
CVE-2021-40444 exploitation: Researchers find connections to previous attacks
2021-09-16 14:45

The recent targeted attacks exploiting CVE-2021-40444, the zero-day remote code execution vulnerability in Windows' MSHTML component, via booby-trapped Office documents have been delivering custom Cobalt Strike payloads, Microsoft and Microsoft-owned RiskIQ have reported.

The researchers also found connections between the attackers' exploit-delivery infrastructure and infrastructure previously used to deliver human-operated ransomware, the Trickbot trojan and the BazaLoader backdoor/downloader.

According to Microsoft, at least one organization compromised in this campaign had already been compromised months earlier by malware that communicated with infrastructure tied to the operators of the Ryuk and Conti ransomware.

"Despite the historical connections, we cannot say with confidence that the threat actor behind the zero-day campaign is part of WIZARD SPIDER or its affiliates, or is even a criminal actor at all, though it is possible. If the threat actors were part of these groups, it means they almost surely purchased the zero-day exploit from a third party because they have not previously shown the ability to develop exploit chains of this complexity," they added.

The limited scale of the attacks, the repeated targeting of the same organization, and the use of a zero-day point more towards traditional espionage than towards financially motivated ransomware operations, though the researchers cannot be certain of the attackers' goal.

RiskIQ has shared domains and IP addresses that have been used in the attacks, so defenders can block them.
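Blocking the published indicators is only half the job; defenders also want to know whether anyone in the estate already talked to them. The following is an added example, not code from the article, Microsoft or RiskIQ: a Python sweep that takes a list of indicator domains and IP ranges and matches them against proxy log lines. The indicator values and log lines are constructed for the example (RFC 2606 names and TEST-NET addresses), not the real campaign indicators, which the article does not reproduce. Domain matching walks the label hierarchy so that a subdomain of a listed domain matches but a look-alike name with the indicator as a mere substring does not, and IP literals (including bracketed IPv6) are compared against networks rather than strings.

```python
"""IOC sweep over proxy logs (added example; not from the article)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed indicators: stand-ins for a published domain/IP list.
IOC_DOMAINS = {"evil-cdn.example.net", "staging.example.org"}
IOC_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]

# Constructed proxy log lines: epoch, client, method, URL-or-host:port, status.
SAMPLE_LOG = """\
1631800001 10.0.0.5 GET http://www.example.com/ 200
1631800002 10.0.0.5 GET http://cdn.evil-cdn.example.net/word.html 200
1631800003 10.0.0.9 CONNECT 203.0.113.44:443 200
1631800004 10.0.0.9 GET http://notevil-cdn.example.net/x 200
1631800005 10.0.0.12 GET http://[2001:db8::1]/payload 404
1631800006 10.0.0.12 GET http://198.51.100.7:8080/a.cab 200
"""


def host_from_url(url):
    """Extract the host from a URL or a CONNECT-style host:port string.

    urlsplit().hostname strips the port, lowercases the name and removes
    IPv6 brackets, so the caller sees a bare hostname or IP literal.
    """
    if "://" not in url:
        url = "//" + url  # CONNECT targets carry no scheme
    return urlsplit(url).hostname


def matches_ioc(host, domains=IOC_DOMAINS, networks=IOC_NETWORKS):
    """Return the indicator that matches `host`, or None."""
    if host is None:
        return None
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        # IP literal: containment test against each listed network.
        for net in networks:
            if addr in net:
                return str(net)
        return None
    labels = host.rstrip(".").lower().split(".")
    # Walk from the full name towards the apex so that
    # cdn.evil-cdn.example.net matches evil-cdn.example.net while
    # notevil-cdn.example.net does not (a substring test would match both).
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def sweep(log_text):
    """Return (timestamp, client, url, indicator) for each matching line."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line; skip rather than crash
        ts, client, _method, url, _status = fields[:5]
        ioc = matches_ioc(host_from_url(url))
        if ioc is not None:
            hits.append((ts, client, url, ioc))
    return hits


if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG):
        print("HIT ts=%s client=%s url=%s ioc=%s" % hit)
```

On real data, feed `sweep()` the proxy or DNS resolver export and load `IOC_DOMAINS` and `IOC_NETWORKS` from the published list; hits give you the internal hosts to isolate and the time window to scope the investigation.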


News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/TEuud9m_u1A/