
Cybereason Global SOC Team
The Cybereason Global Security Operations Center (SOC) issues Cybereason Threat Alerts to inform customers of emerging impacting threats. The Alerts summarize these threats and provide practical recommendations for protecting against them.
The Cybereason GSOC Managed Detection and Response (MDR) team is investigating CVE-2021-40444, a critical vulnerability in the Microsoft Hypertext Markup Language (MSHTML) web content rendering engine that Microsoft Office applications use. This vulnerability enables attackers to use malicious ActiveX controls to execute arbitrary code on target systems.
This Threat Alert focuses on the CVE-2021-40444 vulnerability as exploited via malicious Office documents. However, other applications that also use the MSHTML engine, such as Internet Explorer, can also be vectors for exploiting the vulnerability.
CVE-2021-40444 is a critical vulnerability in the MSHTML rendering engine. Microsoft Office applications use the MSHTML engine to process and display web content. An adversary who successfully exploits CVE-2021-40444 could achieve full control over a target system by using malicious ActiveX controls to execute arbitrary code.
Malicious actors are exploiting CVE-2021-40444 by using specially crafted Microsoft Office documents. A typical document of this kind uses the MSHTML engine to open a malicious website hosted on an attacker-controlled endpoint. This website exists as a MIME HTML (MHTML) Object Linking and Embedding (OLE) object in the context of the document. The website executes JavaScript code and ActiveX controls, which in turn execute malicious code on the system where the Office document was opened. This code is hosted at the attacker-controlled endpoint in the form of a dynamic-link library (DLL).
To exploit the CVE-2021-40444 vulnerability, the attacker tricks a user into opening a specifically crafted Office document and clicking Enable Content to disable the Microsoft Office Protected View feature. The Protected View feature is enabled by default and blocks the execution of potentially malicious code in the context of Office documents.
A specific exploitation of CVE-2021-40444 observed in practice involves the following activities:
An MSHTML OLE object in a specifically crafted Microsoft Office document
Obfuscated JavaScript code that instantiates ActiveX controls
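A triage check for the document shape described above, added here as an example and not Cybereason's own tooling: it opens an Office (OOXML) file, walks its relationship parts and flags OLE relationships whose target is external and uses an mhtml: or http(s): scheme. The part locations and attribute names are the standard OOXML packaging conventions; the sample documents are constructed inline.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# An OOXML file (.docx/.xlsx/.pptx) is a zip; its *.rels parts declare what each
# part links to. Heuristic: flag OLE relationships whose target is external and
# uses an mhtml:/http(s): scheme, the shape of the remote-MHTML lure described above.
REMOTE_SCHEMES = ("mhtml:", "http:", "https:")


def scan_office_document(data: bytes) -> list:
    """Return (rels_part, target) for each external OLE relationship pointing
    at a remote target; an empty list means nothing matched the heuristic."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter():
                if not rel.tag.endswith("Relationship"):
                    continue
                external = rel.get("TargetMode", "").lower() == "external"
                is_ole = rel.get("Type", "").lower().endswith("/oleobject")
                target = rel.get("Target", "")
                if external and is_ole and target.lower().startswith(REMOTE_SCHEMES):
                    findings.append((name, target))
    return findings


def build_sample_docx(rels_xml: str) -> bytes:
    """Build a minimal OOXML container in memory (constructed sample, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


OLE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# Constructed relationship parts: one external mhtml: OLE link, one ordinary local part.
SUSPICIOUS_RELS = (f'<Relationships><Relationship Id="rId5" Type="{OLE}" '
                   'Target="mhtml:http://example.invalid/page.html" TargetMode="External"/>'
                   '</Relationships>')
BENIGN_RELS = (f'<Relationships><Relationship Id="rId1" Type="{OLE}" '
               'Target="oleObject1.bin"/></Relationships>')

if __name__ == "__main__":
    print(scan_office_document(build_sample_docx(SUSPICIOUS_RELS)))  # one finding
    print(scan_office_document(build_sample_docx(BENIGN_RELS)))      # []
```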
Cybereason recommends the following:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003
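A compliance check for the registry mitigation above, added here as an example and not part of the Cybereason alert: it parses a .reg export such as the one listed, or (on Windows) reads the live policy keys with winreg, and reports every zone where the 1001 (signed ActiveX download) or 1004 (unsigned ActiveX download) value is missing or not set to Disable (3). The policy path is the one from the .reg text; the sample export is constructed.

```python
import re

# Zones 0-3 are Local Machine, Local intranet, Trusted sites and Internet; value 1001
# covers signed and 1004 unsigned ActiveX downloads; dword 3 means "Disable".
POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
ZONES, ACTIVEX_VALUES, DISABLE = (0, 1, 2, 3), ("1001", "1004"), 3


def parse_reg_export(text: str) -> dict:
    """Parse 'Windows Registry Editor' text into {(key_path, value_name): int};
    only dword values are kept, which is all the mitigation uses."""
    settings, current_key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})', line)
        if m and current_key:
            settings[(current_key, m.group(1))] = int(m.group(2), 16)
    return settings


def audit_activex_policy(settings: dict) -> list:
    """Return (zone, value_name) pairs that are absent or not set to Disable (3)."""
    return [(zone, name) for zone in ZONES for name in ACTIVEX_VALUES
            if settings.get((rf"HKEY_LOCAL_MACHINE\{POLICY_KEY}\{zone}", name)) != DISABLE]


def read_live_policy() -> dict:
    """Windows only: read the same values from the live registry with winreg,
    so the audit can run against a host instead of a .reg file."""
    import winreg
    settings = {}
    for zone in ZONES:
        for name in ACTIVEX_VALUES:
            try:
                with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, rf"{POLICY_KEY}\{zone}") as h:
                    key = rf"HKEY_LOCAL_MACHINE\{POLICY_KEY}\{zone}"
                    settings[(key, name)] = winreg.QueryValueEx(h, name)[0]
            except OSError:
                pass  # missing key or value shows up as a gap in the audit
    return settings


# Constructed sample export: only zone 3 is configured, and its 1001 is still Enable (0).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000000
"1004"=dword:00000003
"""

if __name__ == "__main__":
    print(audit_activex_policy(parse_reg_export(SAMPLE_REG)))
```

Running the audit over the full .reg text listed above returns an empty list, while the constructed sample reports seven gaps.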
Aleksandar Milenkoski, Senior Threat and Malware Analyst, Cybereason Global SOC
Aleksandar Milenkoski is a Senior Threat and Malware Analyst with the Cybereason Global SOC (GSOC) team. He is involved primarily in reverse engineering and threat research activities. Aleksandar has a PhD degree in the area of system security. Prior to Cybereason, his work was focusing on research in the area of intrusion detection and reverse engineering security mechanisms of the Windows 10 operating system.
The Cybereason Global SOC Team delivers 24/7 Managed Detection and Response services to customers on every continent. Led by cybersecurity experts with experience working for government, the military and multiple industry verticals, the Cybereason Global SOC Team continuously hunts for the most sophisticated and pervasive threats to support our mission to end cyberattacks on the endpoint, across the enterprise, and everywhere the battle moves.