Elastic Security Intelligence & Analytics has identified additional behaviors related to or inspired by the disclosure of CVE-2021-40444, a remote code execution (RCE) vulnerability in MSHTML. This post provides an overview of detection capabilities related to this vulnerability. At this time we offer no information about the groups or individuals responsible.
On September 7, 2021, Elastic Security identified evidence that MSHTML vulnerabilities published by Microsoft as CVE-2021-40444 and targeting MSHTML were being exploited as observed in telemetry. As we have continued to monitor telemetry for evidence of exploitation attempts and successes, we wanted to share information and resources with the community around this cluster of emerging threat activity.
MSHTML is supported by multiple components of the Microsoft ecosystem, including browsers and other Internet-capable applications. For this reason, readers should be aware that affected attack surfaces may be significant.
In several customer environments, a weaponized document containing exploit code was delivered to users. Upon opening the document, a remote OLE object in the form of a CAB archive file was retrieved from an Internet-accessible location. In at least one environment, this execution chain resulted in the deployment of a COBALTSTRIKE payload, a well-known commercial offensive security tool used both legitimately and maliciously.
On September 9, 2021, Elastic released guidance describing Elastic Endpoint rules that target this exploitation activity described in the public repository:
A version of the Suspicious MS Office Child Process rule for Elastic Endgame users may be useful for detecting evidence of successful exploitation.
Table 1 described atomic indicators of compromise (IOCs) observed in this intrusion-set. IOCs observed by Elastic have been included for the community, and don't represent all IOCs associated with these or other intrusions.
|A letter before court 4.docx||OOXML Microsoft Office Document||938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52|
|championship.inf||COBALTSTRIKE Win32 DLL||6eedf45cb91f6762de4e35e36bcb03e5ad60ce9ac5a08caeb7eda035cd74762b|