July 29, 2024 at 05:45PM
A new red team post-exploitation framework named “Specula”, released by TrustedSec, turns Microsoft Outlook into a C2 beacon that executes code remotely. The framework bypasses Outlook’s security controls and lets attackers run arbitrary commands on compromised Windows systems. It relies on CVE-2017-11774, which makes it both a persistence mechanism and a high-impact threat.
The report describes how Specula leverages an Outlook weakness to execute code remotely. The framework creates a custom Outlook home page through WebView and abuses the CVE-2017-11774 security feature bypass, which Microsoft patched in October 2017. Despite that patch, attackers can still configure malicious home pages through Windows Registry values, even on systems running the latest Office 365 builds.
Specula runs entirely in Outlook’s context: registry keys set a custom Outlook home page that calls out to an interactive Python web server. A non-privileged threat actor can point the URL in Outlook’s WebView registry entries at an external website under their control and thereby execute arbitrary commands on the compromised Windows system.
The report also notes that once the Outlook Registry entry is configured, attackers can use the technique for persistence and for lateral movement to other systems. This is concerning because outlook.exe is a trusted process, so commands executed through it are easier to hide from existing security software.
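For defenders, the practical check is whether any Outlook folder home page is configured at all, since a default installation leaves these values empty. The following PowerShell is an added example (not code from TrustedSec, Specula or the article) and assumes the home-page URL lives under `HKCU:\Software\Microsoft\Office\<version>\Outlook\WebView\<Folder>\URL`, the location associated with CVE-2017-11774; adjust the root if your environment differs.

```powershell
# Added example: enumerate Outlook WebView home-page URLs for the current user
# and flag entries that point at a remote HTTP(S) host. The registry layout is
# an assumption (see lead-in), not taken from the article.
function Get-OutlookHomePageUrls {
    [CmdletBinding()]
    param(
        # Root under which per-version Office keys (14.0, 15.0, 16.0, ...) live
        [string]$OfficeRoot = 'HKCU:\Software\Microsoft\Office'
    )
    if (-not (Test-Path $OfficeRoot)) { return }

    $versionKeys = Get-ChildItem $OfficeRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d+\.\d+$' }

    foreach ($verKey in $versionKeys) {
        $webView = "Registry::$($verKey.Name)\Outlook\WebView"
        if (-not (Test-Path $webView)) { continue }

        # One subkey per folder (Inbox, Calendar, ...); the home page is its URL value
        foreach ($folderKey in Get-ChildItem $webView -ErrorAction SilentlyContinue) {
            $url = $folderKey.GetValue('URL')
            if ([string]::IsNullOrWhiteSpace($url)) { continue }

            [pscustomobject]@{
                OfficeVersion = $verKey.PSChildName
                Folder        = $folderKey.PSChildName
                Url           = $url
                # A home page fetched from another host matches the pattern described
                # above; any non-empty value deserves review on a managed build.
                RemoteHttp    = [bool]($url -match '^(?i)https?://' -and
                                       $url -notmatch '^(?i)https?://(localhost|127\.)')
                RegistryKey   = $folderKey.Name
            }
        }
    }
}

# Usage: review every configured Outlook folder home page for this user.
Get-OutlookHomePageUrls | Format-Table -AutoSize
```

Run it under each interactive user profile (or iterate loaded hives under `HKU:`) since the keys are per-user, and feed any non-empty result into your incident triage rather than deleting it blindly.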
Furthermore, the CVE-2017-11774 Outlook vulnerability has been used to target U.S. government agencies and has been linked to the Iranian-sponsored APT33 cyber espionage group. APT34 and APT33 have both utilized this vulnerability in their respective campaigns.
In summary, the report gives an overview of the Specula red team post-exploitation framework, its abuse of the Outlook home-page vulnerability, and the vulnerability’s prior use by cyber espionage groups targeting government agencies.