Links Detected Between MSHTML Zero-Day Attacks and Ransomware Operations

This article has been indexed from E Hacking News – Latest Hacker News and IT Security News


The exploitation of a recently fixed Windows zero-day vulnerability was attributed to known ransomware operators, according to Microsoft and threat intelligence firm RiskIQ.
The existence of the zero-day, tracked as CVE-2021-40444, was revealed on September 7, when Microsoft released mitigations and cautioned that the vulnerability had been exploited in targeted attacks using specially crafted Office documents.
The vulnerability, which lies in the MSHTML browser engine used by Office, can be and has been abused for remote code execution. Microsoft delivered patches on September 14 as part of its Patch Tuesday updates.
Microsoft announced the acquisition of RiskIQ in July and posted separate blog posts detailing the attacks exploiting CVE-2021-40444. 
The first exploitation attempts were discovered in mid-August, but Microsoft observed a massive spike in exploitation attempts once proof-of-concept (PoC) code and other details were made public after the initial announcement.
As per the company, several threat actors, including ransomware-as-a-service affiliates, have used the public PoC code, but some of the exploitation attempts are part of testing rather than criminal operations. 
The company initially saw fewer than ten exploitation attempts, which leveraged CVE-2021-40444 to deliver custom Cobalt Strike Beacon loaders. Microsoft has identified the attackers as DEV-0

[…]

