Microsoft MSHTML Remote Code Execution Vulnerability Threat Intel Advisory

Summary

Researchers detected the vulnerability CVE-2021-40444, a remote code execution flaw in MSHTML, the engine used to render web content inside Office documents.
Category: Vulnerability Intelligence
Vulnerability Class: Remote Code Execution
CVE id: CVE-2021-40444
CVSS:3.0 Score: 8.8
TLP#: GREEN
Reference: *https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability #https://en.wikipedia.org/wiki/Traffic_Light_Protocol
 

Executive Summary

  • Microsoft, Mandiant, and EXPMON researchers have detected a vulnerability, tracked as CVE-2021-40444, a remote code execution flaw in MSHTML, the engine Microsoft Office uses to render web content inside Word, Excel, and PowerPoint documents.
  • The zero-day vulnerability is actively exploited by threat actors, and Office users are targeted through client-side attack vectors.
  • Microsoft has updated Windows Defender Antivirus and Windows Defender for Endpoint to defend against this vulnerability.
  • Assets can be protected against the attack by following the guidelines recorded in the Impact & Mitigation section of this advisory.
 

Analysis

Trident, popularly known as MSHTML, is the browser engine Microsoft developed for Internet Explorer. The Microsoft Office suite also uses MSHTML, and the engine has a remote code execution vulnerability (CVE-2021-40444) that attackers are increasingly exploiting to gain code execution on targeted systems. At present, Microsoft has not disclosed the technical details of the vulnerability.
  • Threat actors craft a malicious ActiveX control, which is then embedded in Office documents that host MSHTML.
  • The logic flaw in MSHTML is triggered when the user opens the malicious document.
  • However, Protected View and Application Guard in Microsoft Office applications are capable of defending against these targeted attacks.
  • Microsoft has updated Defender for Endpoint to flag such attacks with an alert that reads “Suspicious Cpl File Execution.”
  • Microsoft has not released a patch for this zero-day vulnerability, but detections for its TTPs (tactics, techniques and procedures) have been added to Windows Defender.
  • Additionally, an official Microsoft advisory that includes a workaround has been included in the following section.
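As an added example that is not part of this advisory: a defender-side triage check, in Python, that opens an Office Open XML document and lists every package relationship marked external that points at web or MHTML content, the path by which a document hands content to MSHTML for rendering. The package layout follows the public OOXML relationship schema; the mhtml: scheme and the oleObject relationship type come from public analyses of this CVE rather than from this page, and the sample document is constructed inline, not a real malicious file.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Schemes a document should not need for content it renders on open.
RISKY_SCHEMES = ("http:", "https:", "mhtml:", "file:")


def external_relationships(docx_bytes: bytes) -> list:
    """Return (rels part, rel Id, rel type, target) for every relationship
    in the package marked TargetMode="External" with a risky target scheme."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                if target.lower().startswith(RISKY_SCHEMES):
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append((name, rel.get("Id"), rel_type, target))
    return findings


def build_sample_docx(external_target=None) -> bytes:
    """Constructed minimal package (assumption: a stripped-down .docx).
    With external_target set, it carries one external oleObject relationship."""
    rels = [f'<Relationships xmlns="{REL_NS}">',
            f'<Relationship Id="rId1" Type="{OOXML_REL}styles" Target="styles.xml"/>']
    if external_target:
        rels.append(f'<Relationship Id="rId5" Type="{OOXML_REL}oleObject" '
                    f'Target="{external_target}" TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("mhtml:http://example.invalid/side.html")
    for hit in external_relationships(sample):
        print("external relationship:", hit)
```

Any hit is a reason to keep the file in Protected View and hand it to analysis; a clean package returns an empty list.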
 

Impact & Mitigation

Impact Mitigation
  • Remote code execution allows attackers to take control of the target system.
  • Initial access to a corporate endpoint may enable lateral movement in the internal network.
  • Nation-state actors leverage client-side zero-day vulnerabilities to compromise information, while ransomware groups use them to extort money by encrypting user data.
 

Indicators of Compromise

