Ransomware Attackers Look For Unpatched Systems To Exploit

Not long ago Microsoft patched a critical MSHTML remote code execution security flaw being tracked as CVE-2021-40444.

Beginning on August 18th of this year (2021) the company spotted hackers exploiting this flaw in the wild. So far there have been fewer than ten attacks made that exploit this flaw but it’s inevitable that the number will increase.

So far all of the attacks that have been tracked exploiting this flaw have relied on maliciously crafted Word documents and all have resulted in the installation of Cobalt Strike Beacon loaders.

Beacons deployed on at least one of the networks that were attacks communicated with infrastructure connected with a number of cyber crime campaigns. Those include the ones that utilize human-operated ransomware.

At least two of the other attacks tracked to date have delivered Trickbot and BazaLoader payloads. Microsoft observed a huge spike in exploitation attempts from multiple threat actors including some affiliated with ransomware-as-a-service operations.

Microsoft is continuing to monitor the situation but the bottom line is simply this: This flaw has been patched. Researchers connected with Bleeping Computer have independently verified that the exploit no longer works after applying the September 2021 security patch.

Hackers around the world are actively scanning for unpatched systems in order to exploit the vulnerability. If your system is vulnerable then your risk in this instance is extreme. The best course of action is to patch your way out of danger at your earliest opportunity.

If for any reason you are unable to apply the patch be aware that Microsoft has published a viable workaround that includes disabling ActiveX controls via Group Policy and preview in Windows Explorer.

Kudos to Microsoft for addressing the issue and for coming up with a workaround for those who are unable to patch their way to safety.