Within two weeks it covertly launched a cyber attack against Iranian intelligence group’s computer systems that control rocket and missile launches, the US Cyber Command on Wednesday issued an unprecedented warning, saying it has discovered the “active malicious use” of a Microsoft Outlook vulnerability linked to Iran.
The vulnerability is a security bug that Microsoft patched in Outlook in 2017 but several unpatched computers are still at risk.
In a tweet, US Cyber Command said: “USCYBERCOM has discovered active malicious use of “CVE-2017-11774″ and recommends immediate #patching.”
According to a ZDNet report, the bug “CVE-2017-11774” discovered first by SensePost researchers had been “weaponized by an Iranian state-sponsored hacking group known as APT33 (or Elfin), primarily known for developing the Shamoon disk-wiping malware” — another hacking tool developed by the APT33 group.
The Outlook bug allows a threat actor to escape from the Outlook sandbox and run malicious code on the underlying operating system.
“In December 2018, ATP33 hackers were using the vulnerability to deploy backdoors on web servers, which they were later using to push the CVE-2017-11774 to exploit to users’ inboxes, so they can infect their systems with malware,” said the report.
Cybersecurity firm FireEye has also reported extensively on Iran-linked APT33.
“Over the past few years, we have been tracking a separate, less widely known suspected Iranian group with potential destructive capabilities, whom we call APT33,” FireEye said recently.
The analysis reveals that APT33 is a capable group that has carried out cyber-espionage operations since at least 2013 “at the behest of the Iranian government”.
APT33 has targeted organizations — spanning multiple industries — headquartered in the US, Saudi Arabia and South Korea.
The possible Iran-linked attack comes in the wake of the US cyber attack last month that targeted computer systems used to control missile and rocket launches for potential disruption.
The strikes, approved by the US President Donald Trump, were carried out by US Cyber Command in coordination with US Central Command.
The attack came during the peak of tensions this week between the US and Iran over a series of incidents across the Middle East, including Tehran’s shooting down of an American reconnaissance drone.
It also came as US fears have grown that Iran may seek to lash out with cyber attacks of its own, as multiple cybersecurity firms said they had already seen signs Tehran is targeting relevant computer networks for intrusion and appeared particularly focused on the US government and the American energy sector, including oil and gas providers.