Overview
On September 7, 2021, Microsoft released a statement warning of targeted attacks attempting to exploit a remote code vulnerability found in Office 365 and Office 2019 on Windows 10. The vulnerability involves a zero-day remote code execution in MSHTML, which is Internet Explorers main HTML component.
CVE-2021-40444 is a vulnerability that becomes exploited when attackers create specially crafted, malicious Microsoft Office documents using ActiveX control. After sending the document, the attacker then tries to convince the victim to open the document so they can gain user rights on a system. Victims with administrative user rights over documents are more susceptible to these attacks than those who have less user rights.
Cyber Security researchers state that the exploit uses logical flaws and is dangerous – with a rating of 8.8 out of 10 on the Common Vulnerability Scoring System. There are currently no patches for the vulnerability, but Microsoft has published mitigations and workarounds to help keep your organization safe. If you have not already taken the steps to help protect your systems, please do so now by reading our recommendations below.
CVEs
CVE-2021-40444
How Avertium is Protecting Our Customers
We are currently pushing known IoCs to our managed SIEMs.
Recommendations
- Don’t open documents without being sure of the origin.
- Disable ActiveX controls in Internet Explorer.
- Be sure all documents from the internet are opened in Protected View or in Application Guard for Office. Opening in these programs ensures protection when opening documents from unknown/unexpected senders. Opening in Protected View or in Application Guard is Microsoft’s default, but you should never disable it.
Indicators of Compromise (IoCs)
- https://joxinu.com/ml[.]html
- http://45.147.229[.]242:22
- http://45.147.229[.]242:443
- http://dodefoh[.]com/
- 6eedf45cb91f6762de4e35e36bcb03e5ad60ce9ac5a08caeb7eda035cd74762b
- https://dodefoh.com/hr[.]html
- https://dodefoh[.]com/tab_shop_active
- http://hidusi[.]com/e8c76295a5f9acb7/
- 1d2094ce85d66878ee079185e2761beb
- 53b31e513d8e23e30b7f133d4504ca7429f0e1fe
- 938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52
- http://dodefoh[.]com
- http://hidusi[.]com/e8c76295a5f9acb7/ministry.cab
- http://hidusi[.]com/e8c76295a5f9acb7/side.html
- dodefoh[.]com
- hidusi[.]com
- 0b7da6388091ff9d696a18c95d41b587
- 4c80dc9fb7483214b1613957aae57e2a
- e770385f9a743ad4098f510166699305
- 56a8d4f7009caf32c9e28f3df945a7826315254c
- 6c10d7d88606ac1afd30b4e61bf232329a276cdc
- e5f2089d95fd713ca3d4787fe53c0ec036135e92
- 1fb13a158aff3d258b8f62fe211fabeed03f0763b2acadbccad9e8e39969ea00
- d0fd7acc38b3105facd6995344242f28e45f5384c0fdf2ec93ea24bfbc1dc9e6
- 104.194.10[.]21
- 45.147.229[.]242
- http://dodefoh[.]com/tab_shop_active
- http://joxinu[.]com/ce
- http://joxinu[.]com/tab_shop_active
- joxinu[.]com
- bd4b9f4b79f8a9eedc12abe3919cecb041c61022485b87b3a5cdfd1891e30670
- macuwuf[.]com
- http://dodefoh[.]com/ml.html?dbprefix=false
- http://dodefoh[.]com/static-directory/media.gif
- http://dodefoh[.]com:443/
- http://joxinu[.]com/hr.html?dbprefix=false
- https://dodefoh[.]com/static-directory/media.gif
- https://macuwuf[.]com/get_load
- 108.62.118[.]69
- 45.153.241[.]127
- 23.106.160[.]25
References
https://www.bleepingcomputer.com/news/security/microsoft-shares-temp-fix-for-ongoing-office-365-zero-day-attacks/
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
https://redmondmag.com/articles/2021/09/07/microsoft-warns-malicious-office-docs.aspx
https://support.microsoft.com/en-us/topic/what-is-protected-view-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653
https://redmondmag.com/articles/2021/09/07/microsoft-warns-malicious-office-docs.aspx
https://support.microsoft.com/en-us/topic/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba4