In August, Microsoft security researchers discovered a vulnerability that was being actively exploited on Windows systems through manipulated documents. This week’s Patch Tuesday update included a fix for the previously unknown bug, which is tracked as CVE-2021-40444.
The attacks were not widespread; the vulnerability was used as part of an initial attack campaign that distributed custom Cobalt Strike Beacon loaders. Cobalt Strike is a penetration testing tool.
According to Microsoft’s analysis of the attacks, the loaders were not the work of state-sponsored hackers; instead, they communicated with infrastructure associated with various cybercriminal campaigns, including ransomware.
The social engineering lures used in some of the attacks suggest an element of targeting: for example, one campaign posed as a request for a mobile application developer and was aimed at several application development organizations.
At least one company that was successfully compromised by this campaign had previously been compromised by a wave of similar malware, according to Microsoft. In a subsequent wave of attacks, however, application developers were no longer targeted; instead, the lure was the threat of a minor lawsuit.
In this case, the attackers exploited the vulnerability in the Internet Explorer rendering engine to load a malicious ActiveX control via an Office document.
Once the attackers had gained access to the affected devices, they relied on stealing credentials and moving laterally across the network to compromise the entire company. Microsoft recommends that customers apply Tuesday’s patch to fully address the vulnerability, but also recommends hardening the network, cleaning up critical credentials, and taking steps to prevent lateral movement.
Microsoft views this attack as the work of an emerging or developing threat actor and tracks the Cobalt Strike infrastructure used in it as DEV-0365. It appears to be run by a single operator. However, Microsoft assumes that follow-on activity, including Conti ransomware, was carried out through it. The software giant suspects that it may be command-and-control infrastructure sold as a service to other cybercriminals.
Some of the infrastructure that hosted the oleObjects used in the August 2021 attacks exploiting CVE-2021-40444 was also involved in delivering BazaLoader and Trickbot payloads, activity that overlaps with a group Microsoft tracks as DEV-0193. DEV-0193’s activity in turn overlaps with actions tracked by Mandiant as UNC1878, according to Microsoft.
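As an added defender-side example (not Microsoft’s code and not from this article): an Office document is an OOXML zip package, and an OLE object that a document pulls from external infrastructure, as described above, shows up in the package’s relationship files as an oleObject relationship with `TargetMode="External"`. The script below opens such a package and flags those relationships; the relationship type URI is the standard OOXML one, and the sample document it inspects is constructed inline for illustration.

```python
"""Triage helper: flag OOXML documents whose relationships point at
externally hosted OLE objects. Added example, not Microsoft's code."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML namespace and relationship type for embedded/linked OLE objects.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def find_external_ole_rels(docx_bytes: bytes) -> list:
    """Return (rels_file, rel_id, target) for every oleObject relationship
    whose TargetMode is External, i.e. the object is fetched from elsewhere
    rather than stored inside the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External":
                    hits.append((name, rel.get("Id"), rel.get("Target")))
    return hits


def build_sample_docx(ole_target: str, external: bool) -> bytes:
    """Construct a minimal .docx-shaped package for testing (constructed
    sample, not a real document from any campaign)."""
    mode = ' TargetMode="External"' if external else ""
    rels = (f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId5" Type="{OLE_REL}" Target="{ole_target}"{mode}/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical target host; a real triage run would read a file from disk.
    sample = build_sample_docx("http://example.invalid/obj", external=True)
    for rels_file, rel_id, target in find_external_ole_rels(sample):
        print(f"suspicious external OLE target: {rels_file} {rel_id} -> {target}")
```

A locally embedded object (a relative target such as `embeddings/oleObject1.bin` without `TargetMode="External"`) is not flagged, so the check isolates the remotely hosted case the article describes.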
The BazaLoader malware has been used by malicious call center operators who rely on social engineering: targets are tricked into phoning operators, who then try to persuade the victims to install the malware themselves. These groups do not include malicious links in the e-mails sent to their targets, thereby bypassing the usual e-mail filtering rules.