IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Hackers used MSHTML exploit a week before patches were ready

New report finds cyber criminals automating exploit creation to help less capable hackers

Hackers are moving faster than organizations can keep up with the misuse of zero-day exploits, according to a new report.

In HP Wolf Security’s latest “Quarterly Threat Insights Report,” researchers said advanced cyber criminals were exploiting the new CVE-2021-40444 remote code execution zero-day a week before the patch was issued on September 14. 

CVE-2021-40444 is a remote code execution vulnerability that enables the exploitation of the MSHTML browser engine using Microsoft Office documents.

Security researchers said that three days after the initial threat bulletin, the HP threat research team saw scripts designed to automate the creation of this exploit being shared on GitHub.

“Unless patched, the exploit enables attackers to compromise endpoints with very little user interaction. It uses a malicious archive file, which deploys malware via an Office document,” said researchers.

They added that users don’t have to open the file or enable macros. Just viewing it in File Explorer’s preview pane is enough to initiate the attack, which a user often will not know has happened. Once a device is compromised, attackers can install backdoors to systems to sell to ransomware groups.

The report also uncovered other findings. The researchers found that 12% of email malware isolated had bypassed at least one gateway scanner. They also found that 89% of malware detected was delivered via email, while web downloads were responsible for 11%, and other vectors, like removable storage devices, were responsible for less than 1%.

The most common attachments used to deliver malware were archive files at 38%, up from 17.26% last quarter. Following that were Word documents (23%), spreadsheets (17%), and executable files (16%).

The report also found that the top five most common phishing lures were related to business transactions, such as “order,” “payment,” “new,” “quotation,” and “request.”

Alex Holland, the senior malware analyst with the HP Wolf Security threat research team, said the average time for a business to apply, test, and fully deploy patches with the proper checks is 97 days. This allows cyber criminals to exploit this “window of vulnerability.” 

"While only highly capable hackers could exploit this vulnerability at first, automated scripts have lowered the bar for entry, making this type of attack accessible to less knowledgeable and resourced threat actors. This increases the risk to businesses substantially, as zero-day exploits are commoditized and made available to the mass market in venues like underground forums," he added.

“Such novel exploits tend to be effective at evading detection tools because signatures may be imperfect and become obsolete quickly as the understanding of the scope of an exploit changes. We expect threat actors to adopt CVE-2021-40444 as part of their arsenals, and potentially even replace common exploits used to gain initial access to systems today, such as those exploiting Equation Editor.”

Featured Resources

The 3D skills report

Add 3D skills to your creative toolkits and play a sizeable role in the digital future

Free Download

The increasing need for environmental intelligence solutions

How sustainability has become a major business priority and is continuing to grow in importance

Free Download

2022 State of the multi-cloud report

What are the biggest multi-cloud motivations for decision-makers, and what are the leading challenges

Free Download

Solve global challenges with machine learning

Tackling our word's hardest problems with ML

Free Download

Recommended

Threat hunting for MSPs
Whitepaper

Threat hunting for MSPs

10 Jan 2023
IBM LinuxONE for dummies
Whitepaper

IBM LinuxONE for dummies

4 Jan 2023
Six myths of SIEM
Whitepaper

Six myths of SIEM

3 Jan 2023
Storage's role in addressing the challenges of ensuring cyber resilience
Whitepaper

Storage's role in addressing the challenges of ensuring cyber resilience

3 Jan 2023

Most Popular

Dutch hacker steals data from virtually entire population of Austria
data breaches

Dutch hacker steals data from virtually entire population of Austria

26 Jan 2023
European partners expect growth this year, here are three ways they will achieve it
Sponsored

European partners expect growth this year, here are three ways they will achieve it

17 Jan 2023
GTA V vulnerability exposes PC users to partial remote code execution attacks
vulnerability

GTA V vulnerability exposes PC users to partial remote code execution attacks

23 Jan 2023