Windows MSHTML bug used in ransomware attacks, Microsoft says

Multiple cyber threat actors, including ransomware operators and nation state hackers, have been exploiting a recently patched Windows MSHTML vulnerability as part of initial access campaigns that deployed custom Cobalt Strike Beacon loaders, Microsoft Threat Intelligence Center (MSTIC) said in a new report detailing the attacks.

The vulnerability in question, CVE-2021-40444, is an improper input validation issue in the MSHTML component that allows a remote attacker to execute arbitrary code on the target system by tricking a user into opening a specially crafted Microsoft Office document that contains a malicious ActiveX control.
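For analysts triaging Office attachments, the practical question is how the lure documents described above can be recognised before they are opened. The following Python scanner is an added example written for this page, not code from Microsoft or from the report: it unpacks an OOXML document, reads every `.rels` part and flags relationships that point outside the package and either carry the `oleObject` relationship type or use an `mhtml:` target, the externally-loaded OLE shape publicly reported for CVE-2021-40444 lure documents (that detection rule is the example's own assumption). The sample documents and the `lure.example.invalid` host are constructed inline so the script runs offline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")


def find_external_ole_relationships(docx_bytes):
    """Scan every .rels part inside an OOXML package and return the
    relationships that point outside the package (TargetMode="External")
    and either carry the oleObject type or use an mhtml: target.

    Each finding is a dict with the rels part name, relationship Id,
    Type and Target so an analyst can pivot to the referencing XML."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(part))
            except ET.ParseError:
                # A malformed relationship part deserves a manual look,
                # but this scanner only reports what it can parse.
                continue
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                rel_type = rel.get("Type", "")
                if rel_type == OLE_REL_TYPE or target.lower().startswith("mhtml:"):
                    findings.append({
                        "part": part,
                        "id": rel.get("Id", ""),
                        "type": rel_type,
                        "target": target,
                    })
    return findings


def build_sample_docx(with_external_ole):
    """Build a minimal constructed .docx in memory. When with_external_ole
    is set, the document relationships include an oleObject that points at
    an external mhtml: URL on a constructed, non-routable host."""
    rels = [
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
        'officeDocument/2006/relationships/styles" Target="styles.xml"/>'
    ]
    if with_external_ole:
        rels.append(
            '<Relationship Id="rId2" Type="%s" '
            'Target="mhtml:http://lure.example.invalid/side.html" '
            'TargetMode="External"/>' % OLE_REL_TYPE
        )
    rels_xml = ('<?xml version="1.0" encoding="UTF-8"?>'
                '<Relationships xmlns="%s">%s</Relationships>'
                % (RELS_NS, "".join(rels)))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", '<?xml version="1.0"?><document/>')
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("benign", build_sample_docx(False)),
                       ("suspicious", build_sample_docx(True))):
        hits = find_external_ole_relationships(doc)
        print("%s: %d external OLE/mhtml relationship(s)" % (label, len(hits)))
        for hit in hits:
            print("  %s %s -> %s" % (hit["part"], hit["id"], hit["target"]))
```

The scanner reads relationship metadata only and never renders the document, so it is safe to run over a quarantine folder; a hit is a triage signal for the mail gateway or SOC, not proof of exploitation, since legitimate documents can also carry external relationships.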

CVE-2021-40444 affects systems running Windows Server 2008 through 2019 and Windows 8.1 or later.

In-the-wild exploitation of CVE-2021-40444 began on August 18, Microsoft said. The company said it observed a small number of initial attacks (fewer than 10) using maliciously crafted Office documents.

“While these attacks used a vulnerability to access entry point devices and run highly-privileged code, the secondary actions taken by the attackers still rely on stealing credentials and moving laterally to cause organization-wide impact,” the MSTIC team explains.

According to Microsoft’s RiskIQ subsidiary, some of the network infrastructure (which Microsoft linked to the DEV-0365 cluster of activity) used in the CVE-2021-40444 attacks was previously used by the Wizard Spider cybercriminal group (believed to be the Russia-based operator of the TrickBot banking malware), as well as UNC1878 (DEV-0193) and Ryuk threat actors to deploy Ryuk/Conti and BazaLoader/BazarLoader malware in targeted ransomware campaigns.

“At least one organization that was successfully compromised by DEV-0413 in their August campaign was previously compromised by a wave of similarly-themed malware that interacted with DEV-0365 infrastructure almost two months before the CVE-2021-40444 attack. It is currently not known whether the retargeting of this organization was intentional, but it reinforces the connection between DEV-0413 and DEV-0365 beyond sharing of infrastructure,” Microsoft said.

The tech giant also observed a massive increase in exploitation attempts within 24 hours after the CVE-2021-40444 advisory was released.

Users are advised to apply the CVE-2021-40444 security updates released as part of the September 2021 Patch Tuesday to block incoming attacks.
