Increase in attacks using Outlook flaw

News by Rene Millman

Organisations warned of full intrusion with just flaw and one phish - due to flaw they should have fixed and is actively used by multiple threat actors.

Security researchers have observed a growth in successful exploitation using CVE-2017-11774. The attack has become a favoured approach by nation state hackers.
The flaw is a client-side Microsoft Outlook attack that involves modifying victims’ Outlook client homepages for code execution and persistence. The Outlook Home Page feature allows for customisation of the default view for any folder in Outlook. 
According to a blog post by security researchers at FireEye, this configuration can allow for a specific URL to be loaded and displayed whenever a folder is opened. This URL is retrieved either via HTTP or HTTPS - and can reference either an internal or external network location. When Outlook loads the remote URL, it will render the contents using the ieframe.dll, achieving remote code execution that persists through system restarts. 
Researchers said that multiple threat actors have adopted the technique, especially Iranian groups in support of both espionage and reportedly destructive attacks.
Late last month,  uniquely automated phishing document was uploaded to VirusTotal. The sample, "TARA Pipeline.xlsm" (MD5: ddbc153e4e63f7b8b6f7aa10a8fad514), launches malicious Excel macros combining several techniques, including execution guardrails to only launch on an unnamed victim domain and character substitution obfuscation.
Researchers said that with a reactive implementation of CVE-2017-11774 using the Outlook\WebView\Calendar\URL registry key, an attacker-controlled home page payload hosted in Azure storage blobs (*.web.core.windows.net), and most importantly – a function to walk through the registry and reverse the CVE-2017-11774 patch for any version of Microsoft Outlook.
"This malicious Excel file appears to be a weaponised version of a legitimate victim-created document - as an earlier non-malicious version was also identified in the public malware repository – and this is a technique also becoming more common with both authorised and unauthorised intrusion operators," said researchers.
The patches for CVE-2017-11774 can be effectively "disabled" by modifying registry keys on an endpoint with no special privileges. 
Kelvin Murray, senior threat researcher at Webroot, told SC Media UK that although these attacks are an example of Microsoft security patches being rolled back or bypassed, they shouldn't dent anyone’s trust in updates or patching in general. Updating is a core tenant of cyber-security on any system.
 
"This attack needs privilege to run on a machine and email, file and network filtering are all layers of security that could prevent these attacks. Expect to see Microsoft address this issue properly in future updates to outlook but until then hardening your registry or your environment via GPO with the exploit researcher guidelines will prevent further intrusions on any system," he said.
Jeff Williams, co-founder and CTO at Contrast Security?, told SC Media UK that the average? commercial web application has 26.7? vulnerabilities. 
"Fortunately, it is now possible to give software a sort of digital immune system. Web applications? and APIs can be provided with defences that enable them to identify their own vulnerabilities and? prevent them from being exploited. Once teams see exactly where they are weak and how attackers? are targeting them, they can quickly clean up their house. Ensuring that they (and those using their? software) are protected," he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews