A threat group has been exploiting an Outlook vulnerability to attack government agencies, according to a warning issued by the U.S. Cyber Command on July 2.
Microsoft reportedly issued a patch for the vulnerability, CVE-2017-11774, in October 2017 after a proof of concept (PoC) was publicly disclosed. Malicious actors have been exploiting the vulnerability ever since. In December 2018, researchers at FireEye issued a report on Iranian attackers believed to be associated with APT33 who were exploiting the vulnerability.
“In mid-July of 2018, Managed Defense identified similar targeted threat activity focused against the same industry. The actor leveraged stolen credentials and RULER’s module that exploits CVE-2017-11774 (RULER.HOMEPAGE), modifying numerous users’ Outlook client homepages for code execution and persistence. These methods are further explored in this post in the 'RULER In-The-Wild' section,” the report said.
“Of note, Advanced Practices separately established that APT33 began using POSHC2 as of at least July 2, 2018, and continued to use it throughout the duration of 2018.”
Based on the recently uploaded samples, researchers once again suspect that the targeted attacks are the work of APT33 and Shamoon 2, according to Brandon Levene, head of applied intelligence at Chronicle.
“The executables uploaded by CyberCom appear to be related to Shamoon 2 activity, which took place around January of 2017. These executables are both downloaders that utilize powershell to load the PUPY RAT. Additionally, CyberCom uploaded three tools likely used for the manipulation of exploited web servers,” said Levene.
“Each tool has a slightly different purpose, but there is a clear capability on the part of the attacker to interact with servers they may have compromised. If the observation of CVE-2017-11774 holds true, this sheds some light on how the Shamoon attackers were able to compromise their targets. It was highly speculated that spear phishes were involved, but not a lot of information around the initial vectors was published."