Iran (Apt-33/Elfin): Last night, U.S. Cyber Command, USCYBERCOM, issued a warning to Outlook users to patch their systems immediately. The warning comes as a new campaign targeting users through an older vulnerability has been discovered. According to USCYBERCOM the attackers are seeking to utilize CVE-2017-11774 to deliver malware which is coming from ‘https://customermgmt(dot)net/page/macrocosm’. CVE-2017-11774 was patched by Microsoft during the October 2017 Patch Tuesday, so up-to-date systems are protected. Despite a patch being released nearly two years ago, many systems remain vulnerable. Iran’s APT-33, Elfin, have been seen exploiting this vulnerability in the past. While the warning issued by USCYBERCOM did not directly name APT-33 as the attacker behind this most recent use of CVE-2017-11774.
Analyst Notes
The fact that the group has utilized the vulnerability in the past, plus recent warnings from the DHS about the increased threat from Iranian hacking and the recent cyber-attacks launch by the United States against Iranian missile sites makes it likely that APT-33 is behind this recent wave of attacks against Outlook users.
