Thursday, September 23, 2021 at 1:24 AM
MSHTML attack targets the Russian state rocket center and the interior ministry.
Malwarebytes has reason to suspect that the MSHTML vulnerability tracked as CVE-2021-40444 is being exploited to target Russian organizations, according to the company's research.
The Malwarebytes Intelligence team has intercepted email attachments aimed specifically at Russian organizations, the company reports.
The first template we discovered is designed to look like an internal communication within JSC GREC Makeyev. The Joint Stock Company State Rocket Center named for Academician V. P. Makeyev is a strategic asset of Russia's military-industrial complex and a leader in the rocket and space industries. It is also a leading producer of liquid- and solid-fuel strategic rocket systems for ballistic missiles, making it one of Russia's most important research and development facilities for rocket and space technology.
The document states that Human Resources is reviewing the personal information supplied by employees, and it asks workers to complete the form and return it to Human Resources, or to reply to the letter. To fill in the form, the recipient must enable editing, and that single action is enough to trigger the exploit.
The attack relies on MSHTML loading a specially crafted ActiveX control when the victim opens the malicious Office document. Once loaded, the ActiveX component can execute arbitrary code and infect the machine with further malware.
The second attachment we discovered claims to come from the Ministry of the Interior in Moscow. An attachment of this kind could be used against a number of different interesting targets at once.
It is unusual for us to find evidence of attacks directed against Russian targets. Given the targets, particularly the first, we have reason to believe that a state-sponsored actor is behind these attacks, and we are working to determine where they originated. We will provide updates if and when significant progress is made.
A vulnerability that has been patched
In some ways CVE-2021-40444 is retro (it involves ActiveX, remember that?), yet it is still relevant today and was only recently discovered. It did not take long for threat actors to start posting proof-of-concepts (PoCs), tutorials, and exploits on hacker forums, making it possible for anyone to follow step-by-step instructions and launch their own attacks.
Microsoft responded swiftly, publishing mitigation instructions that block the installation of new ActiveX controls and fitting a fix into its latest Patch Tuesday release, just a few weeks after the issue became public. The time it takes to develop a patch, however, is often dwarfed by the time it takes users to apply it. Organizations, especially large ones, are often found to lag behind on patching, so we can expect to see more attacks like these in the future.
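As an added example (not part of the original article or of Malwarebytes' own tooling), the following PowerShell script checks whether the ActiveX-blocking workaround Microsoft published for CVE-2021-40444 is in place on a host: it sets the URLACTION values 1001 (download signed ActiveX) and 1004 (download unsigned ActiveX) to 3 (disable) for Internet Explorer security zones 0 through 3 under the Internet Settings policy key. The function name and report format are my own; the script only reads the registry and changes nothing.

```powershell
# Added example: audit Microsoft's CVE-2021-40444 ActiveX workaround on the local host.
# Registry location and value names come from Microsoft's published mitigation;
# the function and report layout are assumptions of this example.
$ZoneRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# URLACTION 1001 = download signed ActiveX controls, 1004 = download unsigned ActiveX controls.
# A value of 3 means "disable". Zones 0-3 are Local Machine, Intranet, Trusted Sites, Internet.
$RequiredValues = @{ '1001' = 3; '1004' = 3 }

function Test-ActiveXWorkaround {
    $results = foreach ($zone in 0..3) {
        $zonePath = Join-Path $ZoneRoot ([string]$zone)
        foreach ($name in $RequiredValues.Keys) {
            $current = $null
            if (Test-Path $zonePath) {
                # Missing value or missing key both count as "not set".
                $current = (Get-ItemProperty -Path $zonePath -Name $name -ErrorAction SilentlyContinue).$name
            }
            [pscustomobject]@{
                Zone      = $zone
                Value     = $name
                Current   = $current
                Expected  = $RequiredValues[$name]
                Compliant = ($current -eq $RequiredValues[$name])
            }
        }
    }
    return $results
}

$report = Test-ActiveXWorkaround
$report | Sort-Object Zone, Value | Format-Table -AutoSize

if ($report.Compliant -contains $false) {
    Write-Warning 'ActiveX installation is not blocked in every IE zone; the CVE-2021-40444 workaround is absent or incomplete, so confirm the September 2021 security update is installed.'
} else {
    Write-Host 'ActiveX installation is blocked in all IE security zones (workaround present).'
}
```

Run it in an elevated PowerShell session so the HKLM policy key is readable on hardened hosts; a non-compliant result is only a problem on machines that have not yet received the patch.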