facebook no scriptWindows MSHTML Patched RCE Vulnerability CVE-2021-40444 yet again under active exploitation | Secure Blink
Microsoft
RCE
Windows MSHTML
Windows MSHTML Patched RCE Vulnerability CVE-2021-40444 yet again under active exploitation
Windows MSHTML remote code execution vulnerability (CVE-2021-40444) that has been recently patched found heavily exploited says Microsoft...
thumbnail
Team SecureBlink
16 Sept 2021
3 min read

Microsoft warns about the recently patched Windows MSHTML remote code execution vulnerability tracked (CVE-2021-40444) that has been under active exploitation by multiple threat actors including ransomware operators in an ongoing adversary campaign against companies


According to Microsoft, these adversaries engaged in targeting this vulnerability even before they published remediation for the flaw. Threat actors used weaponized Office documents. They accessed documents available on file-sharing sites to create emails that looked like contracts and legal agreements.


"A small number (less than 10) of attacks were found in August by Microsoft Threat Intelligence Center (MSTIC) that attempted to exploit remote code execution vulnerability in MSHTML utilizing Microsoft Office documents that were developed in particular. The vulnerability, identified as CVE-2021-40444, was utilized as a part of a first campaign to distribute bespoke Cobalt Strike Beacon loaders." Mentioned in the Microsoft-published post.


"These loaders communicated with a numerous cybercriminal campaign infrastructure associated with Microsoft, including human ransomware."


Experts discovered that loaders used in assaults on the C2 infrastructure were linked to a host of cybercrime schemes, including ransomware operators.


cve-2021-40444-attacks

DEV-0365, which shares numerous similarities with another Cobalt Strike infrastructure, suggests it was handled by a third-party threat actor, according to MSTIC experts.


"Furthermore, the BazaLoader and Trickbot Payloads activity that overlaps with Microsoft tracking groups such as DEV-0193 was also involved in portions of the infrastructure that housed the oleObjects used in the August 2021 attacks abusing CVE-2021-40444. Activities DEV-0193 intersect with activity recorded by Mandiant under the UNC1878."


"Because of the uncertainty surrounding the shared nature of the DEV-0365 infrastructure and the significant variety in malicious activities, the MSTIC clustered independently under DEV-0413 the initial email campaign operations detected as CVE-2021-40444."


CVE-2021-40444-exploitation

Following the release of a temporary fix on September 7, 2021, Microsoft observed an increase in exploitation attempts within 24 hours continuing to monitor the development of these ongoing attacks in the wild and advised their customers to install the September 2021 Patch Tuesday security updates in order to avoid the exploitation of CVE-2021-40444.