The most heated conversation during the week has been about the advisory released by Microsoft on 7th September 2021 on the zero-day vulnerability CVE-2021-40444, which affects the MSHTML component of Internet Explorer on Windows 10 and many Windows Server versions as well.
To exploit it, an adversary crafts a malicious ActiveX control for use by a Microsoft Office document that hosts the browser engine as its rendering engine. On the other side, the user has to open the malicious file and grant access by clicking ‘Enable Editing’. Once that happens, Internet Explorer is used to load the adversary's HTML and its obfuscated JavaScript, which creates the malicious ActiveX control.
On successful exploitation, Trend Micro has identified the installation of a Cobalt Strike Beacon, which gives the threat actor remote access to the device. The end user’s machine is then compromised and available to the attacker to steal information, run malware or move laterally to gain access to other machines and compromise the network.
Microsoft has now released a patch for this vulnerability on 14th September; in the meantime, DNIF provides hunting content to detect any compromises through this vulnerability. DNIF is a HyperScale SIEM that can ingest, enrich, store and correlate cybersecurity data while bringing the benefits of a SIEM, UEBA and SOAR into one single integrated product stack.
Hunting for compromises using DNIF
When the malicious document is executed, exploitation of this zero-day vulnerability creates a child process: the Office application spawns control.exe. Hunting for Office processes that spawn control.exe therefore surfaces the compromise.
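The hunt described above, as an added example rather than DNIF's own hunting content: a small Python script that parses process-creation events and flags an Office application spawning control.exe. It assumes a pipe-delimited key=value log format modelled on Sysmon Event ID 1 fields (EventID, Computer, Image, ParentImage, CommandLine); the log lines, host names and paths are constructed.

```python
"""Hunt for an Office application spawning control.exe, the post-exploitation
behaviour described above for CVE-2021-40444.

Added example, not DNIF's hunting content. It assumes process-creation events
in a pipe-delimited key=value format modelled on Sysmon Event ID 1 fields
(EventID, Computer, Image, ParentImage, CommandLine); the log lines below are
constructed.
"""
import ntpath

# Office applications that render documents and have no business launching the
# Control Panel host. Extend the set to suit the environment.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILD = "control.exe"


def parse_event(line):
    """Split '<timestamp>|EventID=1|Image=...|ParentImage=...' into a dict."""
    timestamp, *fields = line.strip().split("|")
    event = {"Timestamp": timestamp}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def image_name(path):
    """Lower-cased file name of a Windows image path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def is_office_spawning_control(event):
    """True when a process-creation event shows an Office parent creating control.exe."""
    if event.get("EventID") != "1":  # only process-creation events count
        return False
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    return parent in OFFICE_PARENTS and child == SUSPICIOUS_CHILD


def hunt(lines):
    """Return one finding per suspicious event, with the fields needed for triage."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if is_office_spawning_control(event):
            findings.append({
                "host": event.get("Computer", "unknown"),
                "time": event["Timestamp"],
                "parent": event.get("ParentImage"),
                "command": event.get("CommandLine", ""),
            })
    return findings


# Constructed sample log: Word launched from Explorer (benign), Word spawning
# control.exe (should be flagged), control.exe launched from Explorer (benign),
# and a network event (EventID 3) for the same chain, which is not a process
# creation and must be ignored.
SAMPLE_LOG = [
    r"2021-09-09T10:14:58Z|EventID=1|Computer=WS-042|Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|ParentImage=C:\Windows\explorer.exe|CommandLine=WINWORD.EXE /n invoice.docx",
    r"2021-09-09T10:15:02Z|EventID=1|Computer=WS-042|Image=C:\Windows\System32\control.exe|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|CommandLine=control.exe",
    r"2021-09-09T10:20:11Z|EventID=1|Computer=WS-017|Image=C:\Windows\System32\control.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=control.exe",
    r"2021-09-09T10:21:40Z|EventID=3|Computer=WS-042|Image=C:\Windows\System32\control.exe|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(f"[{finding['time']}] {finding['host']}: "
              f"{finding['parent']} -> control.exe ({finding['command']})")
```

Each finding names the host, time, parent image and command line, which is exactly what the response steps below need: the host to isolate, the document that was opened, and the time window to search for follow-on network connections.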
Response steps to be taken if compromised
- Isolate the machine from the network to cut off the attacker's access.
- Identify the file that compromised the machine and determine its source (email or website).
- If it came from an email, identify all recipients of the email and recall it. Block the sender. Investigate all identified machines for executions of the file and consider them compromised.
- If it came from a website, identify all users who accessed the URL, block the URL in your network and consider those users compromised.
- Investigate network connections from the compromised hosts or users.
- Delete the identified malicious file and its dependencies.
- Investigate common drop points and registry entries on the compromised machine to eradicate any remaining malicious artifacts.
- Reset passwords for compromised accounts.