Gone Phishing: CVE-2021-40444

Gone Phishing: CVE-2021-40444

The Cybersecurity & Infrastructure Security Agency (CISA), the federal bureau responsible for monitoring the computer systems connected to important national infrastructure as well as informing the general public on cyber security threats, recently released an announcement relating to a hacking scheme targeting Windows computers. This scheme exploits a vulnerability in the Windows' HTML code called CVE-2021-4044. An attacker exploiting this vulnerability could remotely invade a computer by convincing someone to download a Microsoft Word or Rich Text file that would trigger the execution of a line of code inserted into the CVE-2021-4044 vulnerability, enabling them to take full control of the system. Cybersecurity consultant Rich Warren demonstrates a dummy version of this on his Twitter page. In the video, which shows both the normal Windows interface and a window displaying the HTML code, a compromised file is downloaded and opened. Even without interacting with the content of the document, the code begins working and opens up the Microsoft calculator app without input from the user. Of course, opening up the Windows calculator is benign in the grand scheme of things, but a true attacker could conceivably instruct the computer to do anything from downloading sensitive information on the hard drive to using the computer to commit crimes.

Fortunately, a recent Windows security update has patched this vulnerability. According to Microsoft, anyone who employs automatic Windows updates doesn't need to take additional action to protect themselves, though they do advise everyone to make sure any third-party security software (i.e. Norton Antivirus, McAfee, etc.) is kept up to date as well.

Gone Phishing

Exploits like the one described above are often used in phishing schemes, a form of cyber fraud wherein a criminal either steals or convinces someone to voluntarily give up their personal information. This could include everything from Social Security numbers to banking information to account passwords. Often, a hacker will masquerade as someone a user is familiar with to create a sense of trust and urgency, which facilitates the acquisition of private information. They may claim to be a family member, coworker, or popular technology brand. For example, they may doctor their emails with a Microsoft logo to give the appearance of legitimacy before sending an email claiming there has been a security breach in someone's OneDrive account that only be remedied by giving their sign in credentials to the Microsoft "representative" who sent the email... right now before it's too late! Though phishing schemes are usually associated with emailing, they can be accomplished over the phone too. As such, it's advisable to be suspicious about any phone call from a person claiming to be a representative for a system you use, such as Windows, that also begins prying for personal information. Most legitimate companies will not reach out to their customers to retrieve their credentials or other private info.

What distinguishes the CVE-2021-40444 attacks from other schemes is their automation. The code sets to work derailing someone's computer as soon as the compromised file is opened. This means that a hacker would never have to explicitly ask someone for their information; they would just need to convince someone to download and open a document, one that uses a commonplace file format no less. A hacker pretending to be coworker could send a simple email where they ask for some feedback on a workplace letter or a flyer, for example. An untrained worker whose mind may not be preoccupied with cybersecurity would be none the wiser.

Preventing Phishing

There are numerous tools and tactics firms can use to protect themselves against online fraudsters. The simplest strategy, as we mentioned above, is to have reliable security software and keep it updated. For a firm with a large staff, this is likely going to entail some centralization--a dedicated IT team remotely pushing out the necessary updates to every terminal in a firm's network, rather than leaving that responsibility to individual users. It also helps to have clear, written policies relating to password security and sharing. For instance, employees should be aware that their coworkers and supervisors should never solicit information about credentials over email, and there should be easily understandable procedures in place for reporting instances where someone from within the firm appears to be probing for secured information. Lastly, having a reliable managed IT team can help you create a security infrastructure that will prevent these sorts of attacks. To learn more about how Titan Tech can help keep your firm and your workers safe, visit their website.

If you would like more information on reliable tactics for preventing and reporting phishing schemes, visit the Federal Trade Commission's public page on the subject.

And join us next week for more tech news.