Threat actors abusing an Outlook vulnerability to plant malware on government networks. The vulnerability is CVE-2017-11774, a security bug that Microsoft patched in Outlook in the October 2017 Patch Tuesday.
The Outlook bug, allows a threat actor to escape from the Outlook sandbox and run malicious code on the underlying operating system. In late December 2018, ATP33 hackers were deploying backdoors on web servers, which they were later using to push the CVE-2017-11774 exploit to users’ inboxes, so they can infect their systems with malware.
Once the adversary has legitimate credentials, they identify publicly accessible Outlook Web Access (OWA) or Office 365 that is not protected with multi-factor authentication. The adversary leverages the stolen credentials and a tool like RULER to deliver [CVE-2017-11774] exploits through Exchange’s legitimate features.
Update the systems running vulnerable versions of Microsoft Outlook to a patched version, if you haven’t already.