Iranian APT33 Exploiting Outlook Vulnerability, US CyberCom Issues Alert
US Cyber Command (USCybercom) issued a malware alert on Twitter regarding the ongoing, active exploitation of the CVE-2017-11774 Outlook vulnerability to attack US government agencies, allowing the attackers to execute arbitrary commands on compromised systems.
The vulnerability is CVE-2017-11774, a security bug that Microsoft patched in Outlook in the October 2017 Patch Tuesday. Although US CyberCom did not mention the threat actor behind the ongoing attacks, security researchers from Chronicle, FireEye, and Palo Alto Networks have linked them to the Iranian-backed APT33 cyber-espionage group.
APT33, also known as Elfin, is an Iranian threat group that first became active in 2015, targeting organizations from multiple industries in the United States, Saudi Arabia, and South Korea, with a focus on energy and aviation entities.
US CyberCom’s alert is not the only one revealing APT33 activity. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a similar warning last month about increased activity from Iranian threat actors, and in particular about the use of disk-wiping malware such as Shamoon, APT33’s primary cyber-weapon.
The malware samples uploaded by US CyberCom to VirusTotal are malicious tools used by APT33 in previous attacks after compromising web servers as detailed by Brandon Levene, Head of Applied Intelligence at Chronicle.
“The executables uploaded by CyberCom appear to be related to Shamoon2 activity, which took place around January of 2017. These executables are both downloaders that utilize PowerShell to load the PUPY RAT,” says Levene.
References:
https://twitter.com/CNMF_VirusAlert/status/1146130046127681536
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11774
https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
Techcess CyberSecurity Group
6110 Clarkson Lane
Houston, Texas 77055