2 min

HP Wolf Security caught exploits of the zero-day CVE-2021-40444 a remote code execution vulnerability in the MSHTML browser engine that can be triggered by opening a malicious Microsoft Office document.

The flaw was caught a week before a patch was released for it. The latest HP Wolf Security Threat Insight Report details how cybercriminals continue to upgrade tactics, techniques, and procedures. It also gets into how sophisticated threats (zero-days and such) are rapidly filtering down to less advanced hackers.

A recent look at the CVE-2021-40444 flaw shows exploits generators emerged on public code-sharing websites days after the vulnerability was revealed.

Almost anyone can attack with advanced tactics

The exploit can allow attackers to control a system by tricking the victim into previewing a malicious Office document in File Explorer.

The user interaction needed is at most two clicks, with no indication to the user that they have been compromised. That allows the attackers enough time to enter the systems deeper and wreak more havoc without being detected.

This particular exploit is not just something advanced cybercriminals have a monopoly on. Proof of concept scripts shows that any person can weaponize the exploit.

The risk posed by emerging trends

In July and September, one of the emerging trends was cybercriminals piggybacking off legitimate cloud services like OneDrive, where their malware is hosted. With this tactic, they can slip past network security controls that rely on website reputation to keep users safe (web proxies and such).

HP also recorded an uptick in JavaScript and HTA (HTML Application) malware delivered through email attachments.

The file formats have been effective at hiding, allowing the attackers to reach employees’ inboxes. 12% of email malware isolated by HP Wolf Security in Q3 got past at least one email gateway scanner. Protection requires tools, zero trust principles, and protocols for incident detection and response.