
MSHTML Zero-Day Exploited to deploy Cobalt Strike Beacon in targeted Windows machine

MSHTML (also known as Trident) is a proprietary browser engine for the Windows version of Internet Explorer, developed by Microsoft.

According to the Microsoft Threat Intelligence Center (MSTIC), a number of attacks have attempted to exploit a remote code execution vulnerability in MSHTML, tracked as CVE-2021-40444, using specially crafted Microsoft Office documents.

As part of an initial campaign that distributed custom Cobalt Strike Beacon loaders, these attackers communicated with infrastructure that Microsoft associates with multiple cyber-criminal campaigns, including human-operated ransomware.

How the Windows MSHTML Zero-Day Was Exploited to Deploy Cobalt Strike Beacon on Targeted Systems

The attack vector relies on a malicious ActiveX control that MSHTML loads from a specially crafted Office document.

Microsoft customers who enabled attack surface reduction rules to block Office from creating child processes are not affected by the exploitation technique used in these attacks. The attackers leveraged the vulnerability to gain access to entry-point devices and run highly privileged code; their secondary actions relied on stealing credentials, which could result in organization-wide impact.

Again, this attack illustrates the importance of implementing attack surface reduction, credential hygiene, and lateral movement mitigations.

How to Mitigate Against the MSHTML Zero-Day Exploit

Microsoft has already rolled out a fix for the MSHTML vulnerability as part of its Patch Tuesday updates on September 14.

Therefore, customers are advised to apply the security patch for CVE-2021-40444 to fully mitigate this vulnerability. Also, Microsoft has confirmed that the attack surface reduction rule blocks activity associated with exploitation of the MSHTML Zero-Day.
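As an added example (not code from the article or from Microsoft), the following PowerShell enables the attack surface reduction rule referred to above, "Block all Office applications from creating child processes", on a single Defender-protected host, reports its configured state, and lists recent ASR block/audit events for that rule. It assumes an elevated session with Microsoft Defender Antivirus installed; the rule GUID and the event IDs 1121/1122 are taken from Microsoft's ASR documentation rather than from this article.

```powershell
# Added example, not from the article. Assumes Microsoft Defender Antivirus
# and an elevated PowerShell session. Rule GUID assumed from Microsoft's
# ASR documentation for "Block all Office applications from creating child processes".
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Get-AsrRuleState {
    param([Parameter(Mandatory)][string]$RuleId)
    # Get-MpPreference exposes parallel arrays: index i of the Ids array
    # corresponds to index i of the Actions array.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids     | Where-Object { $_ })
    $actions = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) {
            switch ([int]$actions[$i]) {
                0       { return 'Disabled' }
                1       { return 'Block' }
                2       { return 'Audit' }
                6       { return 'Warn' }
                default { return "Unknown($($actions[$i]))" }
            }
        }
    }
    return 'NotConfigured'
}

function Enable-AsrRule {
    param(
        [Parameter(Mandatory)][string]$RuleId,
        [ValidateSet('Enabled', 'AuditMode')][string]$Mode = 'Enabled'
    )
    # Add-MpPreference appends to the existing rule list; it does not
    # overwrite other ASR rules already configured on the host.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions $Mode
}

"Before: $(Get-AsrRuleState -RuleId $OfficeChildProcRule)"
Enable-AsrRule -RuleId $OfficeChildProcRule -Mode Enabled
"After:  $(Get-AsrRuleState -RuleId $OfficeChildProcRule)"

# ASR hits are written to the Defender operational log:
# event 1121 = rule blocked an action, 1122 = rule fired in audit mode.
# Reviewing these after rollout shows whether Office was spawning child
# processes (the behaviour the exploitation technique depends on).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $OfficeChildProcRule } |
    Select-Object TimeCreated, Id, Message
```

Use `-Mode AuditMode` first on hosts where Office legitimately spawns child processes, then switch to `Enabled` once the 1122 events show no business-critical hits.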
