Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

12/4/2019
10:45 AM
50%
50%

Attackers Continue to Exploit Outlook Home Page Flaw

FireEye issues guidance on locking down Outlook, claiming that security researchers, at least, are able to work around the patch issued by Microsoft.

A 2-year-old vulnerability in Microsoft Outlook continues to cause headaches for companies, as attackers are able to use a specific feature of the program to execute code and persist on previously infected systems, according to an advisory published by cybersecurity services firm FireEye.

The attack, which uses the Microsoft Outlook Security Feature Bypass Vulnerability (CVE-2017-11774) patched in October 2017, abuses the Outlook Home Page feature that allows a customized view to be shown for any e-mail folder. When exploited, the vulnerability allows code to run whenever an Outlook client homepage is opened. 

While the issue was patched, and the vast majority of companies have the update, attackers have been able to circumvent the fix to gain persistence on already-compromised systems, says Matthew McWhirt, senior manager at FireEye.

"We definitely continue to see the Home Page functionality being used by attackers, even though it was patched back in 2017, over two years ago," he says. "We are also seeing attackers attempting to disable protections that the patch provides by circumventing some controls by modifying the registry on endpoints."

The alert comes after the United States' military warned in July that Iranian cyber espionage groups were using the issue as part of their attacks on targets in the United States, Europe, and the Middle East. Two Iranian groups — APT33 and APT34 — have used the attack since June 2018, according to FireEye. APT33, also known Elfin, has attacked industries and government agencies in the United States, Saudi Arabia, and South Korea, focusing the aerospace and oil-and-gas sectors. APT34, also known as Helix Kitten, has focused on financial, government, energy, chemical, and telecommunications targets in the Middle East and has operated since 2014.

Both groups seem to use the Outlook vulnerability as a way to gain persistence on systems that are already compromised. In addition, a recent submission to VirusTotal included an automated version of the attack for working around patched Outlook systems, FireEye stated in its alert.

"APT33 is a heavy user of this technique, and we have also seen APT34 using it as well," McWhirt says. "I wouldn't call it an 'uptick' — that is not why we are calling this out — but companies may think they are safe because they applied the Outlook patch, and they are not."

In the automated version, submitted as an Excel file to VirusTotal, the persistence technique aims to modify the WebView registry key with an external URL in a type of cloud storage common to Azure, known as a storage blob, and has a method to "walk through the registry and reverse the ... patch," FireEye stated. Dark Reading could not confirm the existence of the file through a search on the hash provided by FireEye, but the company stated that the file appears to be attributable to an authorized red-team operation.

To foil such attacks, companies should enforce specific values for the registry keys used by the attack, or the use of Group Policy Objects (GPOs) in Windows. In its alert, FireEye listed the complete hardening guidelines that companies can put in place to prevent attackers from bypassing the Outlook patch.

"Without continuous reinforcement of the recommended registry settings for ... hardening [against the attack], an attacker can add or revert registry keys for settings that essentially disable the protections provided by the patches," FireEye warned in the alert.

While the specific attack appears to be industry-generated — with one security company detecting another security company's exploit — malicious attackers and groups often adopt techniques pioneered by security researchers.

FireEye cautioned organizations to check to ensure that the specified registry changes do not break third-party applications that use the Outlook Home Page functionality. 

Because rolling back the patch's hardening measures requires "some form of initial access," the issue is not considered a failure of the patch by Microsoft, according to FireEye's alert.

"However, the technique is under-reported, no public mitigation guidance is available, and — as a fresh in-the-wild example demonstrates ... — initial access and patch overriding can be completely automated," the alert stated.

Related Content

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "A Cause You Care About Needs Your Cybersecurity Help."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
joshuaprice153
50%
50%
joshuaprice153,
User Rank: Apprentice
12/11/2019 | 12:12:56 AM
Attackers Continue to Exploit Outlook Home Page Flaw
Thank you for being such a reliable source of info when other sites are already filtering their contents (what to go live and not). Im disappointed with them. But you're blog is still here so, yay! mobile detailing Orlando
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16029
PUBLISHED: 2020-01-26
A vulnerability in the application programming interface (API) of Cisco Smart Software Manager On-Prem could allow an unauthenticated, remote attacker to change user account information which can prevent users from logging in, resulting in a denial of service (DoS) condition of the web interface. Th...
CVE-2020-3115
PUBLISHED: 2020-01-26
A vulnerability in the CLI of the Cisco SD-WAN Solution vManage software could allow an authenticated, local attacker to elevate privileges to root-level privileges on the underlying operating system. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerabi...
CVE-2020-3121
PUBLISHED: 2020-01-26
A vulnerability in the web-based management interface of Cisco Small Business Smart and Managed Switches could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability is due to insufficient validation of user-supplie...
CVE-2020-3129
PUBLISHED: 2020-01-26
A vulnerability in the web-based management interface of Cisco Unity Connection Software could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack. The vulnerability is due to insufficient input validation by the web-based management interface. An attacker c...
CVE-2020-3131
PUBLISHED: 2020-01-26
[CVE-2020-3131_su] A vulnerability in the Cisco Webex Teams client for Windows could allow an authenticated, remote attacker to cause the client to crash, resulting in a denial of service (DoS) condition. The attacker needs a valid developer account to exploit this vulnerability. The vulnerability i...