Cybersecurity firm TrustedSec has released “Specula,” a post-exploitation framework that targets Microsoft Outlook. Microsoft says the tool exploits the CVE-2017-11774 vulnerability, which allows remote code execution through Windows Registry manipulation, even though Microsoft patched it in October 2017. Attackers still exploit the flaw by altering specific registry settings.
Mechanisms Behind Specula
Specula configures a custom Outlook home page through Windows registry keys, redirecting Outlook to an attacker-controlled site. It modifies keys under HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\WebView\; the page served from that site can contain VBScript, which Outlook renders and which can then execute arbitrary commands on the affected machine.
Once a system is compromised, attackers use Specula to gain persistence and move laterally within the network. Because Outlook.exe is a trusted process, the technique avoids detection by most security tools. The same methodology was used previously by the APT33 group, linked to Iranian state interests, to breach U.S. government systems, as noted by security researchers at Chronicle, FireEye, and Palo Alto Networks.
Historical Usage and Current Threats
The CVE-2017-11774 vulnerability has a record of being exploited in cyber-espionage campaigns. First identified by SensePost researchers, the flaw allows the Outlook security framework to be bypassed by redirecting a folder's home page URL to a malicious site. Although Microsoft removed the user interface for setting Outlook home pages, attackers continue to set them directly through registry values.
Several versions of Microsoft Outlook, including 2010, 2013, and 2016, are affected. Microsoft’s security updates were intended to block home page changes made through the registry, yet the threat lingers because of unpatched systems and new manipulation techniques.
Security Recommendations for Organizations
Organizations should apply recent security updates and add protective measures such as monitoring registry changes and limiting user privileges. TrustedSec’s Specula framework draws attention to the continuing risk posed by this vulnerability and underlines the need for sound security practices to mitigate it.
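One concrete form of the registry monitoring recommended above, as an added example that is not part of the article or of TrustedSec's tooling: the script scans constructed Sysmon-style registry-write records and flags a URL being written under an Outlook WebView folder key, which is the change the Specula technique depends on. The `URL` value name, the `Inbox`/`Calendar` folder subkeys and the flattened record layout are assumptions, not taken from the article.

```python
import re
# Outlook 2010/2013/2016 (14.0/15.0/16.0) load a folder home page from a "URL"
# value under ...\Outlook\WebView\<Folder>\ (value and folder names are assumed).
WEBVIEW_URL_RE = re.compile(
    r"\\Software\\Microsoft\\Office\\(14|15|16)\.0\\Outlook\\WebView\\[^\\]+\\URL$",
    re.IGNORECASE)
# Only a non-empty web/file URL is flagged; clearing the value is not persistence.
REMOTE_URL_RE = re.compile(r"^(https?|file)://", re.IGNORECASE)

def parse_event(line: str) -> dict[str, str]:
    """Parse one flattened 'Field: value|Field: value' record (constructed format)."""
    fields: dict[str, str] = {}
    for part in line.split("|"):
        key, sep, value = part.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def is_outlook_homepage_write(event: dict[str, str]) -> bool:
    """True for a Sysmon-style SetValue that stores a URL in an Outlook WebView key."""
    if event.get("EventID") != "13" or event.get("EventType") != "SetValue":
        return False
    if not WEBVIEW_URL_RE.search(event.get("TargetObject", "")):
        return False
    return bool(REMOTE_URL_RE.match(event.get("Details", "")))

def find_homepage_writes(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (writing process, registry path, URL) for each suspicious event."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_outlook_homepage_write(ev):
            hits.append((ev.get("Image", "?"), ev["TargetObject"], ev["Details"]))
    return hits

# Constructed records in the style of Sysmon Event ID 13: a home page write by
# reg.exe, an unrelated Outlook profile write, and a WebView URL being cleared.
HIVE = "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Office\\"
SAMPLE_EVENTS = [
    "EventID: 13|EventType: SetValue|Image: C:\\Windows\\System32\\reg.exe|TargetObject: "
    + HIVE + "16.0\\Outlook\\WebView\\Inbox\\URL|Details: http://webview.example.invalid/home.html",
    "EventID: 13|EventType: SetValue|Image: C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"
    "|TargetObject: " + HIVE + "16.0\\Outlook\\Profiles\\Outlook|Details: DWORD (0x00000001)",
    "EventID: 13|EventType: SetValue|Image: C:\\Windows\\regedit.exe|TargetObject: "
    + HIVE + "15.0\\Outlook\\WebView\\Calendar\\URL|Details: ",
]
if __name__ == "__main__":
    for image, path, url in find_homepage_writes(SAMPLE_EVENTS):
        print(f"Outlook home page set by {image}: {path} -> {url}")
```

On a real host the same check applies to the 14.0 and 15.0 hives as well, and a hit from any process other than Outlook's own setup tooling deserves investigation.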
Last Updated on November 7, 2024 3:28 pm CET