Attacks targeting a remote code execution vulnerability in Microsoft's MSHTML browser engine — which was patched last September — soared during the second quarter of this year, according to a Kaspersky analysis.
Researchers from Kaspersky counted at least 4,886 attacks targeting the flaw (CVE-2021-40444) last quarter, an eightfold increase over the first quarter of 2022. The security vendor attributed the continued adversary interest in the vulnerability to the ease with which it can be exploited.
Kaspersky said it has observed threat actors exploiting the flaw in attacks on organizations across multiple sectors including the energy and industrial sectors, research and development, IT companies, and financial and medical technology firms. In many of these attacks, the adversaries have used social engineering tricks to try and get victims to open specially crafted Office documents that would then download and execute a malicious script. The flaw was under active attack at the time Microsoft first disclosed it in September 2021.
The attacks targeting the MSHTML flaw were part of a broader set of exploit activity last quarter that overwhelmingly targeted Microsoft vulnerabilities. According to Kaspersky, exploits for Windows vulnerabilities accounted for 82% of all exploits across all platforms during the second quarter of 2022. While attacks on the MSHTML vulnerability increased the most dramatically, it was by no means the most exploited flaw.
Old Is Gold for Threat Actors
Kaspersky's telemetry showed far more attacks on a handful of other vulnerabilities from 2018 and 2017. One of them was CVE-2018-0802, a remote code execution (RCE) vulnerability in Microsoft Office that was attacked some 345,827 times last quarter. Another similar memory corruption flaw from 2017 (CVE-2017-11882) was targeted in 140,623 attacks while a Microsoft Office/WordPad remote code execution flaw also from 2017 (CVE-2017-0199) was involved in 60,132 attacks.
The so-called Follina vulnerability in Microsoft Support Diagnostic Tool (MSDT) (CVE-2022-30190) was among the most targeted of recent vulnerabilities. The RCE flaw was one of at least five zero-day flaws that Microsoft has disclosed this year.
In total, Kaspersky found vulnerabilities in older versions of Microsoft Office being used in attacks against more than half a million users in second quarter. The attacks are another reminder of how unpatched vulnerabilities in older technologies remain a popular and highly attractive target for threat actors, the security vendor noted. "Old versions of applications remain the main targets for attackers, with almost 547,000 users in total being affected through corresponding vulnerabilities in the last quarter," Kaspersky said.
Kaspersky's report is another reminder of why security experts advocate quick patching of Microsoft vulnerabilities. Recent data has shown attackers have gotten much faster at exploiting flaws than before. A study that Rapid7 conducted last year showed that the mean time to known exploitation for vulnerabilities in 2021 was just 12 days — a 71% decrease from 42 days in 2020. The company explained the numbers as being driven by a sharp rise in zero-day exploit activity. "A drastic reduction in time to exploitation year over year means that not only are well-worn emergency patching procedures necessary, incident response protocols are likely to require repeated use as well," Rapid7 noted at the time.