The Week in Breach: Windows zero-day MSHTML attack – how not to get booby trapped!

Windows zero-day MSHTML attack – how not to get booby trapped!

“This can be mitigated really easily with user training,” Kelly Yeh, president of Chantilly, Va.-based Microsoft partner Phalanx Technology Group, tells CRN. “We call it layer eight problems — the layer between the chair and the desk is the biggest problem that IT guys always have.”

Details are scarce so far, but Microsoft is warning Office users about a bug that’s dubbed CVE-2021-40444, and described as Microsoft MSHTML Remote Code Execution Vulnerability.

The bug doesn’t have a patch yet, so it’s what’s known as a zero-day, shorthand for “the Good Guys were zero days ahead of the Bad Guys with a patch for this vulnerability.”

In other words: the crooks got there first.

As far as we can tell, the treachery works like this:

  1. You open a booby-trapped Office file from the internet, either via an email attachment or by downloading a document from a criminal-controlled web link.
  2. The document includes an ActiveX control (embedded add-on code) that ought not to have unrestricted access to your computer.
  3. The ActiveX code activates the Windows MSHTML component, used for viewing web pages, exploits a bug in it to give itself the same level of control that you yourself would have right from the Windows desktop, and uses it to implant malware of the attacker’s choice.

MSHTML isn’t a full-on browser itself, but it forms the core “web engine” of Internet Explorer, and can be used on its own to create browsers or browser-like applications that need or want to display HTML files.

HTML isn’t just for browsing

What this means is that HTML rendering bugs don’t just affect your browser and your browsing activity.

There are often many different ways for cybercriminals to poke a virtual stick into vulnerabilities in your operating system’s web rendering code, and thereby to probe for exploits, without needing your browser to be open at all.

That’s what CVE-2021-40444 seems to do, with the attack being delivered via Office files loaded into Word, Excel and so on, rather than by web pages viewed directly in your browser.

Although Microsoft no longer recommends the use of Internet Explorer, saying instead that “customers are encouraged to move to Microsoft Edge”, the features and the flaws of the MSHTML web rendering engine at the heart of Internet Explorer remain part of the operating system itself.

What to do?

  • Avoid opening documents you weren’t expecting.

    Don’t be tempted to look at content just because an email or a document happens to align with your interests, your line of work, or your current research. That doesn’t prove that the sender actually knows you, or that they can be trusted in any way – that information is probably publicly available via your work website or your own social media posts.

  • Don’t be tempted to break out of Office Protected View.

    By default, Office documents received via the internet (whether by email or web) open in a way that prevents active content such as Visual Basic macros and ActiveX controls from running. If you see a yellow bar at the top of the page, warning you that potentially dangerous parts of the document were not activated, resist clicking the [Enable Content] button, especially if the text of the document itself “advises” you to!
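One way to check that the Protected View and ActiveX settings the two bullets above rely on are still in their safe state, as an added PowerShell example that is not from the Naked Security article or from Microsoft; it assumes Office 2016/2019/365 (registry version key 16.0) and the standard per-user Trust Center registry locations, and only changes anything when run with -Fix:

```powershell
# Added example: audits the Office Trust Center settings that keep an internet-sourced
# document inert (Protected View) and block embedded ActiveX controls. Assumes Office
# version key 16.0 and the Word/Excel/PowerPoint hives; adjust $OfficeVer/$Apps otherwise.
param([switch]$Fix)

$OfficeVer = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

# A value of 1 in any of these switches Protected View OFF for that source (the weak setting).
# Absent or 0 is the safe default. "Attachements" is the real (misspelled) value name.
$PvFlags = 'DisableInternetFilesInPV', 'DisableAttachementsInPV', 'DisableUnsafeLocationsInPV'

$Findings = @()
foreach ($App in $Apps) {
    foreach ($Hive in "HKCU:\Software\Microsoft\Office\$OfficeVer\$App\Security\ProtectedView",
                      "HKCU:\Software\Policies\Microsoft\Office\$OfficeVer\$App\Security\ProtectedView") {
        if (-not (Test-Path $Hive)) { continue }   # no overrides here: defaults apply
        foreach ($Flag in $PvFlags) {
            $Val = (Get-ItemProperty -Path $Hive -Name $Flag -ErrorAction SilentlyContinue).$Flag
            if ($Val -eq 1) {
                $Findings += "${App}: ${Flag}=1 under ${Hive} (Protected View bypassed)"
                if ($Fix) { Set-ItemProperty -Path $Hive -Name $Flag -Value 0 -Type DWord }
            }
        }
    }
}

# DisableAllActiveX=1 is what the "Disable All ActiveX" Office policy writes; it blocks the
# embedded control that step 2 of the attack chain described above needs in order to run.
$AxKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVer\Common\Security"
$Ax = (Get-ItemProperty -Path $AxKey -Name DisableAllActiveX -ErrorAction SilentlyContinue).DisableAllActiveX
if ($Ax -ne 1) {
    $Findings += "ActiveX controls not disabled in Office (DisableAllActiveX missing or 0 under ${AxKey})"
    if ($Fix) {
        New-Item -Path $AxKey -Force | Out-Null
        Set-ItemProperty -Path $AxKey -Name DisableAllActiveX -Value 1 -Type DWord
    }
}

if ($Findings) {
    $Findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'Office Protected View and ActiveX settings look safe for this user.'
}
```

Run it as the logged-on user (the settings are per-user); a finding means a document opened from the internet would no longer be held read-only, or an embedded ActiveX control could run once someone clicks [Enable Content].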

What we are advising our partners to do is be very vigilant and remind their staff not to open attachments they were not expecting or are uncertain of. Make sure to lean on your IT provider to vet attachments you are unsure of. We happily let our partners know if an attachment they send us to review is safe or not. We would rather be safe than sorry!

– https://nakedsecurity.sophos.com/2021/09/08/windows-zero-day-mshtml-attack-how-not-to-get-booby-trapped/

Dark Web ID’s Top Threats This Week


 

Pacific City Bank

https://securityaffairs.co/wordpress/121872/cyber-crime/pacific-city-bank-avos-locker-ransomware.html

Exploit: Ransomware

Pacific City Bank: Financial Institution

Risk to Business: 1.623 = Severe

Pacific City Bank, a California-based bank that focuses on the Korean-American community, was rocked by ransomware. The bank was hit by the AVOS Locker ransomware gang last week. On Saturday, September 4, 2021, the ransomware gang added the bank to its leak site and published some screenshots as proof of the hack including a ZIP archive that contains a series of documents allegedly stolen from the bank. The incident is under investigation.

Individual Impact: No information was available at press time to say if employee, customer or consumer financial details or PII were compromised in this incident, but since it is a bank, that’s highly likely.

Customers Impacted: Unknown

How It Could Affect Your Business: Ransomware gangs have been hungry for financial industry data and they’ve been stepping up attacks against targets that have it, especially small-time players that tend to have weak security.

IntegraMSP to the Rescue: What happens when you pay a ransom? Nothing good. See how the cash shakes down and how gangs make their money in Ransomware Exposed! DOWNLOAD IT>>

DuPage Medical Group

https://www.chicagotribune.com/business/ct-biz-dupage-medical-group-breach-personal-information-20210830-frv74cy23nhftgufbwc3caknie-story.html

Exploit: Hacking

DuPage Medical Group: Healthcare Practice

Risk to Business: 1.636 = Severe

DuPage Medical Group is notifying 600,000 patients that their personal information may have been compromised during a July cyberattack. The largest independent physician group in Illinois experienced a computer and phone outage that lasted nearly a week in mid-July. Investigators determined that the incident was caused by unauthorized actors who accessed its network between July 12 and July 13.

Individual Risk: 1.866 = Severe

The investigators determined that files containing patient information including names, addresses, dates of birth, diagnosis codes, codes identifying medical procedures and treatment dates may have been exposed. For a small number of people, Social Security numbers may have been compromised.

Customers Impacted: 600,000 patients

How It Could Affect Your Business: Exposed medical data isn’t just a disaster upfront. Big penalties from state and federal regulators can cause damage that’s hard to recover from.

IntegraMSP to the Rescue: Developing safe security practices is essential in today’s volatile threat atmosphere. Our Security Awareness Champion’s Guide helps explain complex risks in a fun way! DOWNLOAD IT>>

Career Group, Inc.

https://www.securityweek.com/recruiting-firm-apparently-pays-ransom-after-being-targeted-hackers

Exploit: Ransomware

Career Group, Inc.: Staffing Company

Risk to Business: 1.673 = Severe

California-based staffing service Career Group, Inc. experienced a data breach between June 28 and July 7. In the company’s letter to regulators, it stated that it had received assurances from the cybercriminals involved that its data would be deleted, indicating a probable ransomware incident.

Individual Risk: 1.673 = Severe

The company noted in a letter to the Maine Attorney General’s Office that the stolen data included PII from applicants and placements, including Social Security numbers, but no further details were available at press time.

Customers Impacted: 49,476

How It Could Affect Your Business: Staffing services are a goldmine for cybercriminals because they offer the opportunity to quickly score a large amount of desirable financial data and PII.

IntegraMSP to the Rescue: Make the most of opportunities to expand your MSP into security for at-risk sectors by leveraging the four essential elements for MSP success: Great Tech Stack, Culture, People, Processes. LEARN MORE>>


Howard University

https://wjla.com/news/local/howard-university-investigates-alleged-ransomware-attack

Exploit: Ransomware

Howard University: Institution of Higher Learning

Risk to Business: 1.917 = Severe

Howard University announced that it is investigating a ransomware attack. The incident disrupted online classes for several days; in-person instruction was unaffected. The school’s Enterprise Technology Services (ETS) intentionally shut down the university’s network to investigate. So far, investigators have not found that any personal data on staff or students has been stolen.

Individual Impact: No information was available at press time about the types of data that were stolen, if any.

Customers Impacted: Unknown

How It Could Affect Your Business: Schools of every size have been prime targets for cybercriminals since the beginning of the pandemic, and that pressure is not relenting.

IntegraMSP to the Rescue: See how to transform employees into security assets to become the real secret weapon that successful organizations deploy to fight cybercrime! WATCH NOW>>


1 – 1.5 = Extreme Risk

1.51 – 2.49 = Severe Risk

2.5 – 3 = Moderate Risk

Risk scores for The Week in Breach are calculated using a formula that considers a wide range of factors related to the assessed breach.