{
	"id": "00007130-a1ca-4f6e-af36-44f78a8fdd8c",
	"created_at": "2026-04-06T00:07:00.793897Z",
	"updated_at": "2026-04-10T03:34:03.043663Z",
	"deleted_at": null,
	"sha1_hash": "76dfb7e5ccd50334a166d4e5f0920e8aaf19d416",
	"title": "US Cyber Command issues alert about hackers exploiting Outlook vulnerability",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 668896,
	"plain_text": "US Cyber Command issues alert about hackers exploiting Outlook vulnerability\r\nBy Catalin Cimpanu, Contributor, July 2, 2019 at 1:06 p.m. PT\r\nArchived: 2026-04-05 15:59:02 UTC\r\nUS Cyber Command has issued an alert via Twitter today about threat actors abusing an Outlook vulnerability to plant malware on government networks.\r\nThe vulnerability is CVE-2017-11774, a security bug that Microsoft patched in Outlook in the October 2017 Patch Tuesday.\r\nThe Outlook bug, discovered and detailed by security researchers from SensePost, allows a threat actor to escape from the Outlook sandbox and run malicious code on the underlying operating system.\r\nOutlook vulnerability previously used by Iranian hackers\r\nThe bug was privately reported by SensePost researchers in the fall of 2017, but by 2018, it had been weaponized by an Iranian state-sponsored hacking group known as APT33 (or Elfin), primarily known for developing the Shamoon disk-wiping malware.\r\nAt the time, in late December 2018, APT33 hackers were deploying backdoors on web servers, which they were later using to push the CVE-2017-11774 exploit to users' inboxes, so they could infect their systems with malware.\r\nhttps://www.zdnet.com/article/us-cyber-command-issues-alert-about-hackers-exploiting-outlook-vulnerability/\r\nPage 1 of 3\r\n\"Once the adversary has legitimate credentials, they identify publicly accessible Outlook Web Access (OWA) or Office 365 that is not protected with multi-factor authentication. The adversary leverages the stolen credentials and a tool like RULER to deliver [CVE-2017-11774] exploits through Exchange's legitimate features,\" the FireEye report said.\r\nThe attacks leveraging the CVE-2017-11774 vulnerability came at the same time that reports surfaced about new sightings of the infamous Shamoon disk-wiping malware -- another hacking tool developed by the APT33 group.\r\nNo connection was ever proved at the time about links between FireEye's APT33 report and Shamoon deployments.\r\nHowever, Chronicle Security researcher Brandon Levene has told ZDNet in an email today that the malware samples uploaded by US Cyber Command appear to be related to Shamoon activity, which took place around January of 2017.\r\nThree of the five malware samples are tools used for the manipulation of exploited web servers, Levene said, while the other two are downloaders which utilized PowerShell to load the PUPY RAT -- most likely on infected systems.\r\nLevene told ZDNet that if the observation of CVE-2017-11774 together with these malware samples holds true, this sheds some light on how the APT33/Shamoon attackers were able to compromise their targets.\r\nWhen Shamoon attacks happened in the past, Levene said that it had been highly speculated that spear-phishing was involved, but not a lot of information around the initial infection vectors was published other than the FireEye report, which speculated on the infection vectors rather than providing indisputable evidence.\r\nIncreased Iranian hacking activity\r\nUS Cyber Command's Twitter account doesn't issue alerts about financially-motivated hacker crews targeting the US, and is focused on nation-state adversaries only. All in all, the malware samples shared by US Cyber Command today link the new attacks the agency is seeing to old APT33 malware samples -- most likely deployed in new attacks against US entities.\r\nWhile US Cyber Command has not named APT33 by name, Levene has, as well as Palo Alto Networks (on Twitter), and FireEye (on Twitter [1, 2] and in private conversations with ZDNet).