CVE-2017-0199

Vulnerability Profile Updated 2 months ago
CVE-2017-0199 is a notable software vulnerability: a flaw in the design or implementation of Microsoft Office's Object Linking and Embedding (OLE) feature. It has been exploited over the years to spread several notorious malware families. In 2017 it was used to disseminate Dridex, a sophisticated strain of banking malware; by 2021 the same vulnerability was being used to spread GuLoader, a downloader that installs additional malware onto infected systems. The impact of CVE-2017-0199 has been widespread and significant. It has been employed by various threat actors, including Advanced Persistent Threat (APT) groups such as APT34, which quickly incorporated exploits for this vulnerability into their arsenal and used them against organizations primarily in the Middle East. Although not much high-end activity from Middle Eastern actors was observed, two reports were produced highlighting the use of this zero-day exploit in cyber operations in the region. In response to the ongoing threats posed by this vulnerability, Network Security Platform (NSP) customers have received new signatures for the "HTTP: Microsoft Office OLE Arbitrary Code Execution Vulnerability (CVE-2017-0199)" attack. These updates aim to provide better protection against attacks exploiting this vulnerability.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
ID (Votes): Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Vulnerability
FireEye
Exploit
Microsoft
Malware
Exploits
Associated Malware
ID (Type, Votes): Profile Description
Ramsay (Unspecified, 1 vote): Ramsay is a sophisticated malware that was discovered by researchers at ESET in 2020. This malicious software is designed to infiltrate and exploit air-gapped networks, which are typically isolated from other networks for security reasons. Once it has infected a system, Ramsay can collect and exfilt
ZeroT (Unspecified, 1 vote): ZeroT is a malicious software (malware) that was first discovered in 2016, designed to exploit and damage computer systems. It primarily infiltrated victims' machines through Trojan-infected Word documents attached to emails. One notable instance involved the CHM file 20160621.chm, which dropped the
PlugX (Unspecified, 1 vote): PlugX is a notorious malware, typically associated with Chinese threat actors, that has been used in various cyberattacks. This malicious software infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. It
POWRUNER (Unspecified, 1 vote): Powruner is a malicious software (malware) associated with other malware such as POWBAT and BONDUPDATER, and it is utilized by the Advanced Persistent Threat group APT34. The malware is designed to exploit and damage computer systems, often infiltrating via suspicious downloads, emails, or websites.
BONDUPDATER (Unspecified, 1 vote): BondUpdater is a malware first discovered by FireEye in mid-November 2017, when APT34 targeted a Middle Eastern governmental organization. This PowerShell-based Trojan is associated with other malicious programs such as POWBAT and POWRUNER. BondUpdater contains basic backdoor functionality that allo
Dridex (Unspecified, 1 vote): Dridex is a well-known malware, specifically a banking Trojan, that has been utilized by cybercriminals to exploit and damage computer systems. The malware infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user, and can steal personal information, disrupt o
GuLoader (Unspecified, 1 vote): GuLoader is a type of malware that infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, it can steal personal information, disrupt operations, or even hold data hostage for ransom. GuLoader is encrypted with NSIS Crypter and has
Finspy (Unspecified, 1 vote): FinSpy is a sophisticated malware developed by Gamma Group, also known as FinFisher or Lench IT Solutions. This malicious software has the ability to record audio, turn on the device's camera, and exfiltrate data from smartphones without the owner's awareness. It is typically delivered through explo
Associated Threat Actors
ID (Type, Votes): Profile Description
Gorgon Group (Unspecified, 1 vote): The Gorgon Group is a threat actor known for its cybercriminal activities, with a particular focus on financial fraud and cybercrime. They also engage in targeted attacks against government organizations, including entities in Russia, Spain, the UK, and the US. The group uses Bitly for distribution
OilRig (Unspecified, 1 vote): OilRig is a well-known threat actor in the cybersecurity landscape, notorious for its sophisticated attacks on various targets, including Middle Eastern telecommunications organizations and Israel's critical infrastructure sector. This entity has been linked to several high-profile campaigns such as
APT40 (Unspecified, 1 vote): APT40, also known as Red Ladon or IslandDreams, is a China-linked cyber espionage group that typically targets countries strategically important to China's Belt and Road Initiative. The group has been observed using at least 51 different code families, with its attack vectors often involving spear-p
MuddyWater (Unspecified, 1 vote): MuddyWater is a notable threat actor, officially linked to Iran's Ministry of Intelligence and Security (MOIS) by the US Cyber Command (USCYBERCOM) in January 2022. The group earned its name 'MuddyWater' due to the confusion in attributing a wave of attacks that occurred between February and October
Gamaredon (Unspecified, 1 vote): Gamaredon is a threat actor, or hacking team, believed to be Russian in origin and has been actively tracked since 2013. The group primarily targets Ukraine using malicious documents that deliver a range of home-brewed malware. The European Union's Computer Emergency Response Team (EU CERT) cites Ga
APT34 (Unspecified, 1 vote): APT34, also known as OilRig, EUROPIUM, Hazel Sandstorm, and Crambus among other names, is a threat actor believed to be operating on behalf of the Iranian government. Operational since at least 2014, APT34 has been involved in long-term cyber espionage operations primarily focused on reconnaissance
Associated Vulnerabilities
ID (Type, Votes): Profile Description
CVE-2017-11882 (Unspecified, 2 votes): CVE-2017-11882 is a software vulnerability present in Microsoft's Equation Editor, allowing for the execution of malicious code. This vulnerability was exploited by a tool known as Royal Road, which is shared among various Chinese state-sponsored groups. The tool facilitates the creation of harmful
Source Document References
Information about the CVE-2017-0199 vulnerability was read from the document corpus below. This display is limited to 20 results.
Source (Created At): Title
Checkpoint (4 months ago): 12th February – Threat Intelligence Report - Check Point Research
MITRE (a year ago): APT40: Examining a China-Nexus Espionage Actor | Mandiant
MITRE (a year ago): The Gorgon Group: Slithering Between Nation State and Cybercrime
CERT-EU (10 months ago): Years-old Microsoft bugs are still hot targets for criminals
MITRE (6 months ago): Operation (노스 스타) North Star A Job Offer That’s Too Good to be True? | McAfee Blog
MITRE (a year ago): Leviathan: Espionage actor spearphishes maritime and defense targets | Proofpoint US
CERT-EU (a year ago): Loader activity for Formbook "QM18", (Wed, Jul 12th) – Cyber Safe NV
Checkpoint (4 months ago): Maldocs of Word and Excel: Vigor of the Ages - Check Point Research
MITRE (a year ago): The Trail of BlackTech’s Cyber Espionage Campaigns
MITRE (a year ago): Ukraine links members of Gamaredon hacker group to Russian FSB
MITRE (a year ago): Mustang Panda | Threat Actor Profile | CrowdStrike
MITRE (a year ago): FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY | Mandiant
Securelist (a year ago): Non-mobile malware statistics, Q1 2023
MITRE (a year ago): New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit | Mandiant
Securelist (7 months ago): PC malware statistics, Q3 2023
MITRE (a year ago): Analysis of Ramsay components of Darkhotel's infiltration and isolation network - Programmer Sought
Securelist (a year ago): Kaspersky crimeware report: Emotet, DarkGate and LokiBot
MITRE (a year ago): OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan
Securityaffairs (2 months ago): Targeted operation against Ukraine exploited 7-year-old MS Office bug
InfoSecurity-magazine (a year ago): Cyber-Attacks Targeting Government Agencies Increase 40%