Olivier Le Moal - stock.adobe.co

U.S. Cybercom warns Outlook vulnerability under attack

U.S. Cybercom issued an alert about active exploitation of a 2-year-old Microsoft Outlook flaw, and experts say an Iranian threat group is behind the attacks.

U.S. Cyber Command issued an alert urging users to patch a 2-year-old Outlook vulnerability due to active attacks in the wild. But security researchers said U.S. Cybercom is a little late to the game. 

The official U.S. Cybercom Twitter account for malware alerts wrote on Tuesday afternoon that Cybercom "has discovered active malicious use of CVE-2017-11774 and recommends immediate patching." This is the first time the U.S. Cybercom Twitter account was used to warn of active attacks. Previously, the account only tweeted when Cybercom added malware to VirusTotal.

That Outlook vulnerability was patched by Microsoft in October 2017, and it was described at the time as a security feature bypass vulnerability affecting Outlook 2010, 2013 and 2016. Since the flaw was patched, both FireEye Mandiant and Chronicle security researchers connected attacks using that vulnerability to the malware actors behind the Shamoon wiper malware. Shamoon had been used in attacks aimed at disrupting operations in the energy sector.

Nick Carr, senior manager of the advanced practices team at FireEye, based in Milpitas, Calif., noted on Twitter that FireEye had reported attacks using this Outlook vulnerability in December, and "the malware families, Yara rules, [and] hunting methods shared still apply to this attacker's current campaign (mid-June to present)."

FireEye and Chronicle researchers said attacks on this vulnerability were linked to APT33, a threat group believed to be based in Iran, and specifically related to attacks using the Shamoon wiper malware. Researchers originally speculated that APT33 used spear phishing attacks on targets in the engineering industry.

Brandon Levene, head of applied intelligence at Chronicle, based in Mountain View, Calif., said this U.S. Cybercom alert could shed "some light on how the Shamoon attackers were able to compromise their targets."

Although U.S. Cybercom did not mention Iran or the Shamoon wiper malware as part of this alert on Outlook attacks, Christopher Krebs, director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency,  issued a warning on June 22, saying, "Iranian regime actors and proxies are increasingly using destructive 'wiper' attacks, looking to do much more than just steal data and money."

Next Steps

Akamai discloses zero-click exploit for Microsoft Outlook

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing