Links Found Between MSHTML Zero-Day Attacks and Ransomware Operations

Microsoft and threat intelligence company RiskIQ reported finding links between the exploitation of a recently patched Windows zero-day vulnerability and known ransomware operators.
The existence of the zero-day, tracked as CVE-2021-40444, came to light on September 7, when Microsoft announced mitigations and warned that the flaw had been exploited in targeted attacks using specially crafted Office documents.

The issue affects MSHTML, the browser rendering engine in Windows that Office documents can load through an ActiveX control, and it has been exploited for remote code execution. Microsoft released patches on September 14 as part of its Patch Tuesday updates.

Microsoft and RiskIQ (Microsoft announced in July that it was acquiring RiskIQ) on Wednesday published separate blog posts analyzing the attacks exploiting CVE-2021-40444.

The first exploitation attempts were spotted in mid-August, but Microsoft reported a significant increase in exploitation attempts after proof-of-concept (PoC) code and other technical details were made publicly available shortly after its initial disclosure.

The tech giant says multiple threat actors, including ransomware-as-a-service affiliates, have been leveraging the available PoC code, but the company believes some of the exploitation attempts are part of testing, rather than malicious attacks.

The first attacks observed by Microsoft (the company initially saw fewer than 10 exploitation attempts) leveraged CVE-2021-40444 to deliver custom Cobalt Strike Beacon loaders. Microsoft tracks the attackers as DEV-0413; the DEV prefix is assigned to emerging threat groups or clusters of activity that have not yet been attributed. The group apparently used emails referencing contracts and legal agreements to get targets to open documents configured to exploit the MSHTML vulnerability and deliver the malware.

(Image: CVE-2021-40444 exploit email)

Interestingly, the Cobalt Strike infrastructure used in the attacks was previously connected to cybercrime groups known for using ransomware such as Conti and Ryuk to target major enterprises. These threat actors are tracked as Wizard Spider (CrowdStrike), UNC1878 (FireEye), DEV-0193, and DEV-0365 (Microsoft).

“Despite the historical connections, we cannot say with confidence that the threat actor behind the zero-day campaign is part of WIZARD SPIDER or its affiliates, or is even a criminal actor at all, though it is possible. If the threat actors were part of these groups, it means they almost surely purchased the zero-day exploit from a third party because they have not previously shown the ability to develop exploit chains of this complexity,” RiskIQ said in its blog post.

The company added, “Instead, we assess with medium confidence that the goal of the operators behind the zero-day may, in fact, be traditional espionage. This goal could easily be obscured by a ransomware deployment and blend into the current wave of targeted ransomware attacks.”

RiskIQ offers several possible explanations for the overlap: the cyberspies may have compromised the ransomware infrastructure, the ransomware operators may have allowed them to use it, a single group may engage in both espionage and cybercrime, or the two groups may simply share the same bulletproof hosting provider.

Microsoft noted that in attacks exploiting CVE-2021-40444, the initial malicious document originates from the internet and should therefore carry the "mark of the web" (the Zone.Identifier marker Windows attaches to downloaded files). Office opens such documents in Protected View, which blocks the exploit unless the user explicitly enables editing. However, if attackers find a way to deliver the document without a mark of the web, the exploit can run the payload in the document without further user interaction.
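Because the Protected View safeguard depends entirely on the mark of the web being present, a practical check is to verify that documents in a download location actually carry it. The following PowerShell script is an added example written for this page, not code from Microsoft or RiskIQ. It reads the Zone.Identifier alternate data stream of each Office document under a folder (the default path and the extension list are assumptions chosen for illustration) and reports which files lack the marker or carry a zone other than Internet (3) or Restricted Sites (4), the zones for which Office applies Protected View.

```powershell
# Added example: audit Office documents for the mark of the web (Zone.Identifier ADS).
# $Path and $docExt are illustrative assumptions; adjust for your environment.
param([string]$Path = "$env:USERPROFILE\Downloads")

# Office formats that can embed the ActiveX/MSHTML control used in the CVE-2021-40444 attacks
$docExt = @('.doc', '.docx', '.docm', '.dot', '.dotm', '.rtf',
            '.xls', '.xlsx', '.xlsm', '.ppt', '.pptx', '.pptm')

function Get-MotwReport {
    param([string]$Root)

    Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $docExt -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $file     = $_
            $zoneId   = $null
            $referrer = $null
            $hostUrl  = $null
            try {
                # The stream is INI-like text: [ZoneTransfer], ZoneId=3, ReferrerUrl=..., HostUrl=...
                $lines = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction Stop
                foreach ($line in $lines) {
                    if ($line -match '^ZoneId=(\d+)\s*$')    { $zoneId   = [int]$Matches[1] }
                    if ($line -match '^ReferrerUrl=(.*)$')   { $referrer = $Matches[1] }
                    if ($line -match '^HostUrl=(.*)$')       { $hostUrl  = $Matches[1] }
                }
            } catch {
                # No Zone.Identifier stream at all: the file has no mark of the web.
            }

            # Protected View is applied for files that came from the Internet (3) or Restricted Sites (4) zones.
            $protected = ($null -ne $zoneId) -and ($zoneId -ge 3)

            [pscustomobject]@{
                File          = $file.FullName
                ZoneId        = $zoneId
                ProtectedView = $protected
                ReferrerUrl   = $referrer
                HostUrl       = $hostUrl
            }
        }
}

$report = Get-MotwReport -Root $Path

# Files that Office would open fully trusted, i.e. where the exploit needs no "Enable Editing" click.
$unmarked = $report | Where-Object { -not $_.ProtectedView }

$report   | Format-Table -AutoSize
Write-Host ("{0} of {1} documents have no effective mark of the web" -f $unmarked.Count, $report.Count)
```

Run it as an ordinary user against the folder where mail attachments or browser downloads land; every document listed as ProtectedView = False is one Office will open without Protected View, so treat an unexpected absence of the marker (for example on a file the user says came by email or from a website) as a signal worth investigating. Note that `Unblock-File` removes the stream legitimately, and that files written to non-NTFS volumes cannot carry it at all, so the check is an audit aid rather than a guarantee.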

Related: Microsoft Patches 3 Under-Attack Windows Zero-Days

Related: At Least 10 Threat Actors Targeting Recent Microsoft Exchange Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
