3 June 2022

Hackers use recently disclosed Windows MSDT zero-day in attacks targeting state bodies in Ukraine



The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new malicious campaign that exploits two Windows zero-day vulnerabilities in order to infect networks belonging to Ukrainian government agencies with the Cobalt Strike Beacon malware.

Cobalt Strike is a paid penetration testing product that allows threat actors to deploy an agent named 'Beacon' on the victim machine. Beacon's functionality includes (but is not limited to) command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement.

The observed campaign involves phishing emails with the subject “Зміни оплата праці з нарахуваннями” (“Salary changes with accruals”) with an attachment in the form of a malicious Microsoft Word document, which contains a link to an HTML file. Once the document is opened, JavaScript code is executed on the machine, which triggers the exploitation of the CVE-2021-40444 and CVE-2022-30190 vulnerabilities, and ultimately leads to the download of Cobalt Strike Beacon onto a compromised computer.

CVE-2021-40444 is an RCE vulnerability within the Windows MSHTML component. It allows a remote hacker to execute code on a victim machine using a specially crafted Office document with a malicious ActiveX control inside.

CVE-2022-30190 is a recently disclosed issue affecting the Microsoft Windows Support Diagnostic Tool (MSDT). It allows a remote attacker to execute arbitrary shell commands on the target system. At present, there is no fix available for this bug.

CERT-UA’s advisory also includes Indicators of Compromise (IoCs) related to this campaign.

Cybersecurity Help statement on the critical situation in Ukraine

On February 24, people in many cities and towns across Ukraine woke up to the sounds of explosions and artillery fire, as the Russian Federation launched a full-scale invasion of the country. Such actions are unacceptable; the political ambitions of any man aren't worth the blood, tears, and destruction of millions of lives. We give our full support to the Ukrainian people in these hard times. No more war! Слава Україні!
