Microsoft has once again warned users of an uptick in the frequency of MSHTML attacks. Since releasing a new patch in September last year, the software company has become aware of a flaw in its MSHTML that hackers can exploit. But what is the vulnerability, how are hackers using it, and how can you avoid becoming a victim?
What is MSHTML?
MSHTML, also known as Trident, was developed by Microsoft as a proprietary browser engine in the Windows version of Internet Explorer. It’s primarily used as a software component that allows software developers to add web browsing functionality to their applications. For example, developers could add a web browser control to a C++ program and then use MSHTML to access the page currently active in the web browser and retrieve data. Since launching with Internet Explorer in 1997, MSHTML has been used by numerous big-name software companies, including Google, AOL, and Skype. Unfortunately, this breadth of use and its facility for accessing browser data makes MSHTML a target for hackers.
The Trouble with CVE-2021-40444
CVE-2021-40444 is a flaw in Microsoft’s patch issued on September 8, 2021. This flaw allows hackers to use Office documents to drop malware on a system via a malicious embedded ActiveX control. There is no risk until the infected document is opened, at which point attackers can download content from an external source without triggering the “Protected Mode.” Windows usually uses Protected Mode to prevent access to content from potentially untrusted sources.
Who is Exploiting CVE-2021-40444?
In most of the attacks observed, hackers have used the Trident vulnerability to download a custom version of the Cobalt Strike Beacon loader, a tool used to scan networks for vulnerabilities.
According to Microsoft, a group that the company identifies as “DEV-0413” are the driving force behind many of these attacks, using the vulnerability to sell access to networks to ransomware-as-a-service (RaaS) operators. This group appears to be more sophisticated than earlier organizations, engaging in smaller, more targeted hacks. Their primary method of infecting networks is sending email “lures” that invite recipients to download an infected document.
The first type of lure involved developers’ emails regarding fake new software development opportunities. DEV-0413 then moved on to emails from fake lawyers suggesting the recipient was being taken to small claims court. These emails were pretty convincing and bore some resemblance to scams originating from an earlier group known to Microsoft as DEV-0365. This, and the fact that DEV-0413 appears to be targeting some companies previously targeted by DEV-0365, led Microsoft experts to believe that there is a significant connection between the two groups.
Northstarr Recommendations
The best way to avoid becoming a victim of hackers exploiting this weakness in MSHTML is to download Microsoft’s security patch, which fully mitigates the vulnerability. In the meantime, it always pays for any organization to train its employees in basic cyber security fully. For example, it’s a golden rule not to download an attachment that’s not from a trusted sender. Of course, even if an email does come from someone you trust, they may have had their email hacked. Therefore, if the email doesn’t read like something they would write or the attachment isn’t something they would typically send, get in touch with them by other channels to confirm it’s genuine before opening it. The internet remains a wild and dangerous place—stay safe out there.