Another Reason to Patch – Potential Nexus Between Microsoft’s MSHTML Zero-Day Attacks and Ransomware Activity

Microsoft recently disclosed that its Windows MSHTML zero-day vulnerability may have possibly been exploited by ransomware gangs. The exploit, tracked as CVE-2021-40444, was revealed on September 7 when Microsoft acknowledged that it had observed the exploit used in limited targeted attacks. Microsoft released a patch for this vulnerability with its September 14th updates. In the first observed incidents, attackers utilized the vulnerability to deploy a custom Cobalt Strike Beacon loader. This same Cobalt delivery system has been connected to ransomware gangs such as Conti and Ryuk. Despite the potential criminal connections, researchers are still not sure if the threat actor behind the zero-day attacks is connected to a specific ransomware group. Experts at RiskIQ “assess with medium confidence that the goal of the operators behind the zero-day may, in fact, be traditional espionage. This goal could easily be obscured by a ransomware deployment and blend into the current wave of targeted ransomware attacks.” In other words, this activity could be actors attempts to hide in plain sight among similar tactics. Regardless of the potential connection to ransomware, the uptick in exploitation activity represents another example of how quick threat actors are to incorporate newly disclosed exploits into their arsenal – once again emphasizing the importance of timely patching. Read more at SecurityWeek.