US Cyber Command has issued an alert via Twitter today about threat actors abusing an Outlook vulnerability to plant malware on government networks.
The vulnerability is CVE-2017-11774, a security bug that Microsoft patched in Outlook in the October 2017 Patch Tuesday.
The Outlook bug, discovered and detailed by security researchers from SensePost, is classed by Microsoft as a security feature bypass: it allows a threat actor to break out of the restrictions Outlook normally places on mailbox content and run malicious code on the underlying operating system.
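A defender reading this will want a quick way to check endpoints. The script below is an added example, not code from the article, SensePost or US Cyber Command. It audits the current user's Outlook registry hive for folder Home Page URLs (the Outlook feature this bug abuses) and for the keys Microsoft documented for re-enabling that feature after the October 2017 patch. The registry paths and value names (`WebView\<Folder>\URL`, `Security\EnableRoamingFolderHomepages`, `Security\NonDefaultStoreScript`) are assumptions drawn from Microsoft's published Outlook settings; verify them against the Office version you run.

```powershell
# Added example (not from the article): audit this user's Outlook registry
# hive for folder Home Page URLs and for the keys that re-enable the Home Page
# feature after the CVE-2017-11774 patch. Paths and value names are assumptions
# based on Microsoft's documented Outlook settings; verify for your Office build.

$versions = '14.0', '15.0', '16.0'   # Outlook 2010, 2013, 2016/2019/365
$findings = @()

foreach ($v in $versions) {
    $base = "HKCU:\Software\Microsoft\Office\$v\Outlook"
    if (-not (Test-Path $base)) { continue }

    # Locally configured folder home pages live under WebView\<FolderName>\URL.
    $webView = Join-Path $base 'WebView'
    if (Test-Path $webView) {
        foreach ($folder in Get-ChildItem $webView) {
            $url = (Get-ItemProperty $folder.PSPath -ErrorAction SilentlyContinue).URL
            if (-not $url) { continue }
            # Anything pointing off the local machine deserves a closer look.
            $note = if ($url -match '^(https?|file)://') { 'folder home page set' } else { 'non-URL value' }
            $findings += [pscustomobject]@{
                Version = $v
                Setting = "WebView\$($folder.PSChildName)\URL"
                Value   = $url
                Note    = $note
            }
        }
    }

    # After the patch the Home Page tab is gone unless these are set to 1.
    # An attacker who already has code execution can flip them to bring the
    # vector back, so a value of 1 on a host you did not configure is a finding.
    $sec = Join-Path $base 'Security'
    foreach ($name in 'EnableRoamingFolderHomepages', 'NonDefaultStoreScript') {
        $val = (Get-ItemProperty $sec -Name $name -ErrorAction SilentlyContinue).$name
        if ($val -eq 1) {
            $findings += [pscustomobject]@{
                Version = $v
                Setting = "Security\$name"
                Value   = $val
                Note    = 'Home Page feature re-enabled'
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No Outlook folder home pages or re-enable keys found for this user.'
}
```

One caveat: a home page pushed into a mailbox remotely is stored as a property on the folder itself and travels with the mailbox, so it will not necessarily show up in the registry. This check catches locally configured pages and the re-enable keys; pair it with a mailbox-side review and with patch status for the Outlook update if you suspect this vector on a host.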
Outlook vulnerability previously used by Iranian hackers
The bug was privately reported by SensePost researchers in the fall of 2017, but by the next year it had been weaponized by an Iranian state-sponsored hacking group known as APT33 (or Elfin).
In late December 2018, APT33 hackers were seen using the vulnerability to deploy a PowerShell-based backdoor that FireEye had named POWERTON.
The attacks leveraging CVE-2017-11774 surfaced at the same time as reports of new sightings of the infamous Shamoon disk-wiping malware, another tool attributed to Iranian state-sponsored groups, APT33 among them.
At the time, however, no link between APT33's POWERTON attacks and the Shamoon deployments was ever proven.
Increased Iranian hacking activity
Still, US Cyber Command's sighting of an unnamed threat actor currently exploiting CVE-2017-11774 comes after both Symantec and Recorded Future published warnings about increased activity from APT33, the only major APT known to have abused the Outlook flaw until now.
Furthermore, two weeks ago, CISA, the Department of Homeland Security’s cyber-security agency, also issued a similar warning about increased activity from Iranian threat actors.
US Cyber Command’s Twitter account doesn’t issue alerts about financially-motivated hacker crews targeting the US, and is focused on nation-state adversaries only.
US Cyber Command's Twitter alert is also not novel. The command started publishing malware samples on VirusTotal and issuing Twitter alerts last fall, deeming it a faster way of spreading warnings about ongoing cyber-attacks and putting the US private sector on notice.
Besides the alert itself, the US Cyber Command Twitter account also shared a link to five malware samples involved in the attacks.
Besides analyzing malware that hits US government networks, US Cyber Command is also in charge of offensive cyber operations. Two weeks ago, the DOD command launched a cyber-attack aimed at Iran's rocket and missile systems after the Iranian military shot down an expensive US surveillance drone.