Category | Vulnerability Intelligence
Vulnerability Class | Remote Code Execution
CVE id | CVE-2021-40444
CVSS:3.0 Score | 8.8
TLP# | GREEN
Reference |
* https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability
# https://en.wikipedia.org/wiki/Traffic_Light_Protocol
Executive Summary
- Researchers at Microsoft, Mandiant and Expmon have detected a vulnerability, tracked as CVE-2021-40444, a remote code execution flaw in MSHTML, the engine Microsoft Office uses to render web content inside Word, Excel and PowerPoint documents.
- The zero-day vulnerability is being actively exploited by threat actors, and Office users are targeted through client-side attack vectors.
- Microsoft has updated Windows Defender Antivirus and Microsoft Defender for Endpoint to defend against this vulnerability.
- Assets can be protected against the attack by following the guidelines recorded in the Impact & Mitigation section of this advisory.
Analysis
Trident, popularly known as MSHTML, is the browser engine Microsoft developed for Internet Explorer. The Microsoft Office suite also embeds MSHTML, and a remote code execution vulnerability in it (CVE-2021-40444) is increasingly being exploited by attackers to gain code execution on targeted systems. At present, Microsoft has not disclosed the technical details of the vulnerability.
- Threat actors craft a malicious ActiveX control, which is then embedded in Office documents that host the MSHTML rendering engine.
- The logic flaw in MSHTML is triggered when the user opens the malicious document.
- However, Protected View and Application Guard for Office are capable of defending against these targeted attacks.
- Microsoft has updated Defender for Endpoint to flag such attacks with an alert that reads “Suspicious Cpl File Execution.”
- Microsoft has not released a patch for this zero-day vulnerability, but detections for its TTPs (tactics, techniques and procedures) have been added to Windows Defender.
- Additionally, an official Microsoft advisory that includes a workaround has been included in the following section.
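As an added triage example that is not part of this advisory: the publicly reported delivery mechanism for CVE-2021-40444 is a Word document whose relationship part declares an external oleObject target (an mhtml: URL), which Word hands to MSHTML when the file is opened. The script below, written for this rewrite, unpacks a .docx and flags such relationships before a user ever opens the file; the minimal packages and the example.invalid URL are constructed test data, not real samples.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
RELS_PART = re.compile(r"^word/_rels/.*\.rels$")


def external_ole_targets(docx_bytes: bytes) -> list:
    """Return Target values of oleObject relationships with TargetMode="External"
    found in any word/_rels/*.rels part of the package. Such a target makes
    Word fetch content from a URL at open time, which is how a remote
    MSHTML-hosted ActiveX payload gets loaded; embedded (internal) OLE objects
    and ordinary external hyperlinks are deliberately not reported."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not RELS_PART.match(name):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External":
                    hits.append(rel.get("Target", ""))
    return hits


def is_suspicious(docx_bytes: bytes) -> bool:
    # Any external OLE target deserves a look; an mhtml: or http(s): scheme is a strong signal.
    return any(t.lower().startswith(("mhtml:", "http:", "https:"))
               for t in external_ole_targets(docx_bytes))


def build_sample_docx(rels_xml: str) -> bytes:
    """Constructed minimal .docx-like package for testing (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed relationship parts: a benign one (embedded OLE object plus a normal
# external hyperlink) and a suspect one (external OLE target using an mhtml: URL).
BENIGN_RELS = f"""<Relationships xmlns="{REL_NS}">
<Relationship Id="rId1" Type="{OLE_REL}" Target="embeddings/oleObject1.bin"/>
<Relationship Id="rId2" Type="{REL_NS.replace('package', 'officeDocument')}/hyperlink"
 Target="https://example.invalid/" TargetMode="External"/>
</Relationships>"""
SUSPECT_RELS = f"""<Relationships xmlns="{REL_NS}">
<Relationship Id="rId1" Type="{OLE_REL}"
 Target="mhtml:http://example.invalid/word.html" TargetMode="External"/>
</Relationships>"""
```

The same check applies to .xlsx and .pptx by widening `RELS_PART` to `xl/_rels/` and `ppt/_rels/`, since all three formats use the same relationship schema.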
Impact & Mitigation
Impact |
- Remote code execution allows attackers to take control of the target system.
- Initial access to a corporate endpoint may enable lateral movement in the internal network.
- Nation-state actors leverage client-side zero-day vulnerabilities to compromise information, while ransomware groups use these vulnerabilities to extort money by encrypting user data.
Mitigation |
|
|
Indicators of Compromise