On October 14th, the SOC at iSecurity observed an active threat in which beaconing (C2) traffic was attempting to reach the IP addresses listed below. These IPs have recently appeared on threat lists for facilitating Qakbot and other forms of botnet activity (see references).
It is recommended that block actions be enabled for these IoCs. Any indicator of traffic to or from these hosts, or of the presence of the specified file or hash, should be cause for further investigation. Also please find below a copy of the original iSecurity bulletin detailing the CVE-2021-40444 zero-day vulnerability and its workarounds, which was sent out on September 14th.
Microsoft has published information regarding a zero-day remote code execution vulnerability that exploits MSHTML via a crafted ActiveX control. Successful exploitation of MSHTML in this instance raises process privileges, allowing it to covertly download malware to the compromised endpoint.
There are no patches available at this time from Microsoft, but the vulnerability can be mitigated by closing the attack vectors: 1) disabling ActiveX; and 2) increasing organizational vigilance against social engineering attacks.
Until a patch is available, it is recommended that ActiveX be disabled via Group Policy if possible. To disable ActiveX via Group Policy, complete the following:
In Group Policy settings, navigate to Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
For each zone, complete the following:
The initial vector for this vulnerability also hinges on a user opening a suspicious Office file that contains the crafted ActiveX control. Increased vigilance for social engineering attacks via Microsoft Office products (primarily Word documents sent via email) can therefore further mitigate this vulnerability. This may include redistributing educational materials reiterating the signs of suspicious emails and attachments. These materials may include the following points:
Further workaround details can be found here: Security Update Guide – Microsoft Security Response Center
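The Group Policy steps above have a registry equivalent: the policy values that the Internet Control Panel security-zone settings write. The PowerShell script below is an added example, not part of the iSecurity bulletin or of Microsoft's guidance text; it assumes the policy location HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone>, the value names 1001 (Download signed ActiveX controls) and 1004 (Download unsigned ActiveX controls), and the value 3 (Disable), which are the settings Microsoft's published workaround for CVE-2021-40444 used for zones 0 through 3. It can either apply the restriction or, with the -Audit switch, only report whether each zone is already compliant, which is the check a SOC would want to run fleet-wide before and after a Group Policy rollout.

```powershell
# Added example (not the bulletin's own procedure): apply or audit the
# registry form of the ActiveX download restriction for CVE-2021-40444.
# Assumed policy location and value names (as used in Microsoft's workaround):
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<0-3>
#   1001 = Download signed ActiveX controls, 1004 = Download unsigned ActiveX controls
#   3    = Disable
# Run from an elevated PowerShell session. With -Audit nothing is changed.

param(
    [switch]$Audit   # report current state only
)

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneNames  = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet' }
$Settings   = @{ '1001' = 3; '1004' = 3 }   # 3 = Disable

function Get-ActiveXZoneState {
    # Emits one object per zone/value pair with the current policy value
    # ($null when the key or value does not exist) and a Compliant flag.
    foreach ($zone in 0..3) {
        $key = Join-Path $PolicyRoot $zone
        foreach ($name in $Settings.Keys) {
            $current = $null
            if (Test-Path $key) {
                $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            }
            [pscustomobject]@{
                Zone      = "$zone ($($ZoneNames[$zone]))"
                Value     = $name
                Current   = $current
                Compliant = ($current -eq $Settings[$name])
            }
        }
    }
}

function Set-ActiveXDisabled {
    # Creates any missing zone policy keys and writes both values as DWORD 3.
    foreach ($zone in 0..3) {
        $key = Join-Path $PolicyRoot $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $Settings.Keys) {
            New-ItemProperty -Path $key -Name $name -PropertyType DWord `
                -Value $Settings[$name] -Force | Out-Null
        }
    }
}

if (-not $Audit) { Set-ActiveXDisabled }

# Print the resulting state; any row with Compliant = False still needs attention.
Get-ActiveXZoneState | Format-Table -AutoSize
```

Because these are policy keys, they take precedence over per-user zone settings, which is why the bulletin recommends Group Policy over asking users to change Internet Options themselves. Treat the restriction as an interim control: it blocks the download of ActiveX controls rather than fixing MSHTML, so the audit output should be rechecked after the Microsoft update is deployed and the policy rolled back deliberately rather than left in place by accident.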
Microsoft has yet to reveal the complete details, but we do know that the attack vector is a crafted ActiveX control. When it is accessed (likely by opening a suspicious Word document or another Office file), the MSHTML process privilege is escalated to equal that of the active user. If the user is an administrator or possesses sufficient rights, this grants the MSHTML process enough privilege to request the download of malware to the endpoint.
The attacker’s objective in this instance is to initiate compromise and gain a foothold on the network.
Lastly, to those who are leveraging our 24/7 Healthcare Security Operations Center (SOC) / SIEM, your network is being monitored and we will provide regular updates. To those who are not, please feel free to reach out to firstname.lastname@example.org or email@example.com and we will add you to our distribution list.
We will also provide updates to organizations we are servicing through our Incident Response Retainer.
Do not panic, but stay safe and protected. We can always connect with you 1-on-1 to provide better guidance on how to gain better visibility into your controls, network, dark web exposure, privileged user access protection and active threat hunting. The ransomware landscape has evolved: the Healthcare sector is willing to pay ransoms, and malicious threat actors are now stronger than ever.
Please go ahead and share this with your peers.
For any other questions or concerns, please feel free to reach out to firstname.lastname@example.org.
The iSecurity Team