fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Windows MSHTML Zero-day Defenses Bypassed As New Info Emerges

Windows MSHTML Zero-day Defenses Bypassed As New Info Emerges

New details have emerged about the recent Windows CVE-2021-40444 zero-day vulnerability, how it is being exploited in attacks, and the threat actor’s ultimate goal of taking over corporate networks.

This Internet Explorer MSHTML remote code execution vulnerability, tracked as CVE-2021-40444, was disclosed by Microsoft on Tuesday but with few details as it has not been patched yet.

The only information shared by Microsoft was that the vulnerability uses malicious ActiveX controls to exploit Office 365 and Office 2019 on Windows 10 to download and install malware on an affected computer.

Since then, researchers have found the malicious Word documents used in the attacks and have learned new information about how the vulnerability is exploited.

Also Read: How Bank Disclosure Of Customer Information Work For Security

Why the CVE-2021-40444 zero-day is so critical

Since the release of this vulnerability, security researchers have taken to Twitter to warn how dangerous it is even though Microsoft Office’s ‘Protected View’ feature will block the exploit.

When Office opens a document it checks if it is tagged with a “Mark of the Web” (MoTW), which means it originated from the Internet.

If this tag exists, Microsoft will open the document in read-only mode, effectively blocking the exploit unless a user clicks on the ‘Enable Editing’ buttons.

Word document opened in Protected View
Word document opened in Protected View

As the “Protected View” feature mitigates the exploit, we reached out to Will Dormann, a vulnerability analyst for CERT/CC, to learn why security researchers are so concerned about this vulnerability.

Dormann told BleepingComputer that even if the user is initially protected via Office’s ‘Protected View’ feature, history has shown that many users ignore this warning and click on the ‘Enable Editing’ button anyway.

Dormann also warns that there are numerous ways for a document not to receive the MoTW flag, effectively negating this defense.

“If the document is in a container that is processed by something that is not MotW-aware, then the fact that the container was downloaded from the Internet will be moot. For example, if 7Zip opens an archive that came from the Internet, the extracted contents will have no indication that it came from the Internet. So no MotW, no Protected View.”

“Similarly, if the document is in a container like an ISO file, a Windows user can simply double-click on the ISO to open it. But Windows doesn’t treat the contents as having come from the Internet. So again, no MotW, no Protected View.”

“This attack is more dangerous than macros because any organization that has chosen to disable or otherwise limit Macro execution will still be open to arbitrary code execution simply as the result of opening an Office document.” – Will Dormann

To make matters even worse, Dormann discovered that you could use this vulnerability in RTF files, which do not benefit from Office’s Protected View security feature.

Microsoft has also shared mitigations to prevent ActiveX controls from running in Internet Explorer, effectively blocking the current attacks.

However, security researcher Kevin Beaumont has already discovered a way to bypass Microsoft’s current mitigations to exploit this vulnerability.

With these bypasses and additional use cases, CVE-2021-40444 has become even more severe than initially thought.

Also Read: Data Protection Framework: Practical Guidance for Businesses

How CVE-2021-40444 is currently used in attacks

While we do not have the actual phishing emails used in the attacks, Beaumont has analyzed the malicious Word document to understand better how the exploit works.

One of the known malicious Word attachments used in the attacks is named ‘A Letter before court 4.docx’ [VirusTotal] and claims to be a letter from an attorney.

Since the file was downloaded from the Internet, it will be tagged with the ‘Mark of the Web’ and opened in Protected View, as shown below.

Malicious Word document for the CVE-2021-40444 exploit
Malicious Word document for the CVE-2021-40444 exploit

Once a user clicks on the ‘Enable Editing’ button, the exploit will open an URL using the ‘mhtml’ protocol to a ‘side.html’ [VirusTotal] file hosted at a remote site, which is loaded as a Word template.

As ‘mhtml’ URLs are registered to Internet Explorer, the browser will be started to load the HTML, and its obfuscated JavaScript code will exploit the CVE-2021-40444 vulnerability by creating a malicious ActiveX control.

Obfuscated JavaScript in side.html file
Obfuscated JavaScript in side.html file

This ActiveX control will download a ministry.cab [VirusTotal] file from a remote site, extract a championship.inf [VirusTotal] file (actually a DLL), and execute it as a Control Panel ‘CPL’ file, as illustrated in the image below from a Trend Micro report.

Executing the championship.inf files as a CPL file
Executing the championship.inf files as a CPL file

TrendMicro states that the ultimate payload is installing a Cobalt Strike beacon, which would allow the threat actor to gain remote access to the device.

Once the attacker gains remote access to victims’ computers, they can use it to spread laterally throughout the network and install further malware, steal files, or deploy ransomware.

Due to the severity of this vulnerability, it is strongly advised that users only open attachments unless they come from a trusted source.

While Microsoft’s Patch Tuesday is next week, it is unclear if Microsoft will have enough time to fix the bug and adequately test it by then.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us