Our colleagues at RiskIQ conducted their own analysis and coordinated with Microsoft in publishing this research. This blog details our in-depth analysis of the attacks that used the CVE-2021-40444, provides detection details and investigation guidance for Microsoft 365 Defender customers, and lists mitigation steps for hardening networks against this and similar attacks. ![]() #Cobalt strike beacon getting caught PatchCustomers are advised to apply the security patch for CVE-2021-40444 to fully mitigate this vulnerability. This illustrates the importance of investing in attack surface reduction, credential hygiene, and lateral movement mitigations. While these attacks used a vulnerability to access entry point devices and run highly-privileged code, the secondary actions taken by the attackers still rely on stealing credentials and moving laterally to cause organization-wide impact. Customers who enabled attack surface reduction rules to block Office from creating child processes are not impacted by the exploitation technique used in these attacks. The observed attack vector relies on a malicious ActiveX control that could be loaded by the browser rendering engine using a malicious Office document. These loaders communicated with an infrastructure that Microsoft associates with multiple cybercriminal campaigns, including human-operated ransomware. These attacks used the vulnerability, tracked as CVE-2021-40444, as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders. #Cobalt strike beacon getting caught codeIn August, Microsoft Threat Intelligence Center (MSTIC) identified a small number of attacks (less than 10) that attempted to exploit a remote code execution vulnerability in MSHTML using specially crafted Microsoft Office documents. SSO solution: Secure app access with single sign-on.Identity & access management Identity & access management.App & email security App & email security.
0 Comments
Leave a Reply. |
AuthorGreg ArchivesCategories |