Microsoft warns of attacks exploiting recently patched Windows MSHTML CVE-2021-40444 bug

Pierluigi Paganini September 16, 2021

Microsoft revealed that multiple threat actors are exploiting the recently patched Windows MSHTML remote code execution security flaw (CVE-2021-40444).

Microsoft warns of multiple threat actors, including ransomware operators, that are exploiting the recently patched Windows MSHTML remote code execution security flaw (CVE-2021-40444) in attacks against organizations.

The IT giant says that threat actors started targeting this issue on August 18, before Microsoft shared mitigation for this vulnerability, threat actors used weaponized Office documents. The campaigns observed August 2021 likely employed emails impersonating contracts and legal agreements, the messages used documents that were hosted on file-sharing sites. 

“In August, Microsoft Threat Intelligence Center (MSTIC) identified a small number of attacks (less than 10) that attempted to exploit a remote code execution vulnerability in MSHTML using specially crafted Microsoft Office documents. These attacks used the vulnerability, tracked as CVE-2021-40444, as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders.” reads the post published by Microsoft. “These loaders communicated with an infrastructure that Microsoft associates with multiple cybercriminal campaigns, including human-operated ransomware.”

Experts noticed that loaders employed in the attacks connected with the C2 infrastructure connected with several cybercrime campaigns, including ransomware operators.

cve-2021-40444 attacks

MSTIC researchers track a large cluster of malicious activity involving Cobalt Strike infrastructure under the name DEV-0365, which has many similarities with another Cobalt Strike infrastructure that suggest it was managed by a third-party threat actor. 

“Additionally, some of the infrastructure that hosted the oleObjects utilized in the August 2021 attacks abusing CVE-2021-40444 were also involved in the delivery of BazaLoader and Trickbot payloads — activity that overlaps with a group Microsoft tracks as DEV-0193. DEV-0193 activities overlap with actions tracked by Mandiant as UNC1878.” continues the report. “Due to the uncertainty surrounding the nature of the shared qualities of DEV-0365 infrastructure and the significant variation in malicious activity, MSTIC clustered the initial email campaign exploitation identified as CVE-2021-40444 activity separately, under DEV-0413.”

On September 7, 2021, Microsoft shared a partial workaround for the flaw, and only in 24 hours they observed a rise in exploitation attempts within.

CVE-2021-40444 exploitation

Microsoft continues to monitor the evolution of the attacks in the wild and urges customers to apply the September 2021 Patch Tuesday security updates to prevent the exploitation of CVE-2021-40444.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment