Suleyman Ozarslan, PhD & Picus Labs | September 09, 2021
Picus Labs has updated the Picus Threat Library with attacks that exploit a critical 0-day remote code execution (RCE) vulnerability in MSHTML affecting Microsoft Windows operating systems.
What is the CVE-2021-40444 Vulnerability?
Microsoft published a security update guide for the CVE-2021-40444 vulnerability on September 7, 2021. This zero-day vulnerability is in the MSHTML component of Microsoft Windows. MSHTML is the Windows component that renders web pages.
How do Attackers Exploit the CVE-2021-40444 Vulnerability?
An attacker can create a malicious ActiveX control to be used by the MSHTML browser rendering engine in a Microsoft Office document. After preparing the malicious ActiveX control embedded in an MS Office document, the attacker has to deliver the malicious document to the user. Attackers mostly use the Phishing (MITRE ATT&CK T1566) technique to deliver malicious documents as attachments or links to the document. After that, the user has to open the malicious document to trigger the exploit.
For example, when the user opens the malicious document (SHA-256: 938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52), it downloads an .HTML file (SHA-256: d0fd7acc38b3105facd6995344242f28e45f5384c0fdf2ec93ea24bfbc1dc9e6).
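As an added defender-side example (not Picus code and not from the original post), the following Python scanner unpacks a .DOCX and flags external OLE object relationships in its .rels parts whose target goes through the mhtml: protocol handler, which is how publicly analysed CVE-2021-40444 documents hand a remote .HTML file to MSHTML. The minimal sample package, its file names and the example.invalid URL are constructed here, and treating external mhtml: OLE targets as suspicious is this example's assumption rather than a statement from the post.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces and relationship types defined by the Open XML package format.
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
STYLES_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"


def suspicious_ole_targets(docx_bytes: bytes) -> list:
    """Return 'part: target' for every external OLE relationship routed via mhtml:.

    A .docx is a ZIP; each *.rels part lists where embedded objects come from.
    A benign embedded object points at a part inside the package; the documents
    described above instead point MSHTML at a remote URL through mhtml:.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
                target = rel.get("Target", "")
                if (rel.get("Type") == OLE_REL
                        and rel.get("TargetMode") == "External"
                        and target.lower().startswith("mhtml:")):
                    hits.append(f"{name}: {target}")
    return hits


def build_sample_docx(target: str) -> bytes:
    """Constructed minimal .docx holding only the parts the scanner inspects."""
    rels = (
        f'<Relationships xmlns="{PKG_NS}">'
        f'<Relationship Id="rId1" Type="{STYLES_REL}" Target="styles.xml"/>'
        f'<Relationship Id="rId5" Type="{OLE_REL}" Target="{target}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Constructed targets: example.invalid is a reserved, non-resolving domain.
MALICIOUS = "mhtml:http://example.invalid/side.html!x-usc:http://example.invalid/side.html"
BENIGN = "file:///C:/shared/report.xlsx"

if __name__ == "__main__":
    for label, target in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(label, suspicious_ole_targets(build_sample_docx(target)))
```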
What is the Impact of CVE-2021-40444 Vulnerability?
CVE-2021-40444 allows unauthenticated attackers to execute arbitrary code on Microsoft Windows. The CVE-2021-40444 vulnerability can be exploited remotely and doesn’t require an admin or privileged account. Accordingly, the CVSSv3 base score for CVE-2021-40444 is 8.8 Critical.
What is the Current Situation?
As also stated by Microsoft, attackers are exploiting this 0-day vulnerability by using Microsoft Office documents in their targeted attack campaigns. Picus Labs researchers have discovered numerous malicious Microsoft Office documents that include exploit payloads for CVE-2021-40444.
How to Protect Your Organization From CVE-2021-40444 Exploits?
Microsoft has not developed a patch yet.
Microsoft states that Microsoft Office opens documents in Protected View or Application Guard for Office, and both of these security mechanisms prevent exploitation of the CVE-2021-40444 vulnerability. However, attackers convince users to click the “Enable Editing” button, which disables these mechanisms.
In the security update guide for CVE-2021-40444, Microsoft advises disabling the installation of ActiveX controls in Internet Explorer by updating the relevant registry keys.
We advise you to simulate CVE-2021-40444 exploitation attacks and determine whether your security controls can prevent them or not.
How Does Picus Help Simulate CVE-2021-40444 Microsoft Office Exploits?
We also strongly suggest simulating CVE-2021-40444 exploitation attacks with the Picus Continuous Security Control Validation Platform to test the effectiveness of your security controls against them. The Picus Threat Library includes the following threats for the CVE-2021-40444 vulnerability:
Microsoft CVE-2021-40444 MSHTML RCE Vulnerability .DOCX File Download Variant-1
Microsoft CVE-2021-40444 MSHTML RCE Vulnerability .DOCX File Download Variant-2
Microsoft CVE-2021-40444 MSHTML RCE Vulnerability .DOCX File Download Variant-3
Microsoft CVE-2021-40444 MSHTML RCE Vulnerability .DOCX File Download Variant-4
Microsoft CVE-2021-40444 MSHTML RCE Vulnerability .DOCX File Download Variant-5
Microsoft CVE-2021-40444 MSHTML RCE Vulnerability .XML File Download Variant-1
The Picus Threat Library also contains 1,500+ vulnerability exploitation and endpoint attacks in addition to 10,500+ other threats as of today.
Indicators of Compromise (IOCs)
.DOCX file #1 (A Letter before court 4.docx):
.DOCX file #2 (PRD.docx):
.DOCX file #3 (Project details (1).docx):
.DOCX file #4 (App description.docx):
.DOCX file #5 (court.docx):
.HTML file (side.html):
.CAB file (ministry.cab):
.DLL file (payload.dll):
.XML file (document.xml.rels):