September 13, 2021

More Updates and Detection Ideas for CVE-2021-40444


Hey, Matt Warner here, CTO of Blumira. We [posted last week](https://www.reddit.com/r/cybersecurity/comments/pkgmrf/microsoft_mshtml_cve202140444_zeroday_what_we/) on the CVE 2021-40444 Zero Day. I’ve been working our lab enviro over the weekend, so I’ve got some more updates on the vuln:

* It’s dead simple and I wouldn’t be surprised if MS comes back with a “working as intended” but we’ll see. Nothing done here is particularly magical and if this is really the first time this is being exploited, it was more of an oversight of techniques by attackers then it was a new magical vulnerability.
* Any document that can support an externally linked OLE Object that can reference ActiveX can potentially be weaponized. That makes it quite easy to weaponize modern Office files due to how easy it is to modify the XML one unzipped. I could see Autodesk CAD or similar tools that leverage OLE being used here as well potentially, that’s a much more refined/focused campaign then docx though. Most/many would have Word, only specific targets would be using CAD.
* It’s however much harder to do it in a way that AV/EDR tools won’t be able to detect the file once it’s pulled down, Defender (default) seems to detect the final stage whereas Defender ATP (fancy) detects the initial loader.
* The initial loader patterns that were being detected in the document references (`word/_rels/document.xml.rels -> !x-usc:`) does not appear to be required so there may be some avoidance if signatures aren’t updated.  However the actual behaviors once exploitation starts involved likely won’t be changing much until we get to fileless.
* The detection for EDR/AV is *strong* already, this requires (right now) a file to be downloaded (.cab file) extracted and then the .dll (.inf named files) within the cab are run against the control.exe in the ActiveXObject. This means that the attacker not only has to get past signature detection for the initial docx (or similar Office file), but also through the downloaded external html file and the downloaded .cab file.
* To detect, I recommend [enabling Sysmon](https://www.blumira.com/enable-sysmon/). Here’s a snippet I pulled from a host that was exploited with Sysmon, even just detecting with a basic LIKE something such as “%control.exe%.inf” should get pretty quick detection on the current implementation: `<Data Name=”ParentCommandLine”>”C:WindowsSystem32control.exe” “.cpl:../../msword.inf”,</Data>`
* As we develop more detections, we’ll publish them [in our blog post](https://www.blumira.com/cve-2021-40444/).

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: By filling this form and submitting your commen, you acknowledge, agree and comply with our terms of service. In addition you acknowledge that you are willingly sharing your email address with AiOWikis and you might receive notification emails from AiOWikis for comment notifications. AiOWiksi guarantees that your email address WILL NOT be used for advertisement or email marketting purposes.

This site uses Akismet to reduce spam. Learn how your comment data is processed.