ThreatSTOP Blog

Microsoft Warns: New Office Zero-Day Exploited in Targeted Attacks

Written by Ofir Ashman | September 9, 2021

It's just months since Microsoft exposed four zero-day vulnerabilities used to attack Exchange servers, and another round of Microsoft exploit havoc has already begun. This time they target OS we all know, and (at least most of us) love - Windows 10, as well as some Windows Server versions. The remote code execution (RCE) vulnerability, known as CVE 2021-40444, is a bug in Internet Explorer's browser rendering engine "MSHTML". Although IE use has been declining for years, what makes this vulnerability so dangerous is that MS Office documents also use this rendering engine for browser-based content. In an advisory released by Microsoft, they explain that they are "aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents”. While the company has revealed little about the nature of the zero-day, they have stated that CVE 2021-40444 is exploited via malicious ActiveX controls embedded in Office documents.

Today, TrendMicro released an analysis of multiple document samples exploiting this vulnerability to download Cobalt Strike payloads, using the following domains:

 

Domain Function
joxinu[.]com C&C Server
dodefoh[.]com C&C Server
pawevi[.]com C&C Server
hidusi[.]com Malware Accomplice
sagoge[.]com Malware Accomplice
comecal[.]com Malware Accomplice
rexagi[.]com Malware Accomplice
macuwuf[.]com Malware Accomplice

 

While these domains only hit the security spotlight today, they were already identified by Farsight last month. ThreatSTOP integrates Farsight's Newly Observed Domains into our blocklists as one of over 800 threat intelligence sources. This allows users to block newly registered domains recognized by Farsight's Passive DNS network of sensors around the world, such as the domains leveraging CVE 2021-40444. The domain pawevi[.]com has an especially long track record with us, showing up in botnet-related threat targets.

Image: ThreatSTOP's CheckIOC

To be protected, there are two critical actions you should take:

  • Take Microsoft's advice on handling the situation. While a patch for the vulnerability has yet to be released, Microsoft has recommended a number of mitigations and workarounds.
  • Better still, block these attacks BEFORE they happen. In addition to temporary band-aids created post-attack for each vulnerability, organizations should be using high quality threat intelligence to block malicious infrastructure from the first time it's abused - not the tenth. At ThreatSTOP, we block attacks before they become famous.

 

Ready to try ThreatSTOP in your network? Want an expert-led demo to see how it works?