Security vendor Sophos published information about a new attack scenario in a series of tweets just before Christmas. Attackers are currently testing a new attack vector: mails carrying RAR attachments that contain Word documents and scripts. The payload is distributed hidden inside the RAR file together with an Office document, which then launches the attack via a PowerShell script. I present this briefly here in the blog.
Sophos observes new attack method
It was a tweet from Sophos that alerted me on December 21, 2021. Their security researchers got their hands on an updated exploit which shows that cyber criminals are testing a new attack method. The number 40444 in the following tweet refers to the vulnerability CVE-2021-40444 in the Windows MSHTML library.
I had already reported about that in the blog post Windows attacks via 0-day in installer and vulnerability in MSHTML.
Vulnerability CVE-2021-40444 patched
Vulnerability CVE-2021-40444 is located in the Windows MSHTML library and has been patched by Microsoft through security updates for Windows and/or Internet Explorer as of September 14, 2021. CVE-2021-40444 allows remote code execution (RCE), including via manipulated Office documents. MSHTML (Trident) is the HTML rendering engine of Internet Explorer and is included in all Windows versions to date. I had reported about it in the blog post Patch day recap Sept. 2021: Update on MSHTML vulnerability CVE-2021-40444.
It is unclear whether the Microsoft security patch completely removes the vulnerability. Sophos writes in the above tweet that attackers are now making attempts to bypass this patch and exploit the vulnerability anyway. Between October 24 and 25, 2021, Sophos security researchers received a small number of spam email samples that contained corresponding file attachments. The attachments represent an escalation in the attackers' exploitation of the CVE-2021-40444 flaw and show that cyber criminals are looking for ways to exploit the vulnerability even on patched systems. Sophos published the details of the attacks in the blog post Attackers test "CAB-less 40444" exploit in a dry run.
Attack via Office Documents on Microsoft MSHTML (ActiveX) RCE Vulnerability (CVE-2021-40444)
MSHTML vulnerability CVE-2021-40444 more critical than known
Disaster Windows MSHTML vulnerability CVE-2021-40444, hopefully a patch will come today
Patch day recap Sept. 2021: Update on MSHTML vulnerability CVE-2021-40444
Windows attacks via 0-day in installer and vulnerability in MSHTML