New Blog Post | Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability

Microsoft

[Figure 2: attack chain]

Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability | Microsoft Security Blog: https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/

In August, Microsoft Threat Intelligence Center (MSTIC) identified a small number of attacks (less than 10) that attempted to exploit a remote code execution vulnerability in MSHTML using specially crafted Microsoft Office documents. These attacks used the vulnerability, tracked as CVE-2021-40444, as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders. These loaders communicated with an infrastructure that Microsoft associates with multiple cybercriminal campaigns, including human-operated ransomware.

1 Reply
Thank you for sharing.
The good news is that most anti-malware products, including Microsoft Defender, are able to detect and block this exploit. So if someone sends a malicious file, it will be blocked by Microsoft Defender.
However, everyone has to make sure to deploy updates as soon as possible.