As a courtesy to the industry and any impacted organizations, the CompTIA ISAO is providing complimentary access to our Active Exploits Discussion/Recommendations forum. All related threat reports and discussion items will be posted to these threads. We all need to work together to help businesses better understand the threat landscape and prepare for attacks, current and future.
Thanks MJ and Matthew, this is concerning but there are quite a few pre-requisites or conditions -- if you will that must bet met before actual exploitation can occur.
I was reviewing this as it was released and it appears that the initial attack would require an end user to open a malicious ActiveX control delivered via an Microsoft Office document before the vulnerability can be leveraged in an attack, " Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents, (Microsoft, 2021)."
I consider this threat similar to those where malware is delivered through typical phishing attacks. We have observed Remote Access Trojans, Ransomware, as well various forms of malicious content delivered in email phishing campaigns that can be devastating for companies;
Remote access trojans have also been delivered through office documents via macro code and if opened could give an attacker access to the victims machine. Depending on what security controls have been installed and enabled on the users machine, an attacker could then move laterally or perform a little bit of reconnaissance before deciding what they would like to do next.
It's interesting that in Microsoft advisory, they mention security controls in a similar way, "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights, (Microsoft, 2021)." This indicates that privilege's escalation may not be possible and that this exploit provides initial access primarily.
It's highly likely that if a company were targeted in one of these attacks it would be conducted in one of two ways,
Phishing/Spear-Phishing with Social Engineering or company specific targeting
I consider the mitigation for this zero-day the same as ones we have talked about for phishing attacks, as the initial attack vector requires user input from a receiving party. I would also think that it would be easier for an attacker with less effort to deliver a cobalt strike beacon or typical RAT to achieve 'more' as a result of their efforts. Quite a few RAT tools have capabilities built-in that allow privilege escalation, bypass ACL's, essentially giving the attacker a key to do whatever they would like. We will continue to follow and see what Microsoft proposes in addition to recently released work arounds.
The only thing I'd add is that researchers have found ways to exploit this vulnerability without using ActiveX or even an Office document. The vulnerability is in MSHTML, a core component of Windows, not in Office itself. The main example I've seen is a malicious RTF triggering an exploit when viewed in Windows Explorer preview mode. MSHTML is also the WebBrowser control in Skype for example, older versions of Visual Studio, Outlook, Windows Explorer, etc. Theoretically, anything using MSHTML can be exploited.
The active attack we've observed, is downloading a Cobalt Strike payload from hidusi[.]com
Has anyone found anything that can mitigate the issue currently? Nothing I have found so far points to a viable mitigation tactic. The blocking of Active X that was originally suggested doesn't mitigate the attack. I would be very thankful for any guidance.
Windows Zero-day CVE-2021-40444 is being actively exploited in attacks. The vulnerability was disclosed on Tuesday with little details and is still awaiting an official patch. The vulnerability uses malicious ActiveX controls to exploit various Windows programs including Microsoft Office 365 and Office 2019, and can be used to install malware on an impacted computer.
Several malicious Word documents used in attacks have been discovered by Security researchers, shedding some light on the vulnerability. Although mitigations have been released by Microsoft, it appears these can be bypassed.
For the most part, Microsoft Office’s “Protected View” feature will block the exploit, but if a user clicks “Enable Editing” the attack can continue.
Microsoft Office will check if a document is marked with a “Mark of the Web” (MoTW) meaning it originated from the Internet. If that tag exists, the document will open in read-only mode until a user clicks on “Enable Editing.”
There are some issues with these defenses, first of all, users may be lured into enabling editing which will allow the malicious document to run. Second, Threat actors have clever ways of making a document not have the MOTW tag, which will negate this protection.
