{"id":42862,"date":"2021-09-15T23:40:56","date_gmt":"2021-09-15T23:40:56","guid":{"rendered":"https:\/\/www.microsoft.com\/security\/blog\/?p=97563"},"modified":"2021-09-15T23:40:56","modified_gmt":"2021-09-15T23:40:56","slug":"analyzing-attacks-that-exploit-the-cve-2021-40444-mshtml-vulnerability","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/analyzing-attacks-that-exploit-the-cve-2021-40444-mshtml-vulnerability\/","title":{"rendered":"Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability"},"content":{"rendered":"<p>In August, Microsoft Threat Intelligence Center (MSTIC) identified a small number of attacks (less than 10) that attempted to exploit a remote code execution vulnerability in MSHTML using specially crafted Microsoft Office documents. These attacks used the vulnerability, tracked as <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-40444\">CVE-2021-40444<\/a>, as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders. These loaders communicated with an infrastructure that Microsoft associates with multiple cybercriminal campaigns, including human-operated ransomware.<\/p>\n<p>The observed attack vector relies on a malicious ActiveX control that could be loaded by the browser rendering engine using a malicious Office document. Customers who enabled <a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/attack-surface-reduction-rules?view=o365-worldwide\">attack surface reduction rules<\/a> to block Office from creating child processes are not impacted by the exploitation technique used in these attacks. While these attacks used a vulnerability to access entry point devices and run highly-privileged code, the secondary actions taken by the attackers still rely on stealing credentials and moving laterally to cause organization-wide impact. 
This illustrates the importance of investing in attack surface reduction, credential hygiene, and lateral movement mitigations. Customers are advised to apply the <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-40444\">security patch<\/a> for CVE-2021-40444 to fully mitigate this vulnerability.<\/p>\n<p>This blog details our in-depth analysis of the attacks that used the CVE-2021-40444, provides detection details and investigation guidance for <a href=\"https:\/\/www.microsoft.com\/en-us\/microsoft-365\/security\/microsoft-365-defender\">Microsoft 365 Defender<\/a> customers, and lists mitigation steps for hardening networks against this and similar attacks. Our colleagues at <a href=\"https:\/\/www.riskiq.com\/blog\/external-threat-management\/wizard-spider-windows-0day-exploit\/\">RiskIQ conducted their own analysis<\/a> and coordinated with Microsoft in publishing this research.<\/p>\n<h2>Exploit delivery mechanism<\/h2>\n<p>The initial campaigns in August 2021 likely originated from emails impersonating contracts and legal agreements, where the documents themselves were hosted on file-sharing sites. The exploit document used an external oleObject relationship to embed exploitative JavaScript within MIME HTML remotely hosted content that results in (1) the download of a CAB file containing a DLL bearing an INF file extension, (2) decompression of that CAB file, and (3) execution of a function within that DLL. 
The DLL retrieves remotely hosted shellcode (in this instance, a custom Cobalt Strike Beacon loader) and loads it into <em>wabmig.exe<\/em> (Microsoft address import tool.)<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-97578 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Figure1.png\" alt=\"Screenshot of code showing the original exploit vector\" width=\"624\" height=\"166\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Figure1.png 624w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Figure1-300x80.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\"><\/p>\n<p><em>Figure 1. The original exploit vector: an externally targeted oleObject relationship definition bearing an MHTML handler prefix pointed at an HTML file hosted on infrastructure that has similar qualities to the Cobalt Strike Beacon infrastructure that the loader\u2019s payload communicates with.<\/em><\/p>\n<p>Content that is downloaded from an external source is tagged by the Windows operating system with a mark of the web, indicating it was downloaded from a potentially untrusted source. This invokes Protected Mode in Microsoft Office, requiring user interaction to disable it to run content such as macros. 
However, in this instance, when opened without a mark of the web present, the document\u2019s payload executed immediately without user interaction \u2013 indicating the abuse of a vulnerability.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-97581 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Figure2-attack-chain.png\" alt=\"diagram showing attack chain of DEV-0413 campaign that used CVE-2021-40444\" width=\"975\" height=\"433\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Figure2-attack-chain.png 975w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Figure2-attack-chain-300x133.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Figure2-attack-chain-768x341.png 768w\" sizes=\"auto, (max-width: 975px) 100vw, 975px\"><\/p>\n<p><em>Figure 2. Attack chain of DEV-0413 campaign that used CVE-2021-40444<\/em><\/p>\n<h2>DEV-0413 observed exploiting CVE-2021-40444<\/h2>\n<p>As part of Microsoft\u2019s ongoing commitment to tracking both nation state and cybercriminal threat actors, we refer to the unidentified threat actor as a \u201cdevelopment group\u201d and utilize a threat actor naming structure with a prefix of \u201cDEV\u201d to indicate an emerging threat group or unique activity during the tracking and investigation phases before MSTIC reaches high confidence about the origin or identity of the actor behind an operation. MSTIC tracks a large cluster of cybercriminal activity involving Cobalt Strike infrastructure under the name DEV-0365.<\/p>\n<p>The infrastructure we associate with DEV-0365 has several overlaps in behavior and unique identifying characteristics of Cobalt Strike infrastructure that suggest it was created or managed by a distinct set of operators. 
