Rewterz Threat Alert
Severity
Medium
Analysis Summary
Threat actors are abusing an Outlook vulnerability to plant malware on government networks. The vulnerability is CVE-2017-11774, a security bug that Microsoft patched in Outlook in the October 2017 Patch Tuesday.
The Outlook bug allows a threat actor to escape from the Outlook sandbox and run malicious code on the underlying operating system. In late December 2018, APT33 hackers were deploying backdoors on web servers, which they later used to push the CVE-2017-11774 exploit to users’ inboxes so they could infect their systems with malware.
Once the adversary has legitimate credentials, they identify publicly accessible Outlook Web Access (OWA) or Office 365 that is not protected with multi-factor authentication. The adversary leverages the stolen credentials and a tool like RULER to deliver CVE-2017-11774 exploits through Exchange’s legitimate features.
Impact
Credential theft
Affected Vendors
Microsoft
Affected Products
Microsoft Outlook
Remediation
Update the systems running vulnerable versions of Microsoft Outlook to a patched version, if you haven’t already.
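As an added example that is not part of the Rewterz alert, the following PowerShell audit reports two things a defender would want to know on a Windows endpoint: the installed Outlook (Click-to-Run) build, so it can be compared against the patched version, and whether the Outlook folder home page feature that the CVE-2017-11774 fix disabled has been re-enabled or populated with a URL. The registry value names (`EnableRoamingFolderHomepage`, `WebView\<folder>\URL`, `VersionToReport`) are taken from Microsoft’s and MITRE ATT&CK’s public documentation of this feature, not from this page, and the Office version list is an assumption to adjust for your estate.

```powershell
# Added example, not code from the Rewterz alert.
# Assumption: Office 2016/2019/365 uses key "16.0"; 2013 uses "15.0".
$OfficeVersions = @('16.0', '15.0')

function Get-OutlookBuild {
    # Click-to-Run installs record the build here; MSI installs will not have it.
    $c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (Test-Path $c2r) {
        return (Get-ItemProperty -Path $c2r -ErrorAction SilentlyContinue).VersionToReport
    }
    return $null   # compare manually against the KB for CVE-2017-11774
}

function Get-OutlookHomepageFindings {
    # Returns one object per suspicious setting; an empty result means nothing was found.
    $findings = @()
    foreach ($ver in $OfficeVersions) {
        # 1. Has the post-patch default (home pages off) been overridden?
        $secKeys = @("HKCU:\Software\Microsoft\Office\$ver\Outlook\Security",
                     "HKCU:\Software\Policies\Microsoft\Office\$ver\Outlook\Security")
        foreach ($k in $secKeys) {
            if (-not (Test-Path $k)) { continue }
            $v = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).EnableRoamingFolderHomepage
            if ($v -eq 1) {
                $findings += [pscustomobject]@{ Key = $k; Value = 'EnableRoamingFolderHomepage=1'; Note = 'folder home pages re-enabled' }
            }
        }
        # 2. Is any folder configured to load a home page URL locally?
        $webView = "HKCU:\Software\Microsoft\Office\$ver\Outlook\WebView"
        if (Test-Path $webView) {
            foreach ($folder in Get-ChildItem -Path $webView -ErrorAction SilentlyContinue) {
                $url = (Get-ItemProperty -Path $folder.PSPath -ErrorAction SilentlyContinue).URL
                if ($url) {
                    $findings += [pscustomobject]@{ Key = $folder.PSPath; Value = "URL=$url"; Note = 'folder home page set' }
                }
            }
        }
    }
    return $findings
}

"Outlook build: $(Get-OutlookBuild)"
$hits = Get-OutlookHomepageFindings
if ($hits.Count -eq 0) { 'No folder home page overrides found.' } else { $hits | Format-Table -AutoSize }
```

Folder home pages set server-side through Exchange (the path the alert describes with RULER) live in the mailbox rather than in the local registry, so a clean result here confirms only the local state; mailbox folder properties and OWA/Office 365 MFA coverage still need to be checked separately.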