National Cyber Warfare Foundation (NCWF) Forums


New Specula Tool Turning Outlook as a C2 Server by Leveraging Registry


0 user ratings
2024-07-31 12:32:44
milo
Red Team (CNA)

 - archive -- 

Cybersecurity firm TrustedSec has unveiled a powerful new tool called Specula. It exploits a longstanding vulnerability in Microsoft Outlook to transform it into a Command and Control (C2) server. This revelation has sent shockwaves through the cybersecurity community, highlighting a persistent weak point in many corporate networks. The Specula Framework Specula leverages a seemingly innocuous […]


The post New Specula Tool Turning Outlook as a C2 Server by Leveraging Registry appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.



Cybersecurity firm TrustedSec has unveiled a powerful new tool called Specula. It exploits a longstanding vulnerability in Microsoft Outlook to transform it into a Command and Control (C2) server.





This revelation has sent shockwaves through the cybersecurity community, highlighting a persistent weak point in many corporate networks.





The Specula Framework





Specula leverages a seemingly innocuous Registry change to modify Outlook’s behavior, becoming a beaconing C2 agent. Although this technique has been reported in the past, many organizations continue to overlook it.





TrustedSec’s release of Specula aims to bring more attention to this vulnerability and encourage the development of robust preventions.





Setting the Registry Value
Setting the Registry Value




The ability to exploit the Outlook home page feature was initially reported under CVE-2017-11774.





How to Build a Security Framework With Limited Resources IT Security Team (PDF) - Free Guide





Although Microsoft issued patches that removed the UI elements for setting a custom home page, the underlying Registry values remained functional.





This oversight allows attackers to set a custom home page via Registry keys, enabling the execution of malicious scripts within Outlook.





When a custom home page is set through specific registry keys, Outlook downloads and displays an HTML page instead of the standard mailbox elements.





This HTML page can run VBScript or JScript within a privileged context, granting attackers significant control over the local system. Specula automates this process, allowing for continuous command execution without manual intervention.





Preventing Home Page Attacks





New Outlook
New Outlook




To mitigate this threat, TrustedSec recommends several measures:






  1. Adopt the New Outlook: The new version operates as a packaged web page, lacking compatibility with COM extensions and effectively removing the exploit vector.




  2. Disable VBScript: Future versions of Windows 11 will allow the removal of the VBScript engine, crippling this attack vector.




  3. Use Group Policy Object (GPO): Configure GPO to disable WebView and prevent users from setting custom home pages.




  4. Leverage Microsoft Security Compliance Toolkit: This toolkit can lock down Outlook’s web engine, preventing script execution.





Outlook Today - Disabled Setting
Outlook Today – Disabled Setting




Detecting Home Page Attacks





Organizations should monitor the Registry for URL values under specific keys related to Outlook’s WebView feature. These keys include:






  • HKCU\Software\Microsoft\Office\16.0\Outlook\WebView\Inbox




  • HKCU\Software\Microsoft\Office\16.0\Outlook\WebView\Calendar




  • HKCU\Software\Microsoft\Office\16.0\Outlook\WebView\Contacts




  • And similar keys for other Outlook versions and folders.





The release of Specula by TrustedSec underscores the importance of vigilance in cybersecurity.





While the tool powerfully reminds us of potential risks, it also calls on organizations to review and strengthen their defenses against such vulnerabilities.





As the cybersecurity landscape continues to evolve, staying informed and proactive is crucial to safeguarding sensitive information and maintaining network integrity.





Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access


The post New Specula Tool Turning Outlook as a C2 Server by Leveraging Registry appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.



Source: gbHackers
Source Link: https://gbhackers.com/new-specula-tool-turning-outlook/


Comments
new comment
Nobody has commented yet. Will you be the first?
 
Forum
Red Team (CNA)



Copyright 2012 through 2024 - National Cyber Warfare Foundation - All rights reserved worldwide.