However, the follow-on activity from this infrastructure indicates multiple threat actors or clusters associated with human-operated ransomware attacks (including the deployment of Conti ransomware). One explanation is that DEV-0365 is involved in a form of command-and-control infrastructure as a service for cybercriminals.<\/p>\n<p>Additionally, some of the infrastructure that hosted the oleObjects utilized in the August 2021 attacks abusing CVE-2021-40444 was also involved in the delivery of BazaLoader and Trickbot payloads \u2014 activity that overlaps with a group Microsoft tracks as DEV-0193. DEV-0193 activities overlap with actions tracked by Mandiant as UNC1878.<\/p>\n<p>Due to the uncertainty surrounding the nature of the shared qualities of DEV-0365 infrastructure and the significant variation in malicious activity, MSTIC clustered the initial email campaign exploitation identified as CVE-2021-40444 activity separately, under DEV-0413.<\/p>\n<p>The DEV-0413 campaign that used CVE-2021-40444 has been smaller and more targeted than other malware campaigns we have identified leveraging DEV-0365 infrastructure. We observed the earliest exploitation attempt of this campaign on August 18. The social engineering lure used in the campaign, initially highlighted by Mandiant, aligned with the business operations of targeted organizations, suggesting a degree of purposeful targeting. The campaign purported to seek a developer for a mobile application, with multiple application development organizations being targeted. In most instances, file-sharing services were abused to deliver the CVE-2021-40444-laden lure.<\/p>\n<p>It is worth highlighting that while monitoring the DEV-0413 campaign, Microsoft identified active DEV-0413 infrastructure hosting CVE-2021-40444 content wherein basic security principles had not been applied. 
DEV-0413 did not limit the browser agents able to access the server to their malware implant or known targets, thereby permitting directory listing for their web server. In doing so, the attackers exposed their exploit to anyone who might have gained interest based on public social media discussion.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-97584 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Figure3-email-lure.png\" alt=\"Screenshot of content of email in DEV-0413 campaign that used CVE-2021-40444\" width=\"482\" height=\"555\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Figure3-email-lure.png 482w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Figure3-email-lure-261x300.png 261w\" sizes=\"auto, (max-width: 482px) 100vw, 482px\"><\/p>\n<p><em>Figure 3. Content of the original DEV-0413 email lure seeking application developers<\/em><\/p>\n<p>At least one organization that was successfully compromised by DEV-0413 in their August campaign was previously compromised by a wave of similarly-themed malware that interacted with DEV-0365 infrastructure almost two months before the CVE-2021-40444 attack. 
It is currently not known whether the retargeting of this organization was intentional, but it reinforces the connection between DEV-0413 and DEV-0365 beyond sharing of infrastructure.<\/p>\n<p>In a later wave of DEV-0413 activity on September 1, Microsoft identified a lure change from targeting application developers to a \u201csmall claims court\u201d legal threat.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-97617 size-full\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Figure4b-email-lure.png\" alt=\"Screenshot of another email lure used in the campaigns\" width=\"482\" height=\"533\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Figure4b-email-lure.png 482w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Figure4b-email-lure-271x300.png 271w\" sizes=\"auto, (max-width: 482px) 100vw, 482px\"><\/p>\n<p><em>Figure 4. Example of the \u201cSmall claims court\u201d lure utilized by DEV-0413<\/em><em>&nbsp;<\/em><\/p>\n<h2>Vulnerability usage timeline<\/h2>\n<p>On August 21, 2021, MSTIC observed a social media post by a Mandiant employee with experience tracking Cobalt Strike Beacon infrastructure. This post highlighted a Microsoft Word document (SHA-256: <a href=\"https:\/\/www.virustotal.com\/gui\/file\/3bddb2e1a85a9e06b9f9021ad301fdcde33e197225ae1676b8c6d0b416193ecf\">3bddb2e1a85a9e06b9f9021ad301fdcde33e197225ae1676b8c6d0b416193ecf<\/a>) that had been uploaded to VirusTotal on August 19, 2021. The post\u2019s focus on this document was highlighting the custom Cobalt Strike Beacon loader and did not focus on the delivery mechanism.<\/p>\n<p>MSTIC analyzed the sample and determined that an anomalous oleObject relationship in the document was targeted at an external malicious HTML resource with an MHTML handler and likely leading to abuse of an undisclosed vulnerability. 
