HP Inc. has captured exploits of the zero day CVE-2021-404441 remote code execution vulnerability that enables hackers to exploit the MSHTML browser engine using specially crafted Microsoft Office documents.
The vulnerability was first captured by HP on September 8, six days before Microsoft issued a patch and is another indication that hackers are scurrying to weaponize new zero-day vulnerabilities, HP Inc. said in its newly released Wolf Security Threats Insight Report. Because zero-day vulnerabilities are either previously unknown or a patch has yet to be developed, hackers can exploit them to compromise networks, data and other critical functions.
Microsoft released a security notice of the vulnerability on September 7 in which it warned that that it had already been used in targeted attacks against Microsoft Office users, likely referring to HP’s capturing exploits. In the warning, Microsoft said an attacker could tailor a malicious ActiveX control to be used by an Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users with administrative rights are more vulnerable than those with few user rights on the system, Microsoft said.
Attempts to exploit the vulnerability are reportedly targeting companies in the research and development sector, the energy sector and large industrial sectors, banking and medical technology development sectors, telecommunications and the IT sector. HP said its researchers saw on September 10 scripts on GitHub designed to automate the exploit. “Unless patched, the exploit enables attackers to compromise endpoints with very little user interaction,” HP said. Other exploits isolated by HP threat researchers include:
Rise in cyber criminals using legitimate Cloud and web providers to host malware: HP discovered multiple malware families being hosted on gaming social media platforms.
Targeted campaign found posing as the Ugandan National Social Security fund: Attackers used “typosquatting” in which a spoofed web address similar to an official domain name is used to lure targets to a site that downloads a malicious Word document.
Switching to HTA files spreads malware in a single click: The Trickbot Trojan is now being delivered via HTA (HTML application) files, which deploy the malware as soon as the attachment or achive file containing it is opened.
“The average time for a business to apply, test and fully deploy patches with the proper checks is 97 days, giving cyber criminals an opportunity to exploit this window of vulnerability.” said Alex Holland, a senior malware analyst on the HP Wolf Security threat research team. “While only highly capable hackers could exploit this vulnerability at first, automated scripts have lowered the bar for entry, making this type of attack accessible to less knowledgeable and resourced threat actors,” Holland said.
Additional key findings in the report include:
- 12% of email malware isolated had bypassed at least one gateway scanner.
- 89% of malware detected was delivered via email, while web downloads were responsible for 11%, and other vectors like removable storage devices for less than 1%.
- The most common attachments used to deliver malware were archive files (38% – up from 17% last quarter), Word documents (23%), spreadsheets (17%), and executable files (16%).
- The top five most common phishing lures were related to business transactions such as “order”, “payment”, “new”, “quotation” and “request”
- The report found 12% of malware captured was previously unknown.
The findings are based on data from endpoints running HP Wolf Security.
“We can’t keep relying on detection alone. The threat landscape is too dynamic and, as we can see from the analysis of threats captured in our VMs, attackers are increasingly adept at evading detection,” said Dr. Ian Pratt, HP Inc. global head of security for personal systems. “Organizations must take a layered approach to endpoint security, following zero trust principles to contain and isolate the most common attack vectors,” he said.