Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

12/4/2019
10:45 AM
50%
50%

Attackers Continue to Exploit Outlook Home Page Flaw

FireEye issues guidance on locking down Outlook, claiming that security researchers, at least, are able to work around the patch issued by Microsoft.

A 2-year-old vulnerability in Microsoft Outlook continues to cause headaches for companies, as attackers are able to use a specific feature of the program to execute code and persist on previously infected systems, according to an advisory published by cybersecurity services firm FireEye.

The attack, which uses the Microsoft Outlook Security Feature Bypass Vulnerability (CVE-2017-11774) patched in October 2017, abuses the Outlook Home Page feature that allows a customized view to be shown for any e-mail folder. When exploited, the vulnerability allows code to run whenever an Outlook client homepage is opened. 

While the issue was patched, and the vast majority of companies have the update, attackers have been able to circumvent the fix to gain persistence on already-compromised systems, says Matthew McWhirt, senior manager at FireEye.

"We definitely continue to see the Home Page functionality being used by attackers, even though it was patched back in 2017, over two years ago," he says. "We are also seeing attackers attempting to disable protections that the patch provides by circumventing some controls by modifying the registry on endpoints."

The alert comes after the United States' military warned in July that Iranian cyber espionage groups were using the issue as part of their attacks on targets in the United States, Europe, and the Middle East. Two Iranian groups — APT33 and APT34 — have used the attack since June 2018, according to FireEye. APT33, also known Elfin, has attacked industries and government agencies in the United States, Saudi Arabia, and South Korea, focusing the aerospace and oil-and-gas sectors. APT34, also known as Helix Kitten, has focused on financial, government, energy, chemical, and telecommunications targets in the Middle East and has operated since 2014.

Both groups seem to use the Outlook vulnerability as a way to gain persistence on systems that are already compromised. In addition, a recent submission to VirusTotal included an automated version of the attack for working around patched Outlook systems, FireEye stated in its alert.

"APT33 is a heavy user of this technique, and we have also seen APT34 using it as well," McWhirt says. "I wouldn't call it an 'uptick' — that is not why we are calling this out — but companies may think they are safe because they applied the Outlook patch, and they are not."

In the automated version, submitted as an Excel file to VirusTotal, the persistence technique aims to modify the WebView registry key with an external URL in a type of cloud storage common to Azure, known as a storage blob, and has a method to "walk through the registry and reverse the ... patch," FireEye stated. Dark Reading could not confirm the existence of the file through a search on the hash provided by FireEye, but the company stated that the file appears to be attributable to an authorized red-team operation.

To foil such attacks, companies should enforce specific values for the registry keys used by the attack, or the use of Group Policy Objects (GPOs) in Windows. In its alert, FireEye listed the complete hardening guidelines that companies can put in place to prevent attackers from bypassing the Outlook patch.

"Without continuous reinforcement of the recommended registry settings for ... hardening [against the attack], an attacker can add or revert registry keys for settings that essentially disable the protections provided by the patches," FireEye warned in the alert.

While the specific attack appears to be industry-generated — with one security company detecting another security company's exploit — malicious attackers and groups often adopt techniques pioneered by security researchers.

FireEye cautioned organizations to check to ensure that the specified registry changes do not break third-party applications that use the Outlook Home Page functionality. 

Because rolling back the patch's hardening measures requires "some form of initial access," the issue is not considered a failure of the patch by Microsoft, according to FireEye's alert.

"However, the technique is under-reported, no public mitigation guidance is available, and — as a fresh in-the-wild example demonstrates ... — initial access and patch overriding can be completely automated," the alert stated.

Related Content

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "A Cause You Care About Needs Your Cybersecurity Help."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 New Cybersecurity Vulnerabilities That Could Put Your Enterprise at Risk
In this Dark Reading Tech Digest, we look at the ways security researchers and ethical hackers find critical vulnerabilities and offer insights into how you can fix them before attackers can exploit them.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17475
PUBLISHED: 2020-08-14
Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3s allows attackers to grant physical access to anyone by sending packet data to UDP port 5000.
CVE-2020-0255
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-10751. Reason: This candidate is a duplicate of CVE-2020-10751. Notes: All CVE users should reference CVE-2020-10751 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-14353
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-18270. Reason: This candidate is a duplicate of CVE-2017-18270. Notes: All CVE users should reference CVE-2017-18270 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-17464
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2020-17473
PUBLISHED: 2020-08-14
Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.