Iran (APT-33/Elfin): Last night, U.S. Cyber Command (USCYBERCOM) issued a warning to Outlook users to patch their systems immediately. The warning comes as a new campaign was discovered targeting users through an older vulnerability. According to USCYBERCOM, the attackers are seeking to exploit CVE-2017-11774 to deliver malware hosted at ‘https://customermgmt(dot)net/page/macrocosm’. CVE-2017-11774 is a security feature bypass in Microsoft Outlook's folder "home page" feature, which lets a mail folder load a remote URL in place of its normal view; Microsoft patched it in the October 2017 Patch Tuesday, so up-to-date systems are protected. Despite the patch being nearly two years old, many systems remain vulnerable. Iran's APT-33 (Elfin) has been seen exploiting this vulnerability in the past.

While the warning issued by USCYBERCOM did not directly name APT-33 as the attacker behind this most recent use of CVE-2017-11774, the fact that the group has used the vulnerability before, plus recent warnings from the DHS about the increased threat from Iranian hacking and the recent cyber-attacks launched by the United States against Iranian missile sites, makes it likely that APT-33 is behind this wave of attacks against Outlook users.
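For defenders who want more than "patch it", the following PowerShell check hunts for the mechanism CVE-2017-11774 abuses on a Windows host. It is an added example, not part of the USCYBERCOM warning or any published tooling. It assumes the documented Outlook registry layout (Office 15.0/16.0; per-folder home page URLs under `...\Outlook\WebView\<Folder>\URL`, and the post-patch `EnableRoamingFolderHomepages` opt-in under `...\Outlook\Security`); verify those paths against your own Office build. The only indicator it carries is the hostname quoted in the warning above.

```powershell
# Added example (not from the original brief): look for Outlook folder home pages,
# the feature behind CVE-2017-11774, and for the setting that re-enables it
# after the October 2017 patch. Registry locations are assumptions based on the
# documented Outlook layout; adjust $Versions for your Office build.

$Versions     = '15.0', '16.0'
$KnownBadHost = 'customermgmt.net'   # hostname from the USCYBERCOM warning

foreach ($v in $Versions) {
    # Each mail folder can carry a home page URL under WebView\<Folder>\URL.
    # Any non-empty value on a patched, managed host deserves a look.
    $webView = "HKCU:\Software\Microsoft\Office\$v\Outlook\WebView"
    if (Test-Path $webView) {
        Get-ChildItem $webView | ForEach-Object {
            $url = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).URL
            if ($url) {
                $verdict = if ($url -match [regex]::Escape($KnownBadHost)) { 'KNOWN-BAD' } else { 'REVIEW' }
                [pscustomobject]@{
                    Version = $v
                    Folder  = $_.PSChildName
                    URL     = $url
                    Verdict = $verdict
                }
            }
        }
    }

    # The October 2017 patch disables folder home pages; this DWORD turns them
    # back on. Attackers with registry access set it to restore the attack path.
    $securityKeys = @(
        "HKCU:\Software\Microsoft\Office\$v\Outlook\Security",
        "HKCU:\Software\Policies\Microsoft\Office\$v\Outlook\Security"
    )
    foreach ($key in $securityKeys) {
        $val = (Get-ItemProperty $key -Name EnableRoamingFolderHomepages -ErrorAction SilentlyContinue).EnableRoamingFolderHomepages
        if ($val -eq 1) {
            Write-Warning "$key : EnableRoamingFolderHomepages=1 re-enables the patched home page feature"
        }
    }
}
```

Run it in the context of the user whose Outlook profile you are checking (the keys live under HKCU), or wrap it in a loop over loaded user hives for fleet-wide sweeps. A `REVIEW` hit is not proof of compromise, since some organisations legitimately set home pages, but on a host where nobody expects one it is exactly the artifact this campaign would leave.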