3 June 2022

Hackers use recently disclosed Windows MSDT zero-day in attacks targeting state bodies in Ukraine


Hackers use recently disclosed Windows MSDT zero-day in attacks targeting state bodies in Ukraine

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new malicious campaign that exploits two Windows zero-day vulnerabilities in order to infect networks belonging to Ukrainian government agencies with the Cobalt Strike Beacon malware.

Cobalt Strike is a paid penetration testing product that allows threat actors to deploy an agent named 'Beacon' on the victim machine. Beacon’ functionality includes (but not limited to) command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement.

The observed campaign involves phishing emails with the subject “Зміни оплата праці з нарахуваннями” (“Salary changes with accruals”) with an attachment in the form of a malicious Microsoft Word document, which contains a link to an HTML file. Once the document is opened, JavaScript code is executed on the machine, which triggers the exploitation of the CVE-2021-40444 and CVE-2022-30190 vulnerabilities, and ultimately leads to the download of Cobalt Strike Beacon onto a compromised computer.

CVE-2021-40444 is an RCE vulnerability within the Windows MSHTML component. It allows a remote hacker to execute code on a victim machine using a specially crafted Office document with a malicious ActiveX control inside.

CVE-2022-30190 is a recently disclosed issue affecting the Microsoft Windows Support Diagnostic Tool (MSDT). It allows a remote attacker to execute arbitrary shell commands on the target system. At present, there is no fix available for this bug.

CERT-UA’s advisory also includes Indicators of Compromise (IoCs) related to this campaign.

Cybersecurity Help statement on the critical situation in Ukraine

On February 24, people in many cities and towns across Ukraine woke up to the sounds of explosions and artillery fire, as the Russian Federation launched a full-scale invasion of the country. Such actions are unacceptable, political ambitions of any man aren’t worth of blood, tears, and destruction of millions of lives. We give our full support to the Ukrainian people in these hard times. No more war! Слава Україні!

Back to the list

Latest Posts

Free VPN apps on Google Play turned Android devices into residential proxies

Free VPN apps on Google Play turned Android devices into residential proxies

The threat actor behind this scheme profits by selling access to the residential proxy network to third parties.
28 March 2024
Cyber spies strike Indian government and energy sectors

Cyber spies strike Indian government and energy sectors

The operation involved phishing emails delivering the HackBrowserData info-stealer.
28 March 2024
Spyware makers and state-backed hackers are primary culprits behind rise in zero-day exploits, Google says

Spyware makers and state-backed hackers are primary culprits behind rise in zero-day exploits, Google says

97 zero-day flaws were exploited in-the-wild in 2023, marking an increase of over 50% compared to 2022.
27 March 2024