MSTIC immediately engaged the Microsoft Security Response Center and work began on a mitigation and patch. During this process, MSTIC collaborated with the original finder at Mandiant to reduce the discussion of the issue publicly and avoid drawing threat actor attention to the issues until a patch was available. Mandiant partnered with MSTIC and did their own reverse engineering assessment and submitted their findings to MSRC.<\/p>\n<p>On September 7, 2021, Microsoft released a security advisory for CVE-2021-40444 containing a partial workaround. As a routine in these instances, Microsoft was working to ensure that the detections described in the advisory would be in place and a patch would be available before public disclosure. During the same time, a third-party researcher reported a sample to Microsoft from the same campaign originally shared by Mandiant. This sample was publicly disclosed on September 8. We observed a rise in exploitation attempts within 24 hours.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-97590\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Figure5-Exploitation-attempts.png\" alt=\"Line graph showing volume of observed exploitation attempts\" width=\"600\" height=\"258\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Figure5-Exploitation-attempts.png 975w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Figure5-Exploitation-attempts-300x129.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Figure5-Exploitation-attempts-768x330.png 768w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\"><\/p>\n<p><em>Figure 5. Graphic showing original exploitation on August 18 and attempted exploitation increasing after public disclosure <\/em><\/p>\n<p>Microsoft continues to monitor the situation and work to deconflict testing from actual exploitation. 
Since the public disclosure, Microsoft has observed multiple threat actors, including ransomware-as-a-service affiliates, adopting publicly disclosed proof-of-concept code into their toolkits. We will continue to provide updates as we learn more.<\/p>\n<h2>Mitigating the attacks<\/h2>\n<p>Microsoft has confirmed that the following&nbsp;<a href=\"https:\/\/docs.microsoft.com\/windows\/security\/threat-protection\/microsoft-defender-atp\/attack-surface-reduction\">attack surface reduction rule<\/a>&nbsp;blocks activity associated with exploitation of CVE-2021-40444 at the time of publishing:<\/p>\n<ul>\n<li>Block all Office applications from creating child processes<\/li>\n<\/ul>\n<p>Apply the following mitigations to reduce the impact of this threat and follow-on actions taken by attackers.<\/p>\n<ul>\n<li>Apply the security updates for&nbsp;<a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-40444\">CVE-2021-40444<\/a>. Comprehensive updates addressing the vulnerabilities used in this campaign are available through the&nbsp;<a href=\"https:\/\/msrc.microsoft.com\/update-guide\/\">September 2021 security updates<\/a>.<\/li>\n<li>Run the latest version of your operating systems and applications. Turn on automatic updates or deploy the latest security updates as soon as they become available.<\/li>\n<li>Use a supported platform, such as Windows 10, to take advantage of regular security updates.<\/li>\n<li>Turn on&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/configure-block-at-first-sight-microsoft-defender-antivirus?view=o365-worldwide\">cloud-delivered protection<\/a> in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. 
Cloud-based machine learning protections block the majority of new and unknown variants.<\/li>\n<li>Turn on&nbsp;<a href=\"https:\/\/docs.microsoft.com\/microsoft-365\/security\/defender-endpoint\/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide\">tamper protection<\/a> in Microsoft Defender for Endpoint to prevent malicious changes to security settings.<\/li>\n<li>Run&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/edr-in-block-mode?view=o365-worldwide\">EDR in block mode<\/a> so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn\u2019t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.<\/li>\n<li>Enable&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/automated-investigations?view=o365-worldwide\">investigation and remediation<\/a> in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.<\/li>\n<li>Use&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/device-discovery?view=o365-worldwide\">device discovery<\/a> to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.<\/li>\n<\/ul>\n<h2>Microsoft 365 Defender detection details<\/h2>\n<p><strong>Antivirus<\/strong><\/p>\n<p>Microsoft Defender Antivirus detects threat components as the following malware:<\/p>\n<p><strong>Endpoint detection and response (EDR)<\/strong><\/p>\n<p>Alerts with the following titles in the security center can indicate threat activity on your network:<\/p>\n<ul>\n<li>Possible exploitation of CVE-2021-40444 (requires Defender Antivirus as the 
