FLASH NOTICE:
  Microsoft Issues Warning for Remote Code Execution Vulnerability

Need to Report an Incident? Call +1 (877) 707-7997

Flash Notice – Microsoft Issues Warning for Remote Code Execution Vulnerability

LockFile
Share on linkedin
Share on facebook
Share on twitter
Share on reddit
Share on email
Share on print

Overview

On September 7, 2021, Microsoft released a statement warning of targeted attacks attempting to exploit a remote code vulnerability found in Office 365 and Office 2019 on Windows 10. The vulnerability involves a zero-day remote code execution in MSHTML, which is Internet Explorers main HTML component.

CVE-2021-40444 is a vulnerability that becomes exploited when attackers create specially crafted, malicious Microsoft Office documents using ActiveX control. After sending the document, the attacker then tries to convince the victim to open the document so they can gain user rights on a system. Victims with administrative user rights over documents are more susceptible to these attacks than those who have less user rights.

Cyber Security researchers state that the exploit uses logical flaws and is dangerous – with a rating of 8.8 out of 10 on the Common Vulnerability Scoring System. There are currently no patches for the vulnerability, but Microsoft has published mitigations and workarounds to help keep your organization safe. If you have not already taken the steps to help protect your systems, please do so now by reading our recommendations below.

 

CVEs

CVE-2021-40444

 

 

How Avertium is Protecting Our Customers

We are currently pushing known IoCs to our managed SIEMs.

 

Recommendations

  • Don’t open documents without being sure of the origin.
  • Disable ActiveX controls in Internet Explorer.
  • Be sure all documents from the internet are opened in Protected View or in Application Guard for Office. Opening in these programs ensures protection when opening documents from unknown/unexpected senders. Opening in Protected View or in Application Guard is Microsoft’s default, but you should never disable it.

 

Indicators of Compromise (IoCs)

  • https://joxinu.com/ml[.]html
  • http://45.147.229[.]242:22
  • http://45.147.229[.]242:443
  • http://dodefoh[.]com/
  • 6eedf45cb91f6762de4e35e36bcb03e5ad60ce9ac5a08caeb7eda035cd74762b
  • https://dodefoh.com/hr[.]html
  • https://dodefoh[.]com/tab_shop_active
  • http://hidusi[.]com/e8c76295a5f9acb7/
  • 1d2094ce85d66878ee079185e2761beb
  • 53b31e513d8e23e30b7f133d4504ca7429f0e1fe
  •  938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52
  • http://dodefoh[.]com
  • http://hidusi[.]com/e8c76295a5f9acb7/ministry.cab
  • http://hidusi[.]com/e8c76295a5f9acb7/side.html
  • dodefoh[.]com
  • hidusi[.]com
  • 0b7da6388091ff9d696a18c95d41b587
  • 4c80dc9fb7483214b1613957aae57e2a
  • e770385f9a743ad4098f510166699305
  • 56a8d4f7009caf32c9e28f3df945a7826315254c
  • 6c10d7d88606ac1afd30b4e61bf232329a276cdc
  • e5f2089d95fd713ca3d4787fe53c0ec036135e92
  • 1fb13a158aff3d258b8f62fe211fabeed03f0763b2acadbccad9e8e39969ea00
  • d0fd7acc38b3105facd6995344242f28e45f5384c0fdf2ec93ea24bfbc1dc9e6
  • 104.194.10[.]21
  • 45.147.229[.]242
  • http://dodefoh[.]com/tab_shop_active
  • http://joxinu[.]com/ce
  • http://joxinu[.]com/tab_shop_active
  • joxinu[.]com
  • bd4b9f4b79f8a9eedc12abe3919cecb041c61022485b87b3a5cdfd1891e30670
  • macuwuf[.]com
  • http://dodefoh[.]com/ml.html?dbprefix=false
  • http://dodefoh[.]com/static-directory/media.gif
  • http://dodefoh[.]com:443/
  • http://joxinu[.]com/hr.html?dbprefix=false
  • https://dodefoh[.]com/static-directory/media.gif
  • https://macuwuf[.]com/get_load
  • 108.62.118[.]69
  • 45.153.241[.]127
  • 23.106.160[.]25
 
 

References

https://www.bleepingcomputer.com/news/security/microsoft-shares-temp-fix-for-ongoing-office-365-zero-day-attacks/ 

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444

https://redmondmag.com/articles/2021/09/07/microsoft-warns-malicious-office-docs.aspx

https://support.microsoft.com/en-us/topic/what-is-protected-view-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653

https://redmondmag.com/articles/2021/09/07/microsoft-warns-malicious-office-docs.aspx

https://support.microsoft.com/en-us/topic/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba4

Catch up on recent threat reports: “The PrintNightmare Continues”

Share this:
Share on linkedin
Share on twitter
Share on facebook
Share on reddit
Share on email
Share on print

Sign-up for Weekly Updates