3 June 2022

Hackers use recently disclosed Windows MSDT zero-day in attacks targeting state bodies in Ukraine


Hackers use recently disclosed Windows MSDT zero-day in attacks targeting state bodies in Ukraine

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new malicious campaign that exploits two Windows zero-day vulnerabilities in order to infect networks belonging to Ukrainian government agencies with the Cobalt Strike Beacon malware.

Cobalt Strike is a paid penetration testing product that allows threat actors to deploy an agent named 'Beacon' on the victim machine. Beacon’ functionality includes (but not limited to) command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement.

The observed campaign involves phishing emails with the subject “Зміни оплата праці з нарахуваннями” (“Salary changes with accruals”) with an attachment in the form of a malicious Microsoft Word document, which contains a link to an HTML file. Once the document is opened, JavaScript code is executed on the machine, which triggers the exploitation of the CVE-2021-40444 and CVE-2022-30190 vulnerabilities, and ultimately leads to the download of Cobalt Strike Beacon onto a compromised computer.

CVE-2021-40444 is an RCE vulnerability within the Windows MSHTML component. It allows a remote hacker to execute code on a victim machine using a specially crafted Office document with a malicious ActiveX control inside.

CVE-2022-30190 is a recently disclosed issue affecting the Microsoft Windows Support Diagnostic Tool (MSDT). It allows a remote attacker to execute arbitrary shell commands on the target system. At present, there is no fix available for this bug.

CERT-UA’s advisory also includes Indicators of Compromise (IoCs) related to this campaign.

Cybersecurity Help statement on the critical situation in Ukraine

On February 24, people in many cities and towns across Ukraine woke up to the sounds of explosions and artillery fire, as the Russian Federation launched a full-scale invasion of the country. Such actions are unacceptable, political ambitions of any man aren’t worth of blood, tears, and destruction of millions of lives. We give our full support to the Ukrainian people in these hard times. No more war! Слава Україні!

Back to the list

Latest Posts

Cyber Security Week In Review: December 1, 2023

Cyber Security Week In Review: December 1, 2023

The world in brief: Apple, Google fix WebKit, Chrome zero-days, Qlik Sense bugs exploited by Cactus ransomware, and more.
1 December 2023
New GoTitan botnet exploits recently patched Apache ActiveMQ flaw

New GoTitan botnet exploits recently patched Apache ActiveMQ flaw

GoTitan is designed for launching DDoS attacks via protocols such as HTTP, UDP, TCP, and TLS.
30 November 2023
US sanctions Sindbad crypto mixer allegedly used by North Korea’s Lazarus hackers

US sanctions Sindbad crypto mixer allegedly used by North Korea’s Lazarus hackers

The authorities described the service as “a key money-laundering tool” of Lazarus.
30 November 2023