MS Office ActiveX CVE-2021-40444 summary:
🎯No macros needed - normal detections & mitigations fail.
🎯No word from MS on patch ETA
🎯Can in some cases be executed in Explorer Preview mode. (RTF older O365 client?) - h/t -
1/x
🎯No macros needed - normal detections & mitigations fail.
🎯No word from MS on patch ETA
🎯Can in some cases be executed in Explorer Preview mode. (RTF older O365 client?) - h/t -
https://twitter.com/buffaloverflow/status/1435607956205326336
1/x
🎯Defender defs of 1.349.22.0+ (9/2) should catch it if AV is used. MS Identifies as O97M/Donoff.SA (may be ways to mitigate detection)
🎯These are normal docx files & not anything special.
🎯Supposedly Protected mode and/or App Guard will prevent it.
2/x
https://twitter.com/GossiTheDog/status/1435712249516146688
🎯These are normal docx files & not anything special.
🎯Supposedly Protected mode and/or App Guard will prevent it.
2/x
🎯Potentially up to 1 month of history of general exploitation. h/t-
🎯You can find history of execution in the HKCU hive and payload/c2. h/t-
3/x
https://twitter.com/GossiTheDog/status/1435590826902577152
🎯You can find history of execution in the HKCU hive and payload/c2. h/t-
https://twitter.com/SwiftOnSecurity/status/1435769942331301889
3/x
🎯Microsoft can detect it for Defender but has not openly shared this with other AV vendors at this time.
🎯Samples out there are dropping CobaltStrike Beacons going back at least 1 week. h/t -
4/x
https://twitter.com/GossiTheDog/status/1435722743522148354
🎯Samples out there are dropping CobaltStrike Beacons going back at least 1 week. h/t -
https://twitter.com/ShadowChasing1/status/1433252128106029061
4/x
🎯Does not require ActiveX so is not fixed by the mitigation in MS's CVE Bulletin - h/t -
🎯Multiple detections out there or in the works -
github.com/SigmaHQ/sigma/…
5/x
https://twitter.com/GossiTheDog/status/1435570418623070210
🎯Multiple detections out there or in the works -
https://twitter.com/decalage2/status/1435640605149908992
https://twitter.com/SBousseaden/status/1435723625433284614
github.com/SigmaHQ/sigma/…
5/x
Thank you to the community for sharing all the info above!!! This is far worse than I think most people realize and I am seriously considering blocking all docx at the edge until Microsoft can patch this. Be safe out there and I hope this summary helps you!
6/6
6/6
Some bonus content and links:
KQL detections -
Mitigation ideas -
Current known hashes/samples -
KQL detections -
https://twitter.com/rodtrent/status/1435575112431030278
Mitigation ideas -
https://twitter.com/CyberRaiju/status/1435828464884457473
https://twitter.com/arekfurt/status/1435805022521118721
Current known hashes/samples -
https://twitter.com/JAMESWT_MHT/status/1435611959928426512
Extraction technique -
oletools detection script -
Confirmation PPTs are affected -
https://twitter.com/Max_Mal_/status/1435887213930328066
oletools detection script -
https://twitter.com/decalage2/status/1435876726731649028
Confirmation PPTs are affected -
https://twitter.com/buffaloverflow/status/1435919671006539781
Another update from Microsoft on the original bulletin which now includes disabling the shell extension for previewing in Explorer: msrc.microsoft.com/update-guide/v…
It also includes the advice to use GPO settings to disable the installation of signed or unsigned ActiveX controls. This seems well and good combined with disabling the shell extension for previews in Explorer but I am not sure this covers all ways this can be exploited. Hmm
• • •
Missing some Tweet in this thread? You can try to
force a refresh
