17 September 2021

Windows MSHTML bug used in ransomware attacks, Microsoft says

Multiple cyber threat actors, including ransomware operators and nation state hackers, have been exploiting a recently patched Windows MSHTML vulnerability as part of initial access campaigns that deployed custom Cobalt Strike Beacon loaders, Microsoft Threat Intelligence Center (MSTIC) said in a new report detailing the attacks.

The vulnerability in question is an improper input validation issue (CVE-2021-40444) in the MSHTML component that allows a remote attacker to execute arbitrary code on the target system by tricking a user into opening a specially crafted Microsoft Office document that embeds a malicious ActiveX control.

CVE-2021-40444 affects systems running Windows Server 2008 through 2019 and Windows 8.1 or later.

In-the-wild exploitation of CVE-2021-40444 began on August 18, Microsoft said. The company said it observed a small number of initial attacks (fewer than 10) that used maliciously crafted Office documents.

“While these attacks used a vulnerability to access entry point devices and run highly-privileged code, the secondary actions taken by the attackers still rely on stealing credentials and moving laterally to cause organization-wide impact,” the MSTIC team explains.

According to Microsoft's RiskIQ subsidiary, some of the network infrastructure used in the CVE-2021-40444 attacks (which Microsoft linked to the DEV-0365 cluster of activity) had previously been used by the Wizard Spider cybercriminal group, believed to be the Russia-based operator of the TrickBot banking malware, as well as by UNC1878 (DEV-0193) and Ryuk threat actors. That infrastructure served to deploy Ryuk/Conti and BazaLoader/BazarLoader malware in targeted ransomware campaigns.

“At least one organization that was successfully compromised by DEV-0413 in their August campaign was previously compromised by a wave of similarly-themed malware that interacted with DEV-0365 infrastructure almost two months before the CVE-2021-40444 attack. It is currently not known whether the retargeting of this organization was intentional, but it reinforces the connection between DEV-0413 and DEV-0365 beyond sharing of infrastructure,” Microsoft said.

The tech giant also observed a massive increase in exploitation attempts within 24 hours after the CVE-2021-40444 advisory was released.

Users are advised to apply the CVE-2021-40444 security updates released as part of the September 2021 Patch Tuesday to block incoming attacks.