The recently patched Windows MSHTML remote code execution vulnerability is being targeted by numerous threat actors, including ransomware affiliates, according to Microsoft.
According to the company, the vulnerability (tracked as CVE-2021-40444) was first exploited in the wild on August 18, more than two weeks before Microsoft released a security advisory with a partial fix.
The small number of initial attacks (fewer than 10) used maliciously crafted Office documents, according to telemetry data reviewed by security researchers at the Microsoft 365 Defender Threat Intelligence Team and the Microsoft Threat Intelligence Center (MSTIC).
These attacks targeted the CVE-2021-40444 issue “as part of an early access effort that delivered modified Cobalt Strike Beacon loaders.”
Beacons installed on at least one victim’s network communicated with malicious infrastructure linked to a variety of cybercrime campaigns, including human-operated ransomware.
Some of the Cobalt Strike infrastructure used in the August CVE-2021-40444 attacks had also been used in the past to deliver BazaLoader and Trickbot payloads, overlapping with the DEV-0193 activity cluster, which Mandiant tracks as UNC1878 and RiskIQ as WIZARD SPIDER / RYUK.
The payloads delivered also overlapped with DEV-0365, an activity cluster connected with infrastructure that other parties could use as a Cobalt Strike command-and-control (C2) service (CS-C2aaS).
Ransomware gangs took advantage of the vulnerability once it was made public.
Within 24 hours of the CVE-2021-40444 advisory being released, Microsoft saw a sharp spike in exploitation attempts.
“Since the public exposure, Microsoft has noticed a number of threat actors, including ransomware-as-a-service affiliates, incorporating publicly published proof-of-concept malware into their toolkits,” the researchers said.
“Microsoft is keeping a close eye on the situation and is working to separate testing from actual exploitation.”
Other attack groups and actors will likely continue to add CVE-2021-40444 exploits to their arsenal in the coming days and weeks, according to Justin Warner, an MSTIC Threat Intelligence analyst.
To protect against incoming threats, Microsoft advises installing the CVE-2021-40444 security patches published during Patch Tuesday in September 2021.
CVE-2021-40444 affects systems running Windows Server 2008 through 2019 and Windows 8.1 or later, and carries a CVSS severity score of 8.8 out of 10.
Microsoft’s security patches include a Monthly Rollup, a Security Only update, and an Internet Explorer cumulative update that fix the issue for all vulnerable Windows versions.
After the September 2021 security updates are installed, known CVE-2021-40444 exploits no longer work, according to BleepingComputer.
Customers that cannot deploy the security updates should apply Microsoft’s workarounds to reduce the attack surface: disabling ActiveX controls via Group Policy and disabling document preview in Windows Explorer.
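As an added example that is not part of this article, the following PowerShell script audits whether the ActiveX half of that workaround is in place on a host. It reads, for each of the four Internet Explorer security zones, the Internet Settings values 1001 (download signed ActiveX controls) and 1004 (download unsigned ActiveX controls), which Microsoft’s advisory workaround sets to 3 (Disable); the registry path and value names are taken from that advisory, while the function name and the -Apply switch are this script’s own additions.

```powershell
# Added example, not from the article: audit (and optionally apply) the ActiveX part of
# Microsoft's CVE-2021-40444 workaround. Path and value names per Microsoft's advisory:
# zones 0-3 under Internet Settings\Zones, values 1001 (download signed ActiveX controls)
# and 1004 (download unsigned ActiveX controls), each set to DWORD 3 = "Disable".
function Test-ActiveXWorkaround {
    [CmdletBinding()]
    param(
        # Set the values instead of only reporting them (requires an elevated shell).
        [switch]$Apply
    )
    $zoneRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    $settings = [ordered]@{
        '1001' = 'Download signed ActiveX controls'
        '1004' = 'Download unsigned ActiveX controls'
    }
    foreach ($zone in 0..3) {
        $key = Join-Path $zoneRoot $zone
        if (-not (Test-Path $key)) {
            Write-Warning "Zone key missing: $key"
            continue
        }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $settings.Keys) {
            $value = $props.$name          # $null when the value has never been set
            if ($Apply -and $value -ne 3) {
                Set-ItemProperty -Path $key -Name $name -Value 3 -Type DWord
                $value = 3
            }
            [pscustomobject]@{
                Zone      = $zone
                Setting   = $settings[$name]
                Value     = $value
                Mitigated = ($value -eq 3)
            }
        }
    }
}

# Usage: report only; add -Apply from an elevated prompt to set the values.
$results = Test-ActiveXWorkaround
$results | Format-Table -AutoSize
if ($results.Mitigated -contains $false) {
    Write-Warning 'ActiveX downloads are still allowed in at least one zone; the workaround is not fully applied.'
}
```

When the setting is enforced through Group Policy rather than a local registry change, the effective value may live under the policy hive instead, so a negative result here should be confirmed against the applied policy before concluding the host is unmitigated.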