Tensions between the United States and Iran in the Strait of Hormuz may be cooling but, online, it appears Iranian actors are continuing their activity against targets in the United States and elsewhere.
USCYBERCOM has discovered active malicious use of CVE-2017-11774 and recommends immediate #patching. Malware is currently delivered from: ‘hxxps://customermgmt.net/page/macrocosm’ #cybersecurity #infosec— USCYBERCOM Malware Alert (@CNMF_VirusAlert) July 2, 2019
In their tweet, Cyber Command doesn’t say who is using the bug to launch attacks. But cybersecurity company FireEye has reported that a variety of Iranian hackers have been busy using that very vulnerability.
“Adversary exploitation of CVE-2017-11774 continues to cause confusion for many security professionals,” the company wrote in a statement sent to reporters on Wednesday. “If Outlook launches something malicious, a common assumption is that the impacted user has been phished — which is not what is occurring here. The organization may waste valuable time without focus on the root cause.”
In a December blog post, FireEye traces the activity to a threat group dubbed APT33, which, they say, is working “at the behest of the Iranian government.” In a June update to that post, the company said that they saw those same APT33 tactics playing a role in a new a coordinated campaign against “U.S. federal government agencies and financial, retail, media, and education sectors.”
That update coincides with a June 22 notice from the Cybersecurity and Infrastructure Security Agency, or CISA, warning of a “recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies.” The agency notes that the new attacks are highly destructive, “‘wiper” attacks and that the perpetrators are “looking to do much more than just steal data and money. These efforts are often enabled through common tactics like spear phishing, password spraying, and credential stuffing. What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network.”
At last week’s Defense One Tech Summit, Ed Wilson, the deputy assistant secretary of defense for cyber policy, described the recent escalation in Iranian offensive cyber activity as a “horizontal escalation” meaning an increase in the volume of activity, rather than a sudden change in the types of tactics used. “I think a lot of times we think of escalation is vertical in nature,” he said.
The statement follows a comment from Joint Chiefs Chairman Gen. Joe Dunford in May, describing the increase in Iranian activity in the region, including cyber activity as “campaign-like.”
The U.S. has been ramping up cyber operations against Iranian intelligence groups involved the planning of the attack on various foreign oil tankers, according to reports from Yahoo and The New York Times.
Wilson declined to comment on those reports.