Links Found Between MSHTML Zero-Day Attacks and Ransomware Operations
Microsoft and threat intelligence company RiskIQ reported finding links between the exploitation of a recently patched Windows zero-day vulnerability and known ransomware operators.
The existence of the zero-day, tracked as CVE-2021-40444, came to light on September 7, when Microsoft announced mitigations and warned that the flaw had been exploited in targeted attacks using specially crafted Office documents.
The issue, related to the MSHTML browsing engine built into Office, can and has been exploited for remote code execution. Microsoft released patches on September 14 as part of its Patch Tuesday updates.
The first exploitation attempts were spotted in mid-August, but Microsoft reported seeing a significant increase in exploitation attempts after proof-of-concept (PoC) code and other information was made publicly available shortly after its initial disclosure.
The tech giant says multiple threat actors, including ransomware-as-a-service affiliates, have been leveraging the available PoC code, but the company believes some of the exploitation attempts are part of testing, rather than malicious attacks.
The first attacks observed by Microsoft — the company initially saw less than 10 exploitation attempts — leveraged CVE-2021-40444 to deliver custom Cobalt Strike Beacon loaders. The attackers are tracked by Microsoft as DEV-0413 — DEV is assigned to emerging threat groups or unique activity. They apparently used emails referencing contracts and legal agreements to get the targets to open documents configured to exploit the MSHTML vulnerability in an effort to deliver the malware.
Interestingly, the Cobalt Strike infrastructure used in the attacks was previously connected to cybercrime groups known for using ransomware such as Conti and Ryuk to target major enterprises. These threat actors are tracked as Wizard Spider (CrowdStrike), UNC1878 (FireEye), DEV-0193, and DEV-0365 (Microsoft).
“Despite the historical connections, we cannot say with confidence that the threat actor behind the zero-day campaign is part of WIZARD SPIDER or its affiliates, or is even a criminal actor at all, though it is possible. If the threat actors were part of these groups, it means they almost surely purchased the zero-day exploit from a third party because they have not previously shown the ability to develop exploit chains of this complexity,” RiskIQ said in its blog post.
The company added, “Instead, we assess with medium confidence that the goal of the operators behind the zero-day may, in fact, be traditional espionage. This goal could easily be obscured by a ransomware deployment and blend into the current wave of targeted ransomware attacks.”
RiskIQ believes the cyberspies may have compromised the ransomware infrastructure, they may have been allowed by the ransomware operators to leverage their infrastructure, it might only be one group that engages in both espionage and cybercrime, or the two groups may be using the same bulletproof hosting provider.
Microsoft noted that in attacks exploiting CVE-2021-40444, the initial malicious document originates from the internet and it should be tagged with the “mark of the web.” This means that Office should open the document in Protected Mode, preventing exploitation, unless the user explicitly enables editing. However, if attackers find a way to prevent the document from getting a “mark of the web,” the exploit can allow them to execute the payload in the document without user interaction.