Microsoft Unveils Details of Targeted Phishing Attack Exploiting Critical Vulnerability
On Wednesday, Microsoft provided significant insights into a sophisticated phishing campaign that capitalized on a now-resolved zero-day vulnerability in its MSHTML platform. The exploit involved specially designed Office documents aimed at deploying Cobalt Strike Beacon malware on compromised Windows systems, enabling attackers to gain unauthorized access.
The vulnerability, marked as CVE-2021-40444, was identified as the initial entry point in a campaign distributing custom loaders for Cobalt Strike Beacon. According to the Microsoft Threat Intelligence Center, these loaders were linked to multiple cybercriminal operations, including those involving human-operated ransomware. The technical write-up emphasized the critical nature of this vulnerability and its role in facilitating attacks against potentially unsuspecting victims.
CVE-2021-40444 was initially reported on September 7, following insights from researchers at EXPMON who alerted Microsoft to a “highly sophisticated” attack targeting Microsoft Office users. This attack exploited a remote code execution flaw in MSHTML, the proprietary browser engine used in applications like Word, Excel, and PowerPoint to render web content.
Researchers indicated that the exploited attack vector relied on a malicious ActiveX control that could be executed through a compromised Office document. In response to the growing threat, Microsoft released a patch on September 14 as part of its regular security updates, addressing this critical vulnerability.
Attributing the attack to cybercriminal groups identified as DEV-0413 and DEV-0365, Microsoft noted that the latter is associated with the infrastructure supporting the Cobalt Strike attacks. They highlighted that an early attempt by DEV-0413 to exploit the vulnerability was recorded on August 18, well ahead of broader awareness.
The exploitation method involved emails disguised as contracts and legal agreements, with the lure documents hosted on file-sharing platforms. Victims who opened these documents unwittingly downloaded a Cabinet archive file containing a DLL with an INF extension, which, when decompressed, executed specific functions to download Cobalt Strike Beacon loaders into the Microsoft address import tool.
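Defenders triaging the malicious documents described above (the ActiveX control reached through a compromised Office document, and the document-to-Cabinet chain) commonly start by looking at the document's relationship parts rather than the payload. The scanner below is an added example written for this article; it is not code from Microsoft's write-up or from any tool the article names. It assumes the publicly known CVE-2021-40444 document shape, in which an OLE object relationship points at an external URL (typically an mhtml: or http(s) scheme) instead of an embedded part, and it builds a constructed sample .docx in memory so it runs offline; the URL in that sample is a placeholder, not an indicator from the article.

```python
"""Flag OOXML documents whose OLE object relationships reach outside the package.

Added example, not from the article or from Microsoft's report. Assumption: a
document weaponised for CVE-2021-40444 carries an oleObject relationship with
TargetMode="External" and/or an mhtml:/http(s) target, which a benign document
does not need. The sample document produced here is constructed for testing.
"""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET  # use defusedxml in production for untrusted input
from typing import Dict, List
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
SUSPICIOUS_SCHEMES = {"mhtml", "http", "https"}


def find_external_ole_relationships(docx_bytes: bytes) -> List[Dict[str, str]]:
    """Return one finding per oleObject relationship that is external or URL-based."""
    findings: List[Dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            # Relationship parts live in */_rels/*.rels
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed part: out of scope for this check
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("Type") != OLE_REL_TYPE:
                    continue
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "Internal").lower() == "external"
                scheme = urlsplit(target).scheme.lower()
                if external or scheme in SUSPICIOUS_SCHEMES:
                    findings.append({"part": name, "id": rel.get("Id", ""),
                                     "target": target, "scheme": scheme})
    return findings


def build_sample_docx(external_ole: bool) -> bytes:
    """Build a minimal constructed .docx: benign embedded OLE or an external target."""
    if external_ole:
        # Placeholder URL (constructed), shaped like the publicly documented pattern.
        target = "mhtml:http://placeholder.invalid/side.html!x-usc:http://placeholder.invalid/side.html"
        mode = ' TargetMode="External"'
    else:
        target = "embeddings/oleObject1.bin"
        mode = ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId5" Type="%s" Target="%s"%s/>'
        '</Relationships>' % (REL_NS, OLE_REL_TYPE, target, mode)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", '<?xml version="1.0"?><document/>')
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def scan_path(path: str) -> List[Dict[str, str]]:
    with open(path, "rb") as fh:
        return find_external_ole_relationships(fh.read())


if __name__ == "__main__":
    docs = [scan_path(p) for p in sys.argv[1:]] if len(sys.argv) > 1 else [
        find_external_ole_relationships(build_sample_docx(external_ole=True))]
    for hits in docs:
        for hit in hits:
            print("SUSPICIOUS %(part)s %(id)s -> %(target)s" % hit)
```

Run it with one or more .docx paths to scan real files, or with no arguments to scan the constructed sample. A hit is a triage signal, not proof of exploitation: the next steps are to detonate the document in an isolated environment and to correlate with process-creation telemetry for Office spawning the control or extracting Cabinet contents.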
In addition, Microsoft reported that some of the infrastructure linked to DEV-0413 was also associated with the distribution of payloads like BazaLoader and Trickbot, which are tracked under the codename DEV-0193. Researchers observed that at least one organization struck by DEV-0413 was previously compromised by malware that also interacted with DEV-0365’s infrastructure prior to the CVE-2021-40444 attack, suggesting a possible link beyond mere opportunism.
Independent investigations by Microsoft’s RiskIQ subsidiary have strongly connected these recent attacks to the Wizard Spider syndicate, also known as Ryuk. This ransomware group utilized a network of over 200 active servers for command and control activities related to Cobalt Strike Beacon implants, underscoring the widespread nature of these cyber threats.
The troubling association of a zero-day exploit with a ransomware group raises significant concerns about the escalating complexity and sophistication of cyberattacks. RiskIQ researchers noted that this reflects either the integration of advanced tools like zero-day exploits into the ransomware-as-a-service model or the use of criminal infrastructure by more sophisticated adversaries.
In this context, the MITRE ATT&CK framework highlights relevant tactics employed during the attack, including initial access through phishing, persistence via malware implantation, and privilege escalation through Cobalt Strike Beacon. Such an understanding is crucial as organizations strive to fortify their defenses against increasingly sophisticated cyber threats.
As the cybersecurity landscape continues to evolve, vigilance remains paramount. Continuous education about emerging threats and proactive measures against potential vulnerabilities are essential for safeguarding digital assets in today’s interconnected world.