Active AV)<\/li>\n<\/ul>\n<p>The following alerts might also indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.<\/p>\n<ul>\n<li>Suspicious Behavior By Office Application (detects the anomalous process launches that happen in exploitation of this CVE, and other malicious behavior)<\/li>\n<li>Suspicious use of Control Panel item<\/li>\n<\/ul>\n<p><strong>Microsoft Defender for Office 365<\/strong><\/p>\n<p>Signals from Microsoft Defender for Office 365 inform Microsoft 365 Defender, which correlates cross-domain threat intelligence to deliver coordinated defense, that this vulnerability has been detected in a document delivered via email, when detonation is enabled.<\/p>\n<p>The following alerts in your portal will indicate that a malicious attachment has been blocked, although these alerts are also used for many different threats:<\/p>\n<ul>\n<li>Malware campaign detected and blocked<\/li>\n<li>Malware campaign detected after delivery<\/li>\n<li>Email messages containing malicious file removed after delivery<\/li>\n<\/ul>\n<h2>Advanced hunting<\/h2>\n<p>To locate possible exploitation activity, run the following queries.<\/p>\n<p><strong>Relative path traversal (requires Microsoft 365 Defender)<\/strong><\/p>\n<p>Use the following query to surface abuse of Control Panel objects (.cpl) via URL protocol handler path traversal as used in the original attack and public proof of concepts at time of publishing:<\/p>\n<p><code>DeviceProcessEvents<br \/>| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')<br \/>or ProcessCommandLine matches regex @'\\\".[a-zA-Z]{2,4}:\\.\\.\\\/\\.\\.'<\/code><\/p>\n<p> READ MORE <a 
href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/09\/15\/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This blog details our in-depth analysis of the attacks that used the CVE-2021-40444, provides detection details and investigation guidance for Microsoft 365 Defender customers, and lists mitigation steps for hardening networks against this and similar attacks.<br \/>\nThe post Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability appeared first on Microsoft Security Blog. READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":42863,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[9625,347,7221,9237,9626,1710],"class_list":["post-42862","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-secure","tag-cve-2021-40444","tag-cybersecurity","tag-microsoft-security-intelligence","tag-microsoft-threat-intelligence-center-mstic","tag-mshtml","tag-zero-day-exploit"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/analyzing-attacks-that-exploit-the-cve-2021-40444-mshtml-vulnerability\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/analyzing-attacks-that-exploit-the-cve-2021-40444-mshtml-vulnerability\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2021-09-15T23:40:56+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/09\/analyzing-attacks-that-exploit-the-cve-2021-40444-mshtml-vulnerability.png\" \/>\n\t<meta property=\"og:image:width\" content=\"624\" \/>\n\t<meta property=\"og:image:height\" content=\"166\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/analyzing-attacks-that-exploit-the-cve-2021-40444-mshtml-vulnerability\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/analyzing-attacks-that-exploit-the-cve-2021-40444-mshtml-vulnerability\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability\",\"datePublished\":\"2021-09-15T23:40:56+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/analyzing-attacks-that-exploit-the-cve-2021-40444-mshtml-vulnerability\/\"},\"wordCount\":1836,\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/analyzing-attacks-that-exploit-the-cve-2021-40444-mshtml-vulnerability\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/09\/analyzing-attacks-that-exploit-the-cve-2021-40444-mshtml-vulnerability.png\",\"keywords\":[\"CVE-2021-40444\",\"Cybersecurity\",\"Microsoft security intelligence\",\"Microsoft Threat Intelligence Center (MSTIC)\",\"MSHTML\",\"zero-day exploit\"],\"articleSection\":[\"Microsoft Secure\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/analyzing-attacks-that-exploit-the-cve-2021-40444-mshtml-vulnerability\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/analyzing-attacks-that-exploit-the-cve-2021-40444-mshtml-vulnerability\/\",\"name\":\"Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability 2026 | ThreatsHub Cybersecurity 
News\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/analyzing-attacks-that-exploit-the-cve-2021-40444-mshtml-vulnerability\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/analyzing-attacks-that-exploit-the-cve-2021-40444-mshtml-vulnerability\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/09\/analyzing-attacks-that-exploit-the-cve-2021-40444-mshtml-vulnerability.png\",\"datePublished\":\"2021-09-15T23:40:56+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/analyzing-attacks-that-exploit-the-cve-2021-40444-mshtml-vulnerability\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.threatshub.org\/blog\/analyzing-attacks-that-exploit-the-cve-2021-40444-mshtml-vulnerability\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/analyzing-attacks-that-exploit-the-cve-2021-40444-mshtml-vulnerability\/#primaryimage\",\"url\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/09\/analyzing-attacks-that-exploit-the-cve-2021-40444-mshtml-vulnerability.png\",\"contentUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/09\/analyzing-attacks-that-exploit-the-cve-2021-40444-mshtml-vulnerability.png\",\"width\":624,\"height\":166},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/analyzing-attacks-that-exploit-the-cve-2021-40444-mshtml-vulnerability\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.threatshub.org\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"CVE-2021-40444\"
,\"item\":\"https:\/\/www.threatshub.org\/blog\/tag\/cve-2021-40444\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability 2026 | ThreatsHub Cybersecurity News","canonical":"https:\/\/www.threatshub.org\/blog\/analyzing-attacks-that-exploit-the-cve-2021-40444-mshtml-vulnerability\/","article_published_time":"2021-09-15T23:40:56+00:00","author":"TH Author"}}