USCYBERCOM Warns About Iran Exploit of Microsoft Office Security Feature Bypass Vulnerability
SkyBox Blog TeamJul 11, 2019
On July 2, the US Cyber Command (USCYBERCOM) warned that malware linked to state-sponsored groups from Iran was exploiting a patched vulnerability in Microsoft’s Outlook. Given the catchy nickname “Microsoft Office Security Feature Bypass Vulnerability”, the flaw was first discovered by SensePost researchers in October 2017, with the issue applying to Microsoft Outlook 2010 SP2, Outlook 2013 SP1, 2013 RT SP1 and Outlook 2016.
What Does the Microsoft Office Security Feature Bypass Vulnerability Do?
The vulnerability –CVE-2017-11774 – enables remote attackers to take advantage of the Outlook client’s Home Page feature. The feature was designed by Windows to allow users to customize the default view for Outlook folders – once customized, a specific URL is loaded and displayed when any Outlook folder is opened. If attackers are able to gain access, they’re then able to inject the malicious HTML or Visual Basic code of their choosing – the potential ramifications of a successful attack are, therefore, wide-ranging. In order to execute a successful exploit, it’s necessary for the attacker to embed malicious code in an Outlook specific ActiveX control loaded from the URL.
FireEye Security experts have attributed the use of the Outlook exploit to APT33 and APT34 – two Iranian state-sponsored groups. Further to this, USCYBERCOM started to maintain an account in Virus Total in November 2018. Following its warning regarding the Microsoft Office Security Feature Bypass Vulnerability, USCYBERCOM has submitted 5 malware files to Virus Total 5 which have been identified as being involved in ongoing attacks.
— @U.S.CyberCommand (@US_CYBERCOM) July 2, 2019
What Should Skybox Customers Do?
The official recommendation from USCYBERCOM is for users to apply the patch – which is readily available – as soon as humanly possible. It’s of note that this is the first warning issued by USCYBERCOM that relates to a non-Russian state-sponsored attack and points to the growing capabilities of other nation states to inflict damage in the cyber realm.
Skybox customers were first made aware of the vulnerability and its patch on October 102017, with following notices shared about when an exploit was first available (Dec 7 2017) and when it was first exploited in the wild (Dec 25 2018).
If customers with the exposed vulnerability within their network followed Skybox’s prioritization processes, they will have applied the patch a couple of years ago. In which case, they have nothing to worry about. Having this context-rich understanding of how vulnerabilities, if exploited, can impact your organization is critical to ensuring protection against any future exploits.
Kuwait Oil Company Spreadsheet Delivering OmniRAT to OT Networks: Another attack which could have been led by Iran happened at the close of 2018, when an old remote code execution vulnerability was exploited
Threadkit, Formbook Exploit Old Microsoft Vulnerability: This isn’t the first old Microsoft vulnerability to be exploited this year – learn how the Threadkit exploit works