MSHTML 0-day vulnerability exploited in Cobalt Strike attacks

Hackers used malicious Office documents to deploy Cobalt Strike Beacon on Windows devices.

Microsoft revealed a targeted phishing campaign exploiting an already patched zero-day vulnerability in the MSHTML platform. During the campaign, attackers used specially configured Office documents to deploy Cobalt Strike Beacon to compromised Windows devices.

As explained by the Microsoft Threat Intelligence Center, the attackers exploited CVE-2021-40444 to gain initial access to networks and deploy custom Cobalt Strike Beacon loaders. These loaders communicated with infrastructure that Microsoft associates with a variety of malicious campaigns, including ransomware.

Details of CVE-2021-40444 (CVSS score 8.8 out of 10) surfaced on September 7 after EXPMON researchers notified Microsoft of a “high-tech zero-day attack” on Microsoft Office users. The researchers explained that the attackers exploited a remote code execution vulnerability in MSHTML (Trident), the proprietary rendering engine of the Internet Explorer browser, which Office also uses to render web content inside Word, Excel and PowerPoint documents.

The attack vector relies on a malicious ActiveX control that the browser rendering engine loads from a malicious Office document. Microsoft released a patch for the vulnerability as part of its scheduled September Patch Tuesday.

According to the company, the threat clusters DEV-0413 and DEV-0365 are behind the attacks. The second, DEV-0365, is an emerging cybercriminal group that builds and manages the Cobalt Strike infrastructure used in the attacks. The earliest attempts by DEV-0413 to exploit the vulnerability date back to August 18.

The exploit’s delivery mechanism relies on phishing emails with fake contracts and agreements posted on file-sharing sites. When the malicious document is opened, it downloads a Cabinet archive containing a DLL that carries an .inf file extension; once the archive is unpacked, a function inside that DLL is executed. The DLL in turn fetches the shellcode (a custom Cobalt Strike Beacon downloader) from remote hosting and injects it into a Microsoft address-import tool.
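One detail of the chain above that a mail or endpoint scanner can check on its own is a PE image hiding behind an .inf name inside a CAB archive. The Python below is an added example, not code from the article or from Microsoft's analysis: it parses an uncompressed CAB (typeCompress = 0, no reserve areas, an assumption made to keep the parser short), extracts each entry and flags those whose bytes start with an MZ header but whose extension is not an executable one. The CAB it scans is a constructed sample built by the example's own build_cab helper.

```python
import struct
# Constructed fixture: a minimal uncompressed CAB (typeCompress = 0, one folder,
# one CFDATA block) so the check below runs offline. No real campaign sample is used.
def build_cab(files):
    data = b"".join(content for _, content in files)
    cfdata = struct.pack("<IHH", 0, len(data), len(data)) + data   # csum, cbData, cbUncomp
    cffiles, off = b"", 0
    for name, content in files:   # CFFILE: cbFile, uoffFolderStart, iFolder, date, time, attribs, name
        cffiles += struct.pack("<IIHHHH", len(content), off, 0, 0, 0, 0x20) + name.encode() + b"\0"
        off += len(content)
    coff_files = 36 + 8                                 # CFHEADER + one CFFOLDER
    coff_data = coff_files + len(cffiles)
    header = struct.pack("<4sIIIIIBBHHHHH", b"MSCF", 0, coff_data + len(cfdata), 0,
                         coff_files, 0, 3, 1, 1, len(files), 0, 0, 0)
    folder = struct.pack("<IHH", coff_data, 1, 0)       # coffCabStart, cCFData, typeCompress
    return header + folder + cffiles + cfdata

def cab_entries(blob):
    """Yield (name, content) for each file in an uncompressed CAB without reserve areas."""
    if blob[:4] != b"MSCF":
        raise ValueError("not a CAB file")
    hdr = struct.unpack_from("<4sIIIIIBBHHHHH", blob, 0)
    coff_files, n_folders, n_files = hdr[4], hdr[8], hdr[9]
    folders = [struct.unpack_from("<IHH", blob, 36 + 8 * i) for i in range(n_folders)]
    pos = coff_files
    for _ in range(n_files):
        cb_file, uoff, ifolder = struct.unpack_from("<IIH", blob, pos)
        end = blob.index(b"\0", pos + 16)                # name follows the 16-byte fixed part
        name, pos = blob[pos + 16:end].decode("latin-1"), end + 1
        start, n_blocks, comp = folders[ifolder]
        if comp != 0:
            raise ValueError("compressed folders not handled in this example")
        data = b""
        for _ in range(n_blocks):                        # concatenate CFDATA payloads
            cb_data = struct.unpack_from("<IHH", blob, start)[1]
            data += blob[start + 8:start + 8 + cb_data]
            start += 8 + cb_data
        yield name, data[uoff:uoff + cb_file]

def suspicious_entries(blob):
    """Names of entries that carry a PE image (MZ header) behind a non-executable extension."""
    hits = []
    for name, content in cab_entries(blob):
        if content[:2] == b"MZ" and not name.lower().endswith((".dll", ".exe", ".sys", ".ocx")):
            hits.append(name)
    return hits
# Constructed sample: a benign INF next to a PE image that was renamed to .inf
SAMPLE = build_cab([("setup.inf", b"[Version]\r\nSignature=\"$Windows NT$\"\r\n"),
                    ("update.inf", b"MZ\x90\x00" + b"\x00" * 60)])
print(suspicious_entries(SAMPLE))   # ['update.inf']
```

The extension allow-list is a heuristic: a PE image stored under any of the listed names still deserves the usual executable handling, and compressed CABs would need a real decompressor before the same byte check applies.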

Microsoft also notes that some of the infrastructure DEV-0413 used to host malicious artifacts has been involved in delivering the BazaLoader and Trickbot malware.

At least one organization that DEV-0413 successfully compromised in August had already been compromised two months earlier by malware that communicated with DEV-0365 infrastructure.


Hacker Hacked Fast Company’s Apple News Account and Spread Racist Messages


An unknown hacker gained access to the Apple News account of the business publication Fast Company and sent out a series of obscene and racist messages via push notifications. The victims were the publication's subscribers.


Fast Company confirmed the hack, and so did Apple. The incident is currently under investigation.

“Fast Company’s Apple News account was hacked Tuesday night. After that, two push notifications with obscene and racist content were sent with a minute interval. The messages are disgusting and do not match Fast Company content. We are investigating the incident and have also paused feed updates and closed FastCompany.com until we are confident the situation has been resolved,” the publication noted.

Shortly before the shutdown, the hacker posted an entire article on the Fast Company website describing in detail how he bypassed its protection. It turned out that accounts on the site, including the site administrator's account, shared the same password. Having gained access to them, the hacker was able to reach the authentication tokens and log in to Apple News.

Apart from the vandalism itself, no financial losses or manipulation were recorded.


Young hacker who leaked GTA 6 material denies his guilt


The 17-year-old hacker previously arrested in the UK on suspicion of hacking Rockstar Games and Uber has pleaded not guilty. According to police, he appeared in court over the weekend but refused to plead guilty to computer misuse. At the same time, he admitted to violating the conditions of his release on bail. He is now being held in a juvenile detention center.


According to investigators, the 17-year-old is part of the Lapsus$ hacker group and is behind the recent leak of videos and other details of the $2 billion GTA 6 game.

Earlier, a hacker using the nickname teapotuberhacker published an archive of video and source code from an early version of GTA 6, which quickly spread across the Internet. Take-Two tried to stop the spread of the leak, but was only partially successful.

The hacker also claimed that it was he who attacked Uber's computer systems, gaining access to internal correspondence, email addresses and other data.

At the moment, the investigation is ongoing, so it is not yet clear how this story will end.


Cloudflare introduces world’s first eSIM with better security than VPN


Cloudflare has introduced a new product aimed at smartphone and mobile Internet users: an eSIM called Zero Trust SIM. Its distinguishing feature is an increased level of security, reducing the risk of SIM swapping.


Technically, the device's DNS requests are routed through Cloudflare's gateway, which protects them from interception and spoofing. Cloudflare also promises to check every intermediate node through which the device reaches the Internet.

According to Cloudflare CTO John Graham-Cumming, Zero Trust SIM can outperform VPNs and other security products because it provides protection at the cellular level.

Zero Trust SIM will launch first in the US, where initially only the virtual (eSIM) version for iOS and Android will be available. Once activated, it binds to a specific device and protects that device. Physical SIM cards are also expected in the future.

The company is also launching Zero Trust for Mobile Operators, a partner program that lets telecom operators offer subscriptions to the services and tools of the Zero Trust platform. A similar program is expected for the Internet of Things.
