Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

12/4/2019
10:45 AM
50%
50%

Attackers Continue to Exploit Outlook Home Page Flaw

FireEye issues guidance on locking down Outlook, claiming that security researchers, at least, are able to work around the patch issued by Microsoft.

A 2-year-old vulnerability in Microsoft Outlook continues to cause headaches for companies, as attackers are able to use a specific feature of the program to execute code and persist on previously infected systems, according to an advisory published by cybersecurity services firm FireEye.

The attack, which uses the Microsoft Outlook Security Feature Bypass Vulnerability (CVE-2017-11774) patched in October 2017, abuses the Outlook Home Page feature that allows a customized view to be shown for any e-mail folder. When exploited, the vulnerability allows code to run whenever an Outlook client homepage is opened. 

While the issue was patched, and the vast majority of companies have the update, attackers have been able to circumvent the fix to gain persistence on already-compromised systems, says Matthew McWhirt, senior manager at FireEye.

"We definitely continue to see the Home Page functionality being used by attackers, even though it was patched back in 2017, over two years ago," he says. "We are also seeing attackers attempting to disable protections that the patch provides by circumventing some controls by modifying the registry on endpoints."

The alert comes after the United States' military warned in July that Iranian cyber espionage groups were using the issue as part of their attacks on targets in the United States, Europe, and the Middle East. Two Iranian groups — APT33 and APT34 — have used the attack since June 2018, according to FireEye. APT33, also known Elfin, has attacked industries and government agencies in the United States, Saudi Arabia, and South Korea, focusing the aerospace and oil-and-gas sectors. APT34, also known as Helix Kitten, has focused on financial, government, energy, chemical, and telecommunications targets in the Middle East and has operated since 2014.

Both groups seem to use the Outlook vulnerability as a way to gain persistence on systems that are already compromised. In addition, a recent submission to VirusTotal included an automated version of the attack for working around patched Outlook systems, FireEye stated in its alert.

"APT33 is a heavy user of this technique, and we have also seen APT34 using it as well," McWhirt says. "I wouldn't call it an 'uptick' — that is not why we are calling this out — but companies may think they are safe because they applied the Outlook patch, and they are not."

In the automated version, submitted as an Excel file to VirusTotal, the persistence technique aims to modify the WebView registry key with an external URL in a type of cloud storage common to Azure, known as a storage blob, and has a method to "walk through the registry and reverse the ... patch," FireEye stated. Dark Reading could not confirm the existence of the file through a search on the hash provided by FireEye, but the company stated that the file appears to be attributable to an authorized red-team operation.

To foil such attacks, companies should enforce specific values for the registry keys used by the attack, or the use of Group Policy Objects (GPOs) in Windows. In its alert, FireEye listed the complete hardening guidelines that companies can put in place to prevent attackers from bypassing the Outlook patch.

"Without continuous reinforcement of the recommended registry settings for ... hardening [against the attack], an attacker can add or revert registry keys for settings that essentially disable the protections provided by the patches," FireEye warned in the alert.

While the specific attack appears to be industry-generated — with one security company detecting another security company's exploit — malicious attackers and groups often adopt techniques pioneered by security researchers.

FireEye cautioned organizations to check to ensure that the specified registry changes do not break third-party applications that use the Outlook Home Page functionality. 

Because rolling back the patch's hardening measures requires "some form of initial access," the issue is not considered a failure of the patch by Microsoft, according to FireEye's alert.

"However, the technique is under-reported, no public mitigation guidance is available, and — as a fresh in-the-wild example demonstrates ... — initial access and patch overriding can be completely automated," the alert stated.

Related Content

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "A Cause You Care About Needs Your Cybersecurity Help."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15820
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.
CVE-2020-15821
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft.
CVE-2020-15823
PUBLISHED: 2020-08-08
JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.
CVE-2020-15824
PUBLISHED: 2020-08-08
In JetBrains Kotlin before 1.4.0, there is a script-cache privilege escalation vulnerability due to kotlin-main-kts cached scripts in the system temp directory, which is shared by all users by default.
CVE-2020-15825
PUBLISHED: 2020-08-08
In JetBrains TeamCity before 2020.1, users with the Modify Group permission can elevate other users' privileges.