"If the document is in a container that is processed by something that is not MotW-aware, then the fact that the container was downloaded from the Internet will be moot. For example, if 7Zip opens an archive that came from the Internet, the extracted contents will have no indication that it came from the Internet. So no MotW, no Protected View. Similarly, if the document is in a container like an ISO file, a Windows user can simply double-click on the ISO to open it. But Windows doesn't treat the contents as having come from the Internet. So again, no MotW, no Protected View. This attack is more dangerous than macros because any organization that has chosen to disable or otherwise limit Macro execution will still be open to arbitrary code execution simply as the result of opening an Office document" (Bleeping Computer, 2021).
The vulnerability can also be used in RTF files which do not benefit from the Protected View security feature.
Earlier this week Microsoft released mitigations to prevent ActiveX controls from running in Internet Explorer, which would block attacks, but security researchers have found ways to bypass these mitigations. Now that the mitigations have been bypassed, CVE-2021-40444 has become more severe than originally thought. There is hope that Microsoft will be able to release a patch by next Tuesday during their Monthly Patch Tuesday updates. In the meantime users will need to avoid phishing and social engineering attacks that exploit this vulnerability.
No patch exists for this vulnerability and mitigations have been bypassed. Until a patch or further mitigations are released, users will need to avoid falling for phishing attacks related to CVE-2021-40444.
“One of the known malicious Word attachments used in the attacks is named “A Letter before court 4.docx” and claims to be a letter from an attorney. Since the file was downloaded from the Internet, it will be tagged with the 'Mark of the Web' and opened in Protected View” (Bleeping Computer, 2021).
TrendMicro states that the ultimate payload is installing a Cobalt Strike beacon, which would allow the threat actor to gain remote access to the device. Once the attacker gains remote access to victims' computers, they can use it to spread laterally throughout the network and install further malware, steal files, or deploy ransomware.
Due to the severity of this vulnerability, it is strongly advised that users only open attachments unless they come from a trusted source.
We will continue to post updates here. There are some hopes that a patch will be released next Tuesday, but we need to be prepared that it will not. I have not seen any fool proof mitigations, but our operations team will continue to monitor. There is some solace in the fact that this vulnerability needs user interaction to be successful, but paired with the right social engineering message, users will fall for these phishing attacks. It is worth reminding users/employees not to trust suspicious documents with unknown attachments, and to be warry of "enabling editing" on documents.
Windows MSHTML Zero-Day Exploits Shared on Hacking Forums
Last Tuesday, Microsoft disclosed a new zero-day vulnerability in Windows MSHTML that allows threat actors to create malicious documents, including Office and RTF docs, to execute commands on a victim's computer remotely.
Even though there are no security updates available for the CVE-2021-40444 vulnerability, as it was discovered used in active attacks by EXPMON and Mandiant, Microsoft decided to disclose the vulnerability and provide mitigations to help prevent its exploitation.
Researchers have been able to modify the exploit not to use ActiveX, effectively bypassing Microsoft's mitigations. The mitigations worked by blocking ActiveX controls and Word/RTF document previews in Windows Explorer.
Starting on Thursday, threat actors began sharing public information about the HTML component of the exploit and how to create the malicious document. On Friday, more instructions were posted on generating the payload and a CAB file that included the path traversal vulnerability component.
On Saturday, as researchers began releasing more details on Github and Twitter, the threat actors shared further details on how to generate all aspects of the exploit.
What is worrisome is that the, “The information is simple to follow and allows anyone to create their own working version of the CVE-2021-40444 exploit, including a python server to distribute the malicious documents and CAB files, (BleepingComputer, 2021).”
The good news is that since the vulnerability was disclosed, Microsoft Defender and other security programs can detect and block malicious documents and CAB files used in this attack.
For example, you can see below Microsoft Defender blocking the exploit as 'Trojan:Win32/CplLoader.a' and 'TrojanDownloader:HTML/Donoff.SA' detections.
Microsoft has also provided the following mitigations to block ActiveX controls in Internet Explorer, the default handler for the MSHTML protocol, and block document preview in Windows Explorer, they are available here at the end of the article: