US Cyber Command warns hackers exploiting Outlook vulnerability to attack gov't agencies

News by Teri Robinson

US CyberCom flags three tools that are "likely used for the manipulation and of exploited web servers" with "a clear capability on the part of the attacker to interact with servers they may have compromised"

The US Cyber Command warned that a threat group was exploiting a vulnerability in Outlook in an effort to attack government agencies and uploaded samples that one security researcher said are linked to APT33 and Shamoon2.

"USCYBERCOM has discovered active malicious use of CVE-2017-11774 and recommends immediate #patching. Malware is currently delivered from: ‘hxxps://customermgmt.net/page/macrocosm’," Cyber Command tweeted the alert on 2 July.

"The executables uploaded by CyberCom appear to be related to Shamoon2 activity, which took place around January of 2017," said Brandon Levene, head of applied intelligence at Chronicle. "These executables are both downloaders that utilise PowerShell to load the PUPY RAT."

CyberCom uploaded three tools that are "likely used for the manipulation and of exploited web servers" with each having "a slightly different purpose, but there is a clear capability on the part of the attacker to interact with servers they may have compromised," said Levene. "If the observation of CVE-2017-11774 holds true, this sheds some light on how the Shamoon attackers were able to compromise their targets."

While security pros speculated "spear phishes were involved," he said "not a lot of information around the initial vectors was published."

This article was originally published on SC Media US.
