CVE-2017-0199

CVE-2017-0199 is a vulnerability in Microsoft Office that allows remote attackers to execute arbitrary code via a crafted document. In 2020, a campaign attributed to North Korea that targeted American and European defense and aerospace industries was spotted abusing CVE-2017-0199. [30]

Like CVE-2017-11882, mentioned above, CVE-2017-0199 is one of the Top Ten flaws exploited by nation-state actors from China, North Korea, Russia and Iran. Nation-state groups spotted exploiting this CVE include:

1. The Chinese TA459 group. [31] According to researchers, they targeted major financial firms.
2. The Gaza Cybergang group. [32] The group abused this CVE in attacks against government and oil and gas organizations in the Middle East.
3. The Iranian APT 34 (aka OilRig). [33] They abused this CVE while targeting multiple Israeli organizations.

In addition, both flaws were sometimes abused in the same campaign, such as the phishing campaign that targeted Ukrainian users in 2018. [34]

30. https://www.sentinelone.com/blog/the-blindingcan-rat-and-malicious-north-korean-activity/
31. https://securityaffairs.co/wordpress/58692/apt/ta459-apt-targets-financial-firms.html
32. https://securelist.com/gaza-cybergang-updated-2017-activity/82765/
33. https://www.securityweek.com/iranian-cyberspies-exploit-recently-patched-office-flaw; https://securelist.com/apt-trends-report-q2-2017/79332/
34. https://www.zdnet.com/article/hacking-campaign-uses-old-microsoft-office-flaws-to-create-backdoors-steal-files/

10 Vulnerability Threat Intelligence Report