US Cyber Command has issued a warning about an unnamed foreign country’s attempt to spread malware through the exploitation of a vulnerability in Microsoft Outlook.
The alert, posted on Twitter, refers to CVE-2017-11774, a vulnerability in Outlook that if exploited could allow an attacker to bypass security features and execute arbitrary commands on targeted Windows computers.
Microsoft issued a patch for the vulnerability in October 2017, but the security hole has since continued to be used by the Iranian-backed APT33 (also known as Elfin) hacking group.
Clearly US Cyber Command is concerned that some at-risk organisations have still not applied Microsoft’s patch from 2017, which removes the legacy ‘home page’ feature of Outlook that was vulnerable to attack.
Outlook’s ‘home page’ feature was little used, and most organisations are probably unaware of its existence, meaning they are unlikely to be disadvantaged by applying the patch and only benefit from the increase in security.
Systems can be further protected by ensuring that layered defences are in place, password best practices are being followed, and multi-factor authentication is enabled.
The latest alert from US Cyber Command comes little more than a week after the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) specifically warned of increased activity by Iranian hacking groups, and urged firms to take protective measures.
On June 22, CISA warned about what it described as “a recent rise” in Iranian-linked cybersecurity threats against the United States, and described some of the typical tactics used:
“Iranian regime actors and proxies are increasingly using destructive ‘wiper’ attacks, looking to do much more than just steal data and money. These efforts are often enabled through common tactics like spear phishing, password spraying, and credential stuffing. What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network.”
APT33 is perhaps best known for its use of the destructive Shamoon disk-wiping malware against companies in the energy sector.
The Shamoon malware (also known as Disttrack) first hit the headlines in August 2012 when it was used in an attack against Saudi Arabia’s state-owned oil company Saudi Aramco, overwriting the data stored on over 30,000 Windows computers, before displaying an image of a US flag in flames.