Didn’t Update Your Outlook? Watch Out For Iranian Hacks

An ongoing Iranian government-backed hacking campaign is now exploiting a Microsoft Outlook flaw that was patched back in 2017.

US Cyber Command has issued an alert that attackers are actively going after CVE-2017-11774. The flaw is a security-feature bypass in Outlook, widely described as a sandbox escape, and it is not a remote break-in on its own: an attacker who already holds the victim’s Outlook credentials uses it to set the user’s Outlook folder home page to a web page the attacker controls. That page, in turn, can carry embedded code that downloads and executes malware the next time Outlook loads it, which gives the intruder code execution and persistence on the workstation from nothing more than a stolen mailbox password. Applying the October 2017 Outlook patch and enforcing multi-factor authentication on mail access are the two controls that break this chain.
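As an added example (not from the original article, US Cyber Command or FireEye), the following Python script parses a constructed `reg export` of a user’s Outlook registry hive and flags the two things a responder would look for after this kind of intrusion: a folder home page URL configured under the WebView key, and the Security values that re-enable the folder home page feature the 2017 patch turned off. The key paths and value names follow Microsoft’s patch documentation as I recall it and should be treated as assumptions to verify against current guidance; the export text, the IP address and the Office version number are constructed for the example.

```python
import re

# Constructed sample of a `reg export` of the per-user Outlook hive (Office 16.0).
# Key paths and value names are taken from the CVE-2017-11774 patch notes as I
# recall them (assumption): verify against current Microsoft documentation.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\WebView\Inbox]
"URL"="http://198.51.100.7/home.html"

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\WebView\Calendar]
"URL"=""

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security]
"EnableRoamingFolderHomepages"=dword:00000001
"NonDefaultStoreScript"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(.+)\]$")          # [HKEY_...\Path]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')  # "Name"=data


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: value}}.

    Only REG_SZ ("...") and REG_DWORD (dword:XXXXXXXX) are decoded; any other
    data type is kept as the raw string so nothing is silently dropped.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith("dword:"):
                keys[current][name] = int(data[len("dword:"):], 16)
            elif data.startswith('"') and data.endswith('"'):
                keys[current][name] = data[1:-1]
            else:
                keys[current][name] = data
    return keys


def find_homepage_indicators(text):
    """Return (indicator, detail, value) tuples for CVE-2017-11774 persistence."""
    findings = []
    for path, values in parse_reg_export(text).items():
        lower = path.lower()
        if "\\outlook\\webview\\" in lower:
            # Any non-empty home page URL on a folder is worth a look: a legitimate
            # deployment rarely points a mail folder at an external web page.
            url = values.get("URL", "")
            if url:
                folder = path.rsplit("\\", 1)[-1]
                findings.append(("folder_homepage", folder, url))
        elif lower.endswith("\\outlook\\security"):
            # These values re-enable behaviour the patch disabled (assumed names).
            for name in ("EnableRoamingFolderHomepages", "NonDefaultStoreScript"):
                if values.get(name) == 1:
                    findings.append(("feature_reenabled", name, 1))
    return findings


if __name__ == "__main__":
    for finding in find_homepage_indicators(SAMPLE_REG_EXPORT):
        print(finding)
```

On a live host the same check is a `reg export HKCU\Software\Microsoft\Office\16.0\Outlook` run as the affected user, fed to `find_homepage_indicators`; the empty Calendar URL in the sample shows the parser ignores folders with no home page configured.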

The timing of this alert raised eyebrows in the security community, as exploitation of CVE-2017-11774 is a favorite technique of APT33, the Iranian-backed hacking group that has re-emerged with a vengeance amid rising tensions between Washington and Tehran.

“For at least a year, APT33 and APT34 have used this technique with success due to organizations’ lack of proper multi-factor e-mail access controls and patching e-mail applications for CVE-2017-11774,” the FireEye Advanced Practices Team said in a statement to El Reg.

The attribution to APT33 matters here because the group exploits the flaw in a distinctive way: the attackers pick a target organization and attempt to brute-force as many of its email accounts as possible with commonly guessed passwords (a password spray, which stays under per-account lockout thresholds), then plug whichever credentials work into the CVE-2017-11774 exploit script.
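Added example, not part of the original article: a small Python detector for the spray-then-use pattern described above. It groups failed logins by source address, raises an alert when a single source fails against many distinct accounts with no more than a couple of attempts each inside a short window, and then lists any account that later authenticated successfully from that source, since those are exactly the credentials that would be fed into the exploit script. The log format, the addresses and the account names are constructed for the example; real Exchange, OWA or IIS logs need their own field parser, and the thresholds are starting points to tune, not fixed rules.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a generic mail authentication log:
#   <ISO-8601 timestamp> <source IP> <account> <FAILED|SUCCESS>
# 203.0.113.9 sprays one guess across nine accounts and lands on "ivan";
# 198.51.100.20 is one user mistyping a password twice, which must not alert.
SAMPLE_AUTH_LOG = """\
2019-07-03T02:14:07Z 203.0.113.9 alice FAILED
2019-07-03T02:14:09Z 203.0.113.9 bob FAILED
2019-07-03T02:14:11Z 203.0.113.9 carol FAILED
2019-07-03T02:14:13Z 203.0.113.9 dave FAILED
2019-07-03T02:14:15Z 203.0.113.9 erin FAILED
2019-07-03T02:14:17Z 203.0.113.9 frank FAILED
2019-07-03T02:14:19Z 203.0.113.9 grace FAILED
2019-07-03T02:14:21Z 203.0.113.9 heidi FAILED
2019-07-03T02:14:23Z 203.0.113.9 ivan SUCCESS
2019-07-03T02:20:00Z 198.51.100.20 alice FAILED
2019-07-03T02:20:05Z 198.51.100.20 alice FAILED
2019-07-03T02:20:10Z 198.51.100.20 alice SUCCESS
"""


def parse_auth_log(text):
    """Return a list of (timestamp, source, account, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, outcome))
    return events


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_attempts_per_account=2):
    """Flag sources that fail against many accounts with few attempts each.

    A spray is the opposite shape of a classic brute force: breadth across
    accounts, shallow depth per account, so per-account lockouts never fire.
    For each flagged source the alert also lists accounts that logged in
    successfully from that source after the spray started (the credentials
    an attacker would go on to use).
    """
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        start = 0
        for end, ev in enumerate(evs):
            # Slide the window so evs[start:end+1] spans at most `window`.
            while ev[0] - evs[start][0] > window:
                start += 1
            failures = [e for e in evs[start:end + 1] if e[3] == "FAILED"]
            accounts = {e[2] for e in failures}
            if (len(accounts) >= min_accounts
                    and len(failures) <= max_attempts_per_account * len(accounts)):
                spray_start = evs[start][0]
                later = [e for e in evs if e[0] >= spray_start]
                alerts.append({
                    "source": src,
                    "spray_start": spray_start,
                    "accounts_tried": len({e[2] for e in later if e[3] == "FAILED"}),
                    "failures": sum(1 for e in later if e[3] == "FAILED"),
                    "compromised": sorted({e[2] for e in later if e[3] == "SUCCESS"}),
                })
                break  # one alert per source is enough; stop re-scanning it
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(alert)
```

The `compromised` list is the part worth wiring into response: each account in it should have its password reset and its Outlook folder home page settings checked, because by the time the spray is noticed the credentials may already have been used against CVE-2017-11774.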