader topics

More about

More about

More about

Narrower topics

Broader topics

TIP US OFF

Other stories you might like

Researchers claim Windows Defender can be fooled into deleting databases

October 2025 will be a support massacre for a bunch of Microsoft products

Microsoft is a national security threat, says ex-White House cyber policy director

Industrial systems integrating digitalisation

Open source versus Microsoft: The new rebellion begins

Microsoft breach allowed Russian spies to steal emails from US government

Microsoft shrinks AI down to pocket size with Phi-3 Mini

Microsoft claims it didn't mean to inject Copilot into Windows Server 2022 this week

Microsoft to tackle spam by restricting Exchange Online bulk email

AI gold rush continues as Microsoft invests $1.5B in UAE's G42

Microsoft to use Windows 11 Start menu as a billboard with app ads for Insiders

Old Windows print spooler bug is latest target of Russia's Fancy Bear gang

About Us

Our Websites

Your Privacy