The MSHTML zero day in Windows that Microsoft patched this week has been in use by attackers since at least late August, and research from Microsoft and RiskIQ shows that some of the infrastructure used in the campaigns exploiting the bug has also been used by a highly active ransomware group.
The first indications of the new Windows vulnerability (CVE-2021-40444) surfaced on Aug. 21 when a Mandiant researcher posted some information about a malicious Office document. Microsoft researchers looked at the document and found some indicators that it was abusing a previously unknown vulnerability. A couple weeks later, on Sept. 7, Microsoft issued an advisory about the flaw and warned customers that attackers were already exploiting it. Within days, exploits for the flaw were circulating publicly and in private forums.
“As a routine in these instances, Microsoft was working to ensure that the detections described in the advisory would be in place and a patch would be available before public disclosure. During the same time, a third-party researcher reported a sample to Microsoft from the same campaign originally shared by Mandiant. This sample was publicly disclosed on September 8. We observed a rise in exploitation attempts within 24 hours,” Microsoft’s Threat Intelligence Center said in a new analysis of the exploitation activity against the vulnerability.
The MSTIC researchers found that some of the infrastructure used in the initial attacks shared some characteristics and overlapped with infrastructure used in separate attacks that delivered Trickbot and BazaLoader malware. Those attacks are associated with a group that Mandiant calls UNC1878, which is known to use several different ransomware strains, as well. Researchers at RiskIQ, which Microsoft acquired recently, also found indications that the same infrastructure was in use for the ransomware campaigns and exploitation of CVE-2021-40444.
“RiskIQ’s Team Atlas assesses with high confidence that the operators behind the deployment of the zero-day exploit and Cobalt Strike BEACON implants are using infrastructure that shares historical connections to a large, loosely-related criminal enterprise given the names WIZARD SPIDER (CrowdStrike), UNC1878 (FireEye), and RYUK (Public). These groups are known to use the Conti and Ryuk malware families in targeted, so-called Big-Game Hunting ransomware campaigns aimed at large enterprises,” the company said.
It’s quite unusual for a ransomware group to use a zero day in its operations, as most of those groups rely on other, much simpler methods for initial access to networks. Some groups will buy initial access from other attackers who have previously compromised an organization, while others will employ simple phishing attacks that lead to credential theft or direct deployment of the ransomware.
“The association of a zero-day exploit with a ransomware group, however remote, is troubling. It suggests either that turnkey tools like zero-day exploits have found their way into the already robust ransomware-as-a-service (RaaS) ecosystem or that the more operationally sophisticated groups engaged in traditional, government-backed espionage are using criminally controlled infrastructure to misdirect and impede attribution,” RiskIQ’s researchers said.
“Despite the historical connections, we cannot say with confidence that the threat actor behind the zero-day campaign is part of WIZARD SPIDER or its affiliates, or is even a criminal actor at all, though it is possible. If the threat actors were part of these groups, it means they almost surely purchased the zero-day exploit from a third party because they have not previously shown the ability to develop exploit chains of this complexity.”
There are now several different attack groups using exploits for the vulnerability in active attacks, so organizations should deploy the patch Microsoft released this week as quickly as possible.