Microsoft has announced that it recently detected a targeted phishing campaign exploiting an MSHTML zero-day vulnerability to deploy Cobalt Strike Beacon on Windows systems.
By now the zero-day vulnerability in the MSHTML platform has been patched. In this campaign, the threat actors used specially crafted Office documents to deliver the Cobalt Strike Beacon to compromised Windows devices.
The Microsoft Threat Intelligence Center (MSTIC) stated that the threat actors exploited the “CVE-2021-40444” vulnerability to gain initial access to networks and to deliver custom Cobalt Strike Beacon loaders.
Investigation of the campaign showed that the earliest activity, in August 2021, most likely began with emails purporting to contain contracts and other legal agreements.
In these lures, the documents themselves were hosted on file-sharing sites. The exploit document used an external oleObject relationship to embed the exploit JavaScript within MIME HTML (MHTML).
Remotely hosted content then appears at the following stages:-
(1) In the download of a CAB file containing a DLL that carries an INF file extension
(2) In the decompression of that CAB file
(3) In the execution of a function within that DLL
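The first stage described above, an oleObject relationship whose target is external and uses the MHTML scheme, is something a defender can check for directly, because a .docx is a zip package and its relationships live in plain XML `.rels` parts. The following Python script is an added example, not code from the article or from Microsoft, Mandiant or Kaspersky. It builds two constructed sample documents (one benign, one carrying an external oleObject relationship to a placeholder `mhtml:` URL on the reserved `example.invalid` domain), then scans any .docx bytes for that pattern. The OOXML namespace and relationship-type URIs are standard Office Open XML identifiers; everything else (file names, the `scan` verdict layout) is the example's own assumption.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard Office Open XML identifiers (not values taken from the article).
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
IMAGE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                  "relationships/image")

# Minimal parts so the constructed samples are valid OOXML zip packages.
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-'
    'package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/>'
    '</Types>'
)
DOCUMENT_XML = (
    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/'
    'wordprocessingml/2006/main"><w:body/></w:document>'
)

# Constructed sample relationship parts: a benign internal image relationship,
# and the pattern the article describes (external oleObject with an mhtml: target).
BENIGN_RELS = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    f'<Relationships xmlns="{RELS_NS}">'
    f'<Relationship Id="rId1" Type="{IMAGE_REL_TYPE}" Target="media/image1.png"/>'
    '</Relationships>'
)
SUSPICIOUS_RELS = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    f'<Relationships xmlns="{RELS_NS}">'
    f'<Relationship Id="rId5" Type="{OLE_REL_TYPE}" '
    'Target="mhtml:http://example.invalid/placeholder.html" TargetMode="External"/>'
    '</Relationships>'
)


def build_sample_docx(rels_xml):
    """Pack a minimal .docx (zip) around the given word/_rels/document.xml.rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("word/document.xml", DOCUMENT_XML)
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


def find_external_ole_relationships(docx_bytes):
    """Return [(rels_part_name, target)] for every oleObject relationship marked External."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(docx_bytes))
    except zipfile.BadZipFile:
        return hits  # not an OOXML package at all; nothing to inspect here
    with zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed part; a stricter policy could flag this too
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("Type") != OLE_REL_TYPE:
                    continue
                # Internal OLE objects are normal; only external targets fetch remote content.
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                hits.append((name, rel.get("Target", "")))
    return hits


def is_mhtml_target(target):
    """True when an external target uses the mhtml: scheme (case-insensitive)."""
    return target.strip().lower().startswith("mhtml:")


def scan(docx_bytes):
    """Verdict dict: all external OLE targets, the mhtml: ones, and an overall flag."""
    hits = find_external_ole_relationships(docx_bytes)
    mhtml = [t for _, t in hits if is_mhtml_target(t)]
    return {"external_ole": hits, "mhtml_ole": mhtml, "suspicious": bool(mhtml)}


if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspicious", SUSPICIOUS_RELS)):
        print(label, scan(build_sample_docx(rels)))
```

Any external oleObject relationship deserves a look in a mail gateway or sandbox rule, but the `mhtml:` scheme is the specific signal tied to the loader chain in this campaign, so the verdict separates the two lists. The check is deliberately static: it never fetches the target, so it is safe to run on quarantined attachments.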
Microsoft is tracking the threat actor but has not yet identified it; MSTIC labels such unidentified actors as “development groups” using a naming convention with the prefix “DEV.”
This designation marks an emerging threat group or anomalous activity during the tracking and investigation stages, before MSTIC reaches high confidence about the origin or identity of the actor behind the operation.
MSTIC has also identified a large cluster of criminal activity involving the Cobalt Strike infrastructure, which it tracks under the name “DEV-0365.”
Here’s the list of possible detection names mentioned below:-
Also, “Kaspersky researchers uncovered several attempts to exploit the CVE-2021-40444 vulnerability targeting companies in the research and development sector, the energy sector and large industrial sectors, banking, and medical technology development sectors, as well as telecommunications and the IT sector,” the Kaspersky report says.
After learning these key details, MSTIC engaged the Microsoft Security Response Center (MSRC), and together they began working on mitigations and a patch for this campaign.
They also coordinated with the original finder at Mandiant to limit public discussion of the issue and avoid drawing threat-actor attention to it until a patch was available.
Mandiant partnered with MSTIC, performed its own reverse-engineering evaluation, and shared its findings with MSRC. Microsoft released a security advisory for CVE-2021-40444 on September 7, 2021, containing a partial workaround.
Here are some mitigations and recommendations for this attack, listed below:-
Some of the infrastructure used by DEV-0413 to host malicious artifacts has also been involved in delivering BazaLoader and Trickbot malware. Organizations should therefore apply these mitigations carefully, as they will help defend against such attacks.