A group of attackers, possibly linked to the APT33 group associated with the Iranian government, is exploiting a two-year-old vulnerability in Microsoft Outlook to install several different pieces of malware on compromised servers.
The ongoing attacks have drawn the attention of the U.S. Cyber Command, which issued a warning about the activity on Tuesday. The warning does not specify what kind of organizations have been targeted, but Cyber Command focuses on attacks on government agencies and not private companies. The warning said that the malware is being delivered from one particular domain and Cyber Command has uploaded samples of the malware to the VirusTotal community site.
"USCYBERCOM has discovered active malicious use of CVE-2017-11774 and recommends immediate #patching. Malware is currently delivered from: 'hxxps://customermgmt.net/page/macrocosm'," the warning says.
Researchers at Chronicle, the security firm started by Google’s parent company Alphabet and just acquired by Google Cloud, were able to connect those samples to previous activity by APT33.
"The executables uploaded by CyberCom appear to be related to Shamoon2 activity, which took place around January of 2017. These executables are both downloaders that utilize powershell to load the PUPY RAT. Additionally, CyberCom uploaded three tools likely used for the manipulation of exploited web servers," said Brandon Levene, head of applied intelligence at Chronicle.
“Each tool has a slightly different purpose, but there is a clear capability on the part of the attacker to interact with servers they may have compromised. If the observation of CVE-2017-11774 holds true, this sheds some light on how the Shamoon attackers were able to compromise their targets. It was highly speculated that spear phishes were involved, but not a lot of information around the initial vectors was published."
APT33 is a group associated with Iranian intelligence services, and has been known to use the PUPY RAT malware in the past. Researchers at FireEye did a detailed analysis of similar activity from APT33 last year, right around the same time that Shamoon attacks resurfaced. Shamoon is a wiper malware that destroys compromised machines. There was speculation at the time that the APT33 attacks and Shamoon activity were connected.
“Recent public reporting indicated possible links between the confirmed APT33 spear phishing and destructive SHAMOON attacks; however, we were unable to independently verify this claim. FireEye’s Advanced Practices team leverages telemetry and aggressive proactive operations to maintain visibility of APT33 and their attempted intrusions against our customers. These efforts enabled us to establish an operational timeline that was consistent with multiple intrusions Managed Defense identified and contained prior to the actor completing their mission,” FireEye’s analysis from December 2018 says.
APT33 was using the same Outlook vulnerability back then that the attackers identified by Cyber Command are using. In the earlier attacks that FireEye analyzed, the adversaries were using a variety of techniques to compromise mail servers, including the use of legitimate stolen credentials and exploitation of the Outlook vulnerability (CVE-2017-11774).
“Based on our experience, this particular method may be more successful due to defenders misinterpreting artifacts and focusing on incorrect mitigations. This is understandable, as some defenders may first learn of successful CVE-2017-11774 exploitation when observing Outlook spawning processes resulting in malicious code execution,” the FireEye analysis says.
“When this observation is combined with standalone forensic artifacts that may look similar to malicious HTML Application (.hta) attachments, the evidence may be misinterpreted as initial infection via a phishing email. This incorrect assumption overlooks the fact that attackers require valid credentials to deploy CVE-2017-11774, and thus the scope of the compromise may be greater than individual users' Outlook clients where home page persistence is discovered.”
In a statement Wednesday, FireEye said the activity in Cyber Command's warning is from APT33.
“FireEye has observed and publicly shared evidence of multiple Iranian hackers using the Outlook CVE-2017-11774 exploit for the past year. FireEye attributes the indicators in U.S. CYBERCOM’s CVE-2017-11774 warning to APT33," the statement says.
Adversary exploitation of CVE-2017-11774 continues to cause confusion for many security professionals. If Outlook launches something malicious, a common assumption is that the impacted user has been phished – which is not what is occurring here. The organization may waste valuable time without focus on the root cause. Before being able to exploit this vector, an adversary needs valid user credentials. For APT33, these are often obtained through password spraying.
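The triage problem FireEye describes above, and the point that CVE-2017-11774 abuse needs valid credentials rather than a phished user, can be turned into detection logic. The following is an added example, not code from the article or from FireEye, Chronicle or Cyber Command: it correlates constructed process-creation events (Outlook starting a script host) with constructed logon events showing the password-spray shape, so that an analyst sees the account-compromise angle before assuming phishing. The field names, thresholds and sample data are assumptions loosely modelled on Sysmon and Windows logon records, not a real product schema.

```python
"""Triage of "Outlook spawned a script host" alerts in the light of CVE-2017-11774.

Added example, not code from the article or from FireEye, Chronicle or
Cyber Command. Outlook launching a script host is often read as a
phished user, while home page abuse needs valid credentials, which the
article says APT33 often gets by password spraying. This script
correlates constructed process-creation events with constructed logon
events so the account-compromise reading is checked first. Field names
and thresholds are assumptions, not a real product schema.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Child images that a mail client should not normally start.
SCRIPT_HOSTS = {"powershell.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe"}


@dataclass
class ProcEvent:
    user: str      # account the child runs as
    parent: str    # parent image name
    child: str     # child image name
    cmdline: str   # child command line (not used for the verdict here)


@dataclass
class LogonEvent:
    user: str
    source_ip: str
    success: bool


def outlook_spawns(events):
    """Process-creation events where outlook.exe started a script host."""
    return [e for e in events
            if e.parent.lower() == "outlook.exe" and e.child.lower() in SCRIPT_HOSTS]


def password_spray_sources(logons, min_failures=10, min_users=5):
    """Source IPs whose failed logons are spread over many distinct accounts.

    A spray shows as a few failures per account across many accounts from
    one source, unlike a brute force that hammers a single account.
    """
    failures = Counter()
    users_per_ip = defaultdict(set)
    for entry in logons:
        if not entry.success:
            failures[entry.source_ip] += 1
            users_per_ip[entry.source_ip].add(entry.user)
    return {ip for ip, n in failures.items()
            if n >= min_failures and len(users_per_ip[ip]) >= min_users}


def accounts_logged_in_from(logons, source_ips):
    """Accounts with a successful logon from any of the given sources."""
    return {entry.user for entry in logons if entry.success and entry.source_ip in source_ips}


def triage(proc_events, logons):
    """Return (user, child image, verdict) for each Outlook script-host spawn.

    'credential-compromise': the account also authenticated from a spray
    source, so the Outlook behaviour fits home page abuse with stolen
    credentials; scope the account and mailbox access, not just the endpoint.
    'needs-review': no spray correlation in the data given; confirm that a
    phishing attachment actually exists before assuming phishing, and check
    the Outlook home page setting for that profile.
    """
    spray_ips = password_spray_sources(logons)
    suspect_accounts = accounts_logged_in_from(logons, spray_ips)
    findings = []
    for e in outlook_spawns(proc_events):
        verdict = "credential-compromise" if e.user in suspect_accounts else "needs-review"
        findings.append((e.user, e.child.lower(), verdict))
    return findings


# Constructed sample data: 203.0.113.10 (documentation range) fails once
# against twelve accounts, then succeeds as alice, which is the spray shape.
SAMPLE_LOGONS = [LogonEvent(f"user{i:02d}", "203.0.113.10", False) for i in range(12)]
SAMPLE_LOGONS += [
    LogonEvent("alice", "203.0.113.10", True),
    LogonEvent("bob", "192.0.2.5", False),   # one mistyped password, not a spray
    LogonEvent("bob", "192.0.2.5", True),
]

SAMPLE_PROCS = [
    ProcEvent("alice", "outlook.exe", "powershell.exe", "powershell -nop -w hidden"),
    ProcEvent("bob", "outlook.exe", "mshta.exe", "mshta C:\\Users\\bob\\AppData\\Local\\Temp\\x.hta"),
    ProcEvent("carol", "outlook.exe", "winword.exe", "winword /n"),   # normal Office child
    ProcEvent("dave", "excel.exe", "cmd.exe", "cmd /c whoami"),       # not Outlook
]


def run_sample():
    return triage(SAMPLE_PROCS, SAMPLE_LOGONS)


if __name__ == "__main__":
    for user, child, verdict in run_sample():
        print(f"{user:6} outlook.exe -> {child:15} {verdict}")
```

On the sample data, alice's Outlook-to-PowerShell event is tagged as credential compromise because her account authenticated from the spraying source, while bob's `.hta` launch stays "needs-review": the artifact looks like an attachment, but nothing here confirms a phishing mail, which is exactly the ambiguity the article warns about.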