Exploit Tools and Targets: Microsoft Zero-Day CVE-2021-40444 will Almost Certainly Continue to be Exploited Moving Forward
Microsoft, along with analysts at Mandiant, discovered a new zero-day (CVE-2021-40444) being leveraged in targeted attacks (1). CVE-2021-40444 is a remote code execution (RCE) vulnerability in MSHTML that can be triggered from Microsoft Office documents (2). Campaigns exploiting this vulnerability started in August 2021 and sent exploit documents that downloaded Cobalt Strike Beacon. The threat actor relied on stealing credentials to move laterally. Infrastructure used in the attacks shows overlap with multiple threat actors associated with human-operated ransomware attacks. Analysts at RiskIQ have asserted with medium confidence ‘that the goal of the operators behind the zero-day may, in fact be traditional espionage’ (3).
CVE-2021-40444 will almost certainly continue to be exploited moving forward. Given the effectiveness of phishing emails, Microsoft Office exploit documents have been a mainstay in threat actor toolsets for years (4). Being an RCE that is already publicly weaponized (5) and deliverable through Microsoft Office documents gives the vulnerability the traits to become a popular exploit for initial access moving forward. See the Microsoft blog for mitigation details (1) and the attached EclecticIQ JSON package for community-sourced YARA rules.
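Because the campaigns above deliver the exploit in Office documents that then fetch a second stage, one generic, tool-independent detection is to alert when an Office host process spawns a child that is not on a small allow list. The following is an added example written for this page, not code from EclecticIQ, Microsoft or the YARA package; the log lines are constructed Sysmon-style `key=value` process-creation records, and the parent and child name lists are assumptions to be tuned per environment.

```python
"""Flag Office applications spawning unexpected child processes.

Added example, not from the original report. Input is a list of constructed
Sysmon-style process-creation (EventID=1) records in key=value form.
"""
import re

# Office hosts that rarely launch other executables (assumption: extend as needed).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Children considered normal for Office (assumption: tune per environment).
ALLOWED_CHILDREN = {"splwow64.exe", "msosync.exe"}

# Constructed sample records, not real telemetry.
SAMPLE_LOGS = [
    "EventID=1 Image=C:\\Windows\\System32\\splwow64.exe "
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE User=CORP\\alice",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe "
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE User=CORP\\alice",
    "EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "ParentImage=C:\\Windows\\explorer.exe User=CORP\\bob",
    "EventID=1 Image=C:\\Windows\\System32\\rundll32.exe "
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE User=CORP\\carol",
]

# key=value pairs; values may contain spaces, so a value runs until the next ' key='.
KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_line(line):
    """Turn one 'k=v k=v ...' record into a dict."""
    return {k: v for k, v in KV.findall(line)}


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def find_suspicious(lines):
    """Return one finding per Office parent -> non-allow-listed child."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("EventID") != "1":
            continue  # only process-creation events matter here
        parent = basename(rec.get("ParentImage", ""))
        child = basename(rec.get("Image", ""))
        if parent in OFFICE_PARENTS and child not in ALLOWED_CHILDREN:
            hits.append({"parent": parent, "child": child, "user": rec.get("User", "")})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOGS):
        print(f"ALERT {hit['user']}: {hit['parent']} spawned {hit['child']}")
```

The rule deliberately keys on the parent rather than on any specific child name, so it also catches chains that use a binary not anticipated when the rule was written; the cost is a short allow list that each environment has to maintain.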
Policy and Governance: AUKUS Shows a Continued Emphasis on Cyber Cooperation
The US, UK and Australia on September 15th, 2021 announced AUKUS, a joint security pact aimed at increasing security in the Asia-Pacific (6). The pact will provide Australia with nuclear propulsion technology and focus on developing Australia’s military capabilities. The U.S. and UK will also look to share their expertise in cyber, AI and quantum computing (7), allowing Australia to scale up its defensive and offensive capabilities.
Sharing cyber threat information and standards between private, public and international bodies has been, and continues to be, emphasized by western countries. As recently as last month, the Biden administration introduced an initiative to bolster U.S. cybersecurity capabilities by bringing together the government, enterprise and education sectors (8). The AUKUS pact shows a growing emphasis on cyber cooperation between key western allies, integrating U.S. and UK cyber capabilities with Australia's to counter the emerging threats Australia and its partners face in the Asia-Pacific region (9).
Threat Actor Update: TeamTNT Returns Targeting a Wide Range of Systems
TeamTNT, a cloud-focused threat group (9), is active again with a new campaign, Chimaera (10). The campaign targets multiple operating systems and applications with the goal of stealing cloud credentials, installing crypto mining software and enabling lateral movement. It has been active since July 25th, 2021 and so far has infected thousands of systems globally. TeamTNT use an array of custom and open-source tools to achieve their goals on the system. Some of the open-source tools TeamTNT use are listed in the appendix (masscan, libprocesshider, 7-Zip, b374k and LaZagne).
TeamTNT’s extensive use of open-source tools highlights how effective open-source capabilities are for a threat actor to achieve their goals. They reduce the barrier to entry, reduce the cost of operations, and legitimate tools, such as 7z, blend into the victim’s environment more effectively.
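Of the open-source tools the appendix links, libprocesshider is the one that directly undermines a responder's view of the host: per that project's own README it is registered through `/etc/ld.so.preload` and hooks the `readdir()` family so that directory listings of `/proc` omit the hidden process, while a direct `stat()` of `/proc/<pid>` still succeeds. The following is an added example written for this page, not code from EclecticIQ, TeamTNT's tooling or the libprocesshider project; it shows the two host checks that follow from that behaviour. The preload body and PID sets are constructed, and the `proc_root` and `max_pid` parameters are assumptions so the logic can be exercised offline.

```python
"""Two defender checks for LD_PRELOAD-based process hiding on Linux.

Added example, not from the original report. Assumptions: the hider is
registered in /etc/ld.so.preload and hides by filtering readdir() output,
so a per-PID stat() probe of /proc still sees what a listing omits.
"""
import os


def preload_entries(preload_text):
    """Return every active entry in an /etc/ld.so.preload body.
    A clean host normally has this file empty or absent, so any entry
    deserves a look."""
    entries = []
    for line in preload_text.splitlines():
        entry = line.strip()
        if entry and not entry.startswith("#"):
            entries.append(entry)
    return entries


def visible_pids(proc_root="/proc"):
    """PIDs as a directory listing reports them (the view a readdir hook filters)."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def probed_pids(proc_root="/proc", max_pid=4194304):
    """PIDs found by probing /proc/<pid> one by one with stat(), which a
    readdir-only hook does not intercept. max_pid defaults to the common
    kernel.pid_max ceiling (assumption: read /proc/sys/kernel/pid_max to be exact)."""
    found = set()
    for pid in range(1, max_pid + 1):
        if os.path.isdir(os.path.join(proc_root, str(pid))):
            found.add(pid)
    return found


def hidden_pids(visible, probed):
    """PIDs present when probed but missing from the listing: the signature
    of a userland process hider."""
    return sorted(set(probed) - set(visible))


def audit(preload_text, visible, probed):
    """Combine both checks into one report dict."""
    return {
        "preload_entries": preload_entries(preload_text),
        "hidden_pids": hidden_pids(visible, probed),
    }


# Constructed sample data, not captured from a real host.
SAMPLE_PRELOAD = "# comment line\n\n/usr/local/lib/libprocesshider.so\n"
SAMPLE_VISIBLE = {1, 412, 2048}
SAMPLE_PROBED = {1, 412, 1337, 2048}


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print(audit(SAMPLE_PRELOAD, SAMPLE_VISIBLE, SAMPLE_PROBED))
    # On a real host (Linux only), compare the kernel's two views directly:
    if os.path.isdir("/proc/1"):
        text = open("/etc/ld.so.preload").read() if os.path.exists("/etc/ld.so.preload") else ""
        print(audit(text, visible_pids(), probed_pids(max_pid=65536)))
```

The probe is deliberately slow and simple: it trusts nothing the hooked libc returns from a listing and instead asks the kernel about each PID individually, which is the same idea tools like unhide use. Run it from a statically linked or freshly booted environment if the preload entry itself is in doubt, since a hider loaded into every dynamically linked process would also be loaded into the interpreter running this script.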
About EclecticIQ Threat Research
EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.
We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com.
Appendix
- https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
- https://www.riskiq.com/blog/external-threat-management/wizard-spider-windows-0day-exploit/
- https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf
- https://www.bbc.com/news/world-58564837
- https://foreignpolicy.com/2021/09/18/aukus-australia-united-states-submarines-china-really-means/
- https://www.whitehouse.gov/briefing-room/statements-releases/2021/08/25/fact-sheet-biden-administration-and-private-sector-leaders-announce-ambitious-initiatives-to-bolster-the-nations-cybersecurity/
- https://www.reuters.com/article/us-australia-cyber/australia-sees-china-as-main-suspect-in-state-based-cyberattacks-sources-say-idUKKBN23P3T5?edition-redirect=uk
- https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf
- https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera
- https://github.com/robertdavidgraham/masscan
- https://github.com/gianlucaborello/libprocesshider
- https://www.7-zip.org/
- https://github.com/b374k/b374k
- https://github.com/AlessandroZ/LaZagne