Summary

Last week, Microsoft reported the remote code execution vulnerability CVE-2021-40444 in the MSHTML browser engine. According to the company, this vulnerability has already been used in targeted attacks against Microsoft Office users. To exploit this vulnerability, attackers create a document with a specially crafted object. If a user opens the document, MS Office will download and execute a malicious script. According to our data, the same attacks are still happening all over the world. We are currently seeing attempts to exploit the CVE-2021-40444 vulnerability targeting companies in the research and development sector, the energy sector and large industrial sectors, banking and medical technology development sectors, as well as telecommunications and the IT sector. Due to its ease of exploitation and the few published Proof-of-Concept (PoC) exploits, we expect to see an increase in attacks using this vulnerability.

Geography of CVE-2021-40444 exploitation attempts

Kaspersky is aware of targeted attacks employing CVE-2021-40444, and our products protect against attacks leveraging the vulnerability. Possible detection names are:

HEUR:Exploit.MSOffice.CVE-2021-40444.a
HEUR:Trojan.MSOffice.Agent.gen
PDM:Exploit.Win32.Generic

Kill chain generated by KEDR during execution of a CVE-2021-40444 Proof-of-Concept

Experts at Kaspersky are monitoring the situation closely and improving the mechanisms that detect exploitation of this vulnerability using the Behavior Detection and Exploit Prevention components. Within our Managed Detection and Response service, our SOC experts are able to detect when this vulnerability is exploited, investigate such attacks and notify customers.

Technical details

The remote code execution vulnerability CVE-2021-40444 was found in MSHTML, the Internet Explorer browser engine, which is a component of modern Windows systems, both client and server. Furthermore, the engine is often used by other programs to work with web content (e.g. MS Word or MS PowerPoint). To exploit the vulnerability, attackers embed a special object in a Microsoft Office document containing a URL for a malicious script. If a victim opens the document, Microsoft Office will download the malicious script from the URL and run it using the MSHTML engine. The script can then use ActiveX controls to perform malicious activities on the victim's computer. For example, the original zero-day exploit used in targeted attacks at the time of detection utilized ActiveX controls to download and execute a Cobalt Strike payload. We are currently observing various types of malware, mostly backdoors, being delivered by exploiting the CVE-2021-40444 vulnerability.

Mitigations

Follow Microsoft security update guidelines.
Use the latest Threat Intelligence information to keep up to date with TTPs used by threat actors.
Businesses should use a security solution that offers vulnerability and patch management and exploit prevention components, such as the Automatic Exploit Prevention component in Kaspersky Endpoint Security for Business. The component monitors suspicious actions in applications and blocks malicious file execution.
Employ solutions like Kaspersky Endpoint Detection and Response and the Kaspersky Managed Detection and Response service, which help identify and stop an attack at an early stage, before the attackers achieve their final goal.

IoC

MD5
ef32824c7388a848c263deb4c360fd64
e58b75e1f588508de7c15a35e2553b86
e89dbc1097cfb8591430ff93d9952260

URL
hidusi[.]com
103.231.14[.]134
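The technical details above describe the lure as an Office document whose embedded object carries a URL from which the script is fetched, and the IoC list gives the hashes and network indicators seen in the wild. The following Python script is an added example written for this page, not Kaspersky's code or tooling: it opens a .docx as the ZIP archive it is, walks every `.rels` part, and flags OLE object relationships whose `TargetMode` is `External` (an embedded object that makes Office fetch remote content), then matches the file hash and any extracted hostnames against the indicators listed above. The `.rels` structure checked is an assumption about how such documents declare their object; the two sample archives are constructed in memory and are not real documents (the suspect one holds only a relationship entry with a placeholder path).

```python
import hashlib
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Indicators as listed on this page (MD5 hashes, plus the defanged domain and IP
# written in plain form here so they can be compared against extracted hosts).
IOC_MD5 = {
    "ef32824c7388a848c263deb4c360fd64",
    "e58b75e1f588508de7c15a35e2553b86",
    "e89dbc1097cfb8591430ff93d9952260",
}
IOC_NETWORK = {"hidusi.com", "103.231.14.134"}

# Standard Open XML namespace and relationship type for embedded OLE objects.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def external_ole_targets(docx_bytes: bytes) -> list:
    """Return the Target of every OLE object relationship whose TargetMode is
    External, i.e. an embedded object that makes Office fetch remote content.
    Assumption: the lure declares its object in a .rels part this way; a benign
    document normally has no externally sourced OLE objects at all."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode") == "External" and rel.get("Type") == OLE_REL_TYPE:
                    hits.append(rel.get("Target", ""))
    return hits


def assess_document(docx_bytes: bytes) -> dict:
    """Combine the structural check with the page's IoC list."""
    md5 = hashlib.md5(docx_bytes).hexdigest()
    targets = external_ole_targets(docx_bytes)
    hosts = set()
    for target in targets:
        # Pull every host out of the target string (it may chain several URLs).
        hosts.update(re.findall(r"https?://([^/!\s:]+)", target))
    return {
        "md5": md5,
        "known_hash": md5 in IOC_MD5,
        "external_ole_targets": targets,
        "ioc_hosts": sorted(hosts & IOC_NETWORK),
        "suspicious": bool(targets) or md5 in IOC_MD5,
    }


def build_sample_docx(rels_xml: str) -> bytes:
    """Constructed minimal .docx-shaped archive for testing; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed: an ordinary internal relationship only.
BENIGN_RELS = (
    '<?xml version="1.0"?>'
    f'<Relationships xmlns="{REL_NS}">'
    '<Relationship Id="rId1" '
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" '
    'Target="styles.xml"/>'
    "</Relationships>"
)

# Constructed: an externally sourced OLE object pointing at the page's IoC domain
# (placeholder path; this is only a relationship entry, not an exploit document).
SUSPECT_RELS = (
    '<?xml version="1.0"?>'
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId5" Type="{OLE_REL_TYPE}" '
    'Target="http://hidusi.com/PLACEHOLDER" TargetMode="External"/>'
    "</Relationships>"
)


if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspect", SUSPECT_RELS)):
        print(label, assess_document(build_sample_docx(rels)))
```

The structural check is the more durable of the two: hashes and domains change from sample to sample, while an OLE object that Office must fetch from a remote URL is unusual in legitimate documents and is what the mail gateway or endpoint should question regardless of which indicators are current.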

Read more: securelist.com