HP Wolf Security captured exploits of the zero-day CVE-2021-40444, a remote code execution vulnerability in the MSHTML browser engine that can be triggered simply by opening a malicious Microsoft Office document, as early as September 8, nearly a week before Microsoft issued a patch on September 14.
The latest HP Wolf Security Threat Insights Report shows how cybercriminals continue to innovate in their tactics, techniques, and procedures, and how sophisticated threats like zero-day exploits are rapidly filtering down to less-capable attackers. Looking at the recent CVE-2021-40444 vulnerability, exploit generators emerged on public code-sharing websites days after the vulnerability bulletin was released.
This exploit is ripe for abuse because an attacker can gain control of a system merely by tricking a victim into previewing a malicious Office document in File Explorer, without the victim ever opening the file. Because so little user interaction is required, victims are less likely to realize their system has been compromised than with other techniques, giving attackers a head start in achieving their objectives, whether that is stealing data or holding a business to ransom.
This particular exploit isn't limited to the most advanced cybercriminals, either. Proof-of-concept scripts that let almost anyone weaponize the vulnerability appeared four days before a patch was available for organizations to install. As many organizations will still be rolling out the patch, HP expects this vulnerability to be exploited more widely over the coming months.
To protect against zero-day exploits spread via malicious attachments, or against stealthy threats that slip past detection tools, organizations should follow zero trust principles, for example by using threat isolation as one layer of a layered defense. Isolation addresses the most common attack vectors: clicking on malicious links, opening attachments and downloads, or visiting malicious web pages. Risky tasks are executed in disposable, isolated virtual machines that are separated from the host operating system. If a user opens a malicious document in such a VM, the malware is trapped there: its operator has no path onto the host and nothing to steal, and the VM is discarded afterwards. Isolation contains the damage from an exploit that has not yet been patched or detected, but it complements rather than replaces timely patching and the other controls in the stack.
Read the full report by HP.