\r\nThe US Cyber Command tweet also comes after Symantec warned about increased activity from APT33 back in March.\r\nFurthermore, two weeks ago, CISA, the Department of Homeland Security's cyber-security agency, also issued a similar warning about increased activity from Iranian threat actors, and especially about the usage of disk-wiping malware such as Shamoon, APT33's primary cyber-weapon.\r\nBesides analyzing malware that hits the US government network, the US Cyber Command is also in charge of offensive cyber operations. Two weeks ago, the DOD agency launched a cyber-attack aimed at Iran's rocket and missile system after the Iranian military shot down an expensive US surveillance drone. With Iranian hackers targeting government networks and the US hitting back, you could say the two countries are in the midst of a very silent and very unofficial cyberwar.\r\nAnd as a side note, Levene has also pointed out that this is the first time that US Cyber Command has shared non-Russian malware via its Twitter account. The agency started publishing malware samples on VirusTotal and issuing Twitter alerts last fall, deeming it a faster way of spreading security alerts about ongoing cyber-attacks and putting the US private sector on notice.\r\nUSCYBERCOM has discovered active malicious use of CVE-2017-11774 and recommends immediate #patching. Malware is currently delivered from: 'hxxps://customermgmt.net/page/macrocosm' #cybersecurity #infosec\r\n— USCYBERCOM Malware Alert (@CNMF_VirusAlert) July 2, 2019\r\nArticle updated on July 3 with additional confirmations from FireEye and Palo Alto Networks linking the malware shared on Twitter by US Cyber Command to Iranian hacking group APT33.\r\nSource: https://www.zdnet.com/article/us-cyber-command-issues-alert-about-hackers-exploiting-outlook-vulnerability/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.zdnet.com/article/us-cyber-command-issues-alert-about-hackers-exploiting-outlook-vulnerability/"
	],
	"report_names": [
		"us-cyber-command-issues-alert-about-hackers-exploiting-outlook-vulnerability"
	],
	"threat_actors": [
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33",
				"Elfin",
				"HOLMIUM",
				"MAGNALIUM",
				"Peach Sandstorm",
				"Refined Kitten",
				"TA451"
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b938e2e3-3d1b-4b35-a031-ddf25b912557",
			"created_at": "2022-10-25T16:07:23.35582Z",
			"updated_at": "2026-04-10T02:00:04.55531Z",
			"deleted_at": null,
			"main_name": "APT 33",
			"aliases": [
				"APT 33",
				"ATK 35",
				"Cobalt Trinity",
				"Curious Serpens",
				"Elfin",
				"G0064",
				"Holmium",
				"Magnallium",
				"Peach Sandstorm",
				"Refined Kitten",
				"TA451",
				"Yellow Orc"
			],
			"source_name": "ETDA:APT 33",
			"tools": [
				"Atros2.CKPN",
				"AutoIt backdoor",
				"Breut",
				"CinaRAT",
				"DROPSHOT",
				"DarkComet",
				"DarkKomet",
				"DistTrack",
				"EmPyre",
				"EmpireProject",
				"FYNLOS",
				"FalseFont",
				"Filerase",
				"Fynloski",
				"JuicyPotato",
				"Krademok",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Mimikatz",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Notestuk",
				"POWERTON",
				"PoshC2",
				"PowerBand",
				"PowerShell Empire",
				"PowerSploit",
				"PsList",
				"Pupy",
				"PupyRAT",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"SHAPESHIFT",
				"Shamoon",
				"Socmer",
				"StoneDrill",
				"TURNEDUP",
				"Tickler",
				"Yggdrasil",
				"Zurten",
				"klovbot",
				"pupy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434020,
	"ts_updated_at": 1775792043,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/76dfb7e5ccd50334a166d4e5f0920e8aaf19d416.pdf",
		"text": "https://archive.orkl.eu/76dfb7e5ccd50334a166d4e5f0920e8aaf19d416.txt",
		"img": "https://archive.orkl.eu/76dfb7e5ccd50334a166d4e5f0920e8aaf19d416.jpg"
	}
}