Windows MSHTML bug is now being exploited by ransomware gangs

Microsoft says multiple threat actors, including ransomware affiliates, are targeting the recently patched Windows MSHTML remote code execution security flaw.

In-the-wild exploitation of this vulnerability (tracked as CVE-2021-40444) started on August 18, according to the company, more than two weeks before Microsoft issued a security advisory with a partial workaround.

According to telemetry data analyzed by security analysts from the Microsoft 365 Defender Threat Intelligence team and the Microsoft Threat Intelligence Center (MSTIC), the small number of initial attacks (fewer than 10) used maliciously crafted Office documents.

These attacks exploited CVE-2021-40444 “as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders.”

Beacons deployed on at least one victim’s network communicated with malicious infrastructure linked to several cybercrime campaigns, including human-operated ransomware.

Some of the Cobalt Strike infrastructure used in the August CVE-2021-40444 attacks had also been used in the past to deliver BazaLoader and Trickbot payloads, activity that overlaps with the DEV-0193 activity cluster, tracked by Mandiant as UNC1878 and, according to RiskIQ, also known as WIZARD SPIDER / RYUK.

The delivered payloads also overlapped with DEV-0365, an activity cluster associated with infrastructure that is possibly operated as a Cobalt Strike command-and-control service for other groups (CS-C2aaS).

CVE-2021-40444 attack chain (Microsoft)

Exploited by ransomware gangs after public disclosure

Microsoft also observed a massive increase in exploit attempts within 24 hours of the CVE-2021-40444 advisory being issued.

“Since the public disclosure, Microsoft has observed multiple threat actors, including ransomware-as-a-service affiliates, adopt publicly disclosed proof-of-concept code into their toolkits,” the researchers added.

“Microsoft continues to monitor the situation and work to deconflict testing and actual exploitation.”

Justin Warner, an MSTIC threat intelligence analyst, added that other threat groups and actors will likely continue to add CVE-2021-40444 exploits to their arsenals in the days and weeks to come.

CVE-2021-40444 exploit (Microsoft)

Microsoft recommends immediately applying the CVE-2021-40444 security updates released with the September 2021 Patch Tuesday to block incoming attacks.

CVE-2021-40444 affects systems running Windows Server 2008 through 2019 and Windows 8.1 or later, and it carries a CVSS severity score of 8.8 out of a maximum of 10.

The security updates released by Microsoft address the vulnerability for all affected Windows versions and include a Monthly Rollup, a Security Only update, and an Internet Explorer Cumulative Update.

BleepingComputer has independently confirmed that known CVE-2021-40444 exploits no longer work after applying the September 2021 security patches.

To reduce the attack surface, customers who cannot apply the security updates should implement Microsoft's workarounds (disabling ActiveX controls in Internet Explorer via Group Policy, and disabling document preview in Windows Explorer).
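The script below is an added example, not a script from this article or from Microsoft, showing how an administrator could apply and verify those two interim workarounds from an elevated PowerShell session. The registry locations and values are the ones Microsoft's CVE-2021-40444 advisory documents: ActiveX download actions 1001 and 1004 set to 3 (Disable) in every URL security zone under the machine policy hive, and the Explorer preview-handler ShellEx key cleared for the document types the exploit was delivered in. The function names, and the choice to cover only .docx, .doc and .rtf in the preview-pane step, are this example's own assumptions; check the advisory for the full extension list and remove the workaround once the September 2021 updates are installed.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or from Microsoft). Function names are assumed.
# Interim CVE-2021-40444 hardening: block ActiveX installation in Internet Explorer
# for all URL security zones, and stop Windows Explorer from previewing Office documents.

$ZonesKey       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ActiveXActions = @('1001', '1004')   # download signed / unsigned ActiveX controls
$Disabled       = 3                   # 0 = Enable, 1 = Prompt, 3 = Disable
$Zones          = 0..3                # My Computer, Local intranet, Trusted sites, Internet

function Set-MshtmlActiveXWorkaround {
    # Write the policy values for every zone; HKLM\...\Policies overrides per-user settings.
    foreach ($zone in $Zones) {
        $path = Join-Path $ZonesKey $zone
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        foreach ($action in $ActiveXActions) {
            New-ItemProperty -Path $path -Name $action -Value $Disabled `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

function Test-MshtmlActiveXWorkaround {
    # Returns $true only when every zone/action pair exists and equals 3; warns about each gap.
    $gaps = foreach ($zone in $Zones) {
        $path = Join-Path $ZonesKey $zone
        foreach ($action in $ActiveXActions) {
            $value = (Get-ItemProperty -Path $path -Name $action -ErrorAction SilentlyContinue).$action
            if ($value -ne $Disabled) {
                $shown = if ($null -eq $value) { '<missing>' } else { $value }
                "Zone $zone action $action = $shown (expected $Disabled)"
            }
        }
    }
    if ($gaps) { $gaps | ForEach-Object { Write-Warning $_ }; return $false }
    return $true
}

function Disable-OfficePreviewHandlers {
    # Second workaround: clear the (Default) value of the IPreviewHandler ShellEx key so the
    # Explorer preview pane no longer renders these documents. Returns the previous values
    # so they can be restored with Set-ItemProperty once the patch is applied.
    param([string[]]$Extensions = @('.docx', '.doc', '.rtf'))   # assumed subset; see advisory
    $previewHandlerGuid = '{8895b1c6-b41f-4c1c-a562-0d564250836f}'
    $backup = @{}
    foreach ($ext in $Extensions) {
        $path = "Registry::HKEY_CLASSES_ROOT\$ext\ShellEx\$previewHandlerGuid"
        if (-not (Test-Path $path)) { continue }
        $current = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).'(default)'
        if ($null -ne $current) {
            $backup[$path] = $current
            Remove-ItemProperty -Path $path -Name '(default)' -ErrorAction Stop
        }
    }
    return $backup
}

# Usage: apply both workarounds, then verify the ActiveX policy took effect.
Set-MshtmlActiveXWorkaround
$previewBackup = Disable-OfficePreviewHandlers
$previewBackup | Export-Clixml -Path "$env:ProgramData\mshtml-preview-backup.xml"
if (Test-MshtmlActiveXWorkaround) { 'ActiveX download disabled in all zones.' }
```

Run the verification function again after any Group Policy refresh: a domain GPO that manages the same Internet Settings zone values will overwrite a local change, and the policy hive is the one Internet Explorer consults, so a missing or non-3 value in any zone means the workaround is not in force for that zone. The preview-pane backup file is written so the original handlers can be restored after patching; a reboot or Explorer restart is needed for the preview change to take effect.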
