Microsoft states that their Defender for Endpoint products protect against CVE-2021-40444 (MSHTML). Do we have the same protection in Intercept X products?
Robert - Labs is working on this actively - you can follow twitter updates here: https://twitter.com/SophosLabs/status/1435368778200666112?s=20
I would also like to know if there is a query we could run for this?
I am going to work on my own but figured someone more savvy may beat me to it.
Something where folderpath is mshtml.dll and the initiating process is maybe winword.exe.
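The hunting idea in the post above (mshtml.dll loaded where winword.exe is the process or the initiating process) carried through as an added example, not code from the thread or from Sophos. It runs over constructed image-load events; the field names `process_name`, `initiating_process` and `module_path`, the Office process list, and the sample records are assumptions rather than a real EDR schema, so map them to whatever columns your query tool exposes. Browsers and other processes load mshtml.dll legitimately, so the filter keys on the Office context and treats hits as leads to review, not as a block rule.

```python
"""Hunt for mshtml.dll image loads in an Office-process context.

Added example for the thread above; not from Sophos or the original post.
Field names and sample events are constructed assumptions.
"""
from __future__ import annotations

import ntpath
from typing import Iterable

# Office hosts that routinely open untrusted documents (constructed list).
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
TARGET_MODULE = "mshtml.dll"

# Constructed sample events in the shape an image-load journal might export.
SAMPLE_EVENTS = [
    # Word itself loading mshtml.dll: should be flagged.
    {"pid": 4120, "process_name": "winword.exe", "initiating_process": "explorer.exe",
     "module_path": r"C:\Windows\System32\mshtml.dll"},
    # Word loading an unrelated module: should not be flagged.
    {"pid": 4120, "process_name": "winword.exe", "initiating_process": "explorer.exe",
     "module_path": r"C:\Windows\System32\oleaut32.dll"},
    # A browser loading mshtml.dll is normal: should not be flagged.
    {"pid": 5300, "process_name": "iexplore.exe", "initiating_process": "explorer.exe",
     "module_path": r"C:\Windows\System32\mshtml.dll"},
    # A child launched by Word loading mshtml.dll (mixed-case path): flagged.
    {"pid": 6011, "process_name": "example_child.exe", "initiating_process": "winword.exe",
     "module_path": r"C:\Windows\System32\MSHTML.DLL"},
]


def matches(event: dict) -> bool:
    """Return True when mshtml.dll is loaded by, or under, an Office process.

    Two cases are covered: the Office process loads the module directly, or a
    process the Office process initiated loads it. Names are compared
    case-insensitively because Windows paths and image names are.
    """
    module = ntpath.basename(event.get("module_path", "")).lower()
    if module != TARGET_MODULE:
        return False
    loader = event.get("process_name", "").lower()
    initiator = event.get("initiating_process", "").lower()
    return loader in OFFICE_PROCESSES or initiator in OFFICE_PROCESSES


def hunt(events: Iterable[dict]) -> list[dict]:
    """Filter an event stream down to the records worth a closer look."""
    return [event for event in events if matches(event)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"pid={hit['pid']} {hit['initiating_process']} -> "
              f"{hit['process_name']} loaded {hit['module_path']}")
```

Against the constructed events the two Office-context loads are returned and the browser load and the unrelated module are dropped; on real telemetry you would pivot from each hit to the document that was open and the process tree beneath it.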
Here is also some guidance from Paul Ducklin: https://nakedsecurity.sophos.com/2021/09/08/windows-zero-day-mshtml-attack-how-not-to-get-booby-trapped/
For InterceptX, SophosLabs has seen this being used in the wild and has already published protection for components including Troj/DocDl-AEEP, and for payloads including Troj/Agent-BHRO and Troj/Agent-BHPO.
We have published additional generic detections for this attack as well, including Exp/2140444-A for the initial DOCX attacks, Troj/JSExp-W for the remote HTML that the documents access, and Troj/Cabinf-A for the CAB.
@Alex - Checking on a query for you and will post it here for everyone.
Thank you for the information Brian!
Here is a pastebin of IoCs you could add to blocked items in Sophos Central as an extra precaution: https://pastebin.com/jpu4QF9i
Nice! Thanks Alex.
Here is the link to 2 queries: https://community.sophos.com/intercept-x-endpoint/i/threat-hunting/query-if-cve-2021-40444-mshtml-mitigations-are-applied