<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p>It's just months since <a href="/blog/mitigating-the-ms-exchange-0-day-attacks" rel="noopener" target="_blank">Microsoft exposed four zero-day vulnerabilities</a> used to attack Exchange servers, and another round of Microsoft exploit havoc has already begun. This time they target OS we all know, and (at least most of us) love - Windows 10, as well as some Windows Server versions. The remote code execution (RCE) vulnerability, known as <span>CVE 2021-40444, is a bug in Internet Explorer's browser rendering engine "MSHTML". Although IE use has been declining for years, what makes this vulnerability so dangerous is that MS Office documents also use this rendering engine for browser-based content. In an </span><a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444" rel="noopener" target="_blank">advisory</a> released by Microsoft, they explain that they are "<span>aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents”. While the company has revealed little about the nature of the zero-day, they have stated that CVE 2021-40444 is exploited via malicious ActiveX controls embedded in Office documents.</span></p> <!--more--> <p>Today, TrendMicro released an <a href="https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html" rel="noopener" target="_blank">analysis</a> of multiple document samples exploiting this vulnerability to download Cobalt Strike payloads, using the following domains:</p> <p>&nbsp;</p> <table width="246" style="border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; border: 1px solid #99acc2; height: 298px; width: 312px;"> <tbody> <tr style="height: 21px;"> <td style="height: 21px; width: 120px;"><strong>Domain</strong></td> <td style="height: 21px; width: 192px;"><strong>Function</strong></td> </tr> <tr style="height: 21px;"> <td style="height: 21px; width: 120px;">joxinu[.]com</td> <td style="height: 21px; width: 192px;">C&amp;C Server</td> </tr> <tr style="height: 39px;"> <td style="height: 39px; width: 120px;">dodefoh[.]com</td> <td style="height: 39px; width: 192px;">C&amp;C Server</td> </tr> <tr style="height: 21px;"> <td style="height: 21px; width: 120px;">pawevi[.]com</td> <td style="height: 21px; width: 192px;">C&amp;C Server</td> </tr> <tr style="height: 39px;"> <td style="height: 39px; width: 120px;">hidusi[.]com</td> <td style="height: 39px; width: 192px;">Malware Accomplice</td> </tr> <tr style="height: 39px;"> <td style="height: 39px; width: 120px;">sagoge[.]com</td> <td style="height: 39px; width: 192px;">Malware Accomplice</td> </tr> <tr style="height: 39px;"> <td style="height: 39px; width: 120px;">comecal[.]com</td> <td style="height: 39px; width: 192px;">Malware Accomplice</td> </tr> <tr style="height: 39px;"> <td style="height: 39px; width: 120px;">rexagi[.]com</td> <td style="height: 39px; width: 192px;">Malware Accomplice</td> </tr> <tr style="height: 39px;"> <td style="height: 39px; width: 120px;">macuwuf[.]com</td> <td style="height: 39px; width: 192px;">Malware Accomplice</td> </tr> </tbody> </table> <p>&nbsp;</p> <p style="text-align: left;">While these domains only hit the security spotlight today, they were already identified by Farsight last month. <a href="/blog/premium-feed-threatstop-nod-powered-by-farsight" rel="noopener" target="_blank">ThreatSTOP integrates Farsight's Newly Observed Domains</a> into our blocklists as one of over 800 threat intelligence sources. This allows users to block newly registered domains recognized by Farsight's <span>Passive DNS network of sensors around the world, such as the domains leveraging CVE 2021-40444. The domain pawevi[.]com has an especially long track record with us, showing up in botnet-related threat targets.</span></p> <p style="text-align: left;"><img src="https://www.threatstop.com/hubfs/farsight_nod_msexploit.png" alt="farsight_nod_msexploit" width="2000" height="681" loading="lazy" style="width: 2000px;"><span style="font-size: 12px;"><em>Image: ThreatSTOP's <a href="https://check-ioc.threatstop.com/" rel="noopener" target="_blank">CheckIOC</a></em></span></p> <p><span>To be protected, there are two critical actions you should take:</span></p> <ul> <li><span>Take Microsoft's advice on handling the situation. While a patch for the vulnerability has yet to be released, Microsoft has recommended a number of </span><span><a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444" rel="noopener" target="_blank">mitigations and workarounds.</a></span><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40444" target="_blank" rel="noopener"></a><br><span></span></li> <li>Better still, block these attacks BEFORE they happen. In addition to temporary band-aids created post-attack for each vulnerability, organizations should be using high quality threat intelligence to block malicious infrastructure from the first time it's abused - not the tenth. At ThreatSTOP, <a href="/blog/block-threats-before-famous" rel="noopener">we block attacks before they become famous</a>.</li> </ul> <p style="text-align: center; font-weight: bold;">&nbsp;</p> <p style="text-align: center; font-weight: bold;"><em>Ready to try ThreatSTOP in your network? Want an expert-led demo to see how it works?</em></p> <p></p></span>