Hackers exploit Microsoft MSHTML bug to steal Google, Instagram creds
A newly discovered Iranian threat actor is stealing Google and Instagram credentials belonging to Farsi-speaking targets worldwide using a new PowerShell-based stealer dubbed PowerShortShell by security researchers at SafeBreach Labs.
They target Windows users with malicious Winword attachments that exploit a Microsoft MSHTML remote code execution bug tracked as CVE-2021-40444.
"Almost half of the victims are located in the United States. Based on the Microsoft Word document content - which blames Iran's leader for the 'Corona massacre' and the nature of the collected data, we assume that the victims might be Iranians who live abroad and might be seen as a threat to Iran's Islamic regime," said Tomer Bar, Director of Security Research at SafeBreach Labs.
The CVE-2021-40444 RCE bug, which affects Internet Explorer's MSHTML rendering engine, was exploited in the wild as a zero-day starting on August 18, more than two weeks before Microsoft issued a security advisory with a partial workaround and three weeks before a patch was released.
Microsoft also said multiple threat actors, including ransomware affiliates, targeted this Windows MSHTML RCE bug using maliciously crafted Office documents delivered via phishing attacks.
It's not surprising that more and more attackers are using CVE-2021-40444 exploits since threat actors started sharing tutorials and proof-of-concept exploits on hacking forums even before the bug was patched.
Related news
- VEILDrive Attack Exploits Microsoft Services to Evade Detection and Distribute Malware
- Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails
- High-Severity Flaw in PostgreSQL Allows Hackers to Exploit Environment Variables
- Chinese hackers exploit Fortinet VPN zero-day to steal credentials
- Chinese Hackers Exploit T-Mobile and Other U.S. Telecoms in Broader Espionage Campaign
- Hackers exploit critical bug in Array Networks SSL VPN products
- APT-C-60 Hackers Exploit StatCounter and Bitbucket in SpyGlace Malware Campaign
- Hackers exploit ProjectSend flaw to backdoor exposed servers
- Russia-Linked Turla Exploits Pakistani Hackers' Servers to Target Afghan and Indian Entities
- Hackers Target Uyghurs and Tibetans with MOONSHINE Exploit and DarkNimbus Backdoor
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK
---|---|---|---
2021-09-15 | CVE-2021-40444 | Path Traversal vulnerability in Microsoft products. Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. | 0.0