Hackers Exploiting Microsoft Office 0-day Vulnerability to Deploy Malware

Brownie2019
The Russia-linked threat group UAC-0001, also known as APT28, has been actively exploiting a critical zero-day vulnerability in Microsoft Office.
The group is using this flaw to deploy sophisticated malware against Ukrainian government entities and European Union organizations.
The vulnerability, identified as CVE-2026-21509, was disclosed by Microsoft on January 26, 2026, with warnings about active exploitation in the wild.
Within 24 hours of Microsoft’s public disclosure, threat actors had already weaponized the vulnerability.
Rapid Exploitation After Disclosure
Read more here:
The CVE in that excerpt (CVE-2026-21509) appears to be real, and it is flagged as being exploited in the wild — but the APT28 / “UAC-0001” attribution in the quoted text should be treated as unconfirmed unless you can corroborate it with a primary source (e.g., Microsoft, CERT-UA, or another national CERT).

What can be verified from more reliable sources
  • CVE-2026-21509 is a Microsoft Office “security feature bypass” issue described as “reliance on untrusted inputs in a security decision,” allowing an attacker to bypass a security feature locally (typically meaning after the victim opens a crafted file). NVD - CVE-2026-21509
  • It is listed as “This CVE is in CISA’s Known Exploited Vulnerabilities Catalog” with Date Added 01/26/2026 and a remediation due date of 02/16/2026 (per the NVD’s KEV section). NVD - CVE-2026-21509
  • Multiple security advisories summarize it as an out-of-band Office update from Microsoft dated January 26, 2026, with active exploitation noted (but without public attacker attribution from Microsoft). Microsoft Office vulnerability (CVE-2026-21509) in active exploitation

Why the “APT28 did it” part is shaky
Microsoft often confirms “active exploitation” without naming the actor or victims. Unless Microsoft (or a national CERT / reputable incident-response report) directly ties exploitation of CVE-2026-21509 to APT28, third-party articles can be mixing:
  • a real exploited vulnerability, with
  • a plausible actor based on historical targeting patterns, but not proven attribution
So, it’s safer to phrase it as: “CVE-2026-21509 is being exploited; some reporting attributes activity to APT28, but Microsoft has not publicly confirmed attribution.”

Practical defensive steps (low-risk, high-value)
  • Patch Office immediately across the estate (priority). Treat this as urgent because it is exploited-in-the-wild and KEV-listed. NVD - CVE-2026-21509
  • Reduce exposure to malicious attachments while patching:
    • Block or heavily filter Office attachments from external senders where feasible
    • Use Protected View / Mark-of-the-Web enforcement and avoid opening unexpected documents
  • Add/verify monitoring for common “document exploitation → payload” chains (these are generic but useful signals):
    • Office spawning cmd.exe / powershell.exe / wscript.exe / cscript.exe / mshta.exe / rundll32.exe
    • Suspicious child processes or script execution immediately after opening a document

Bottom line
Treat CVE-2026-21509 as a real, actively exploited Office issue that should be patched immediately; treat the APT28/UAC-0001 attribution in that specific article as unverified unless supported by Microsoft or a national CERT report.

Sources
Does blocking internet connection to Office components solve the problem?

Technical Analysis & Remediation

MITRE ATT&CK Mapping

Initial Access

(T1566.001) Phishing: Spearphishing Attachment.

Execution
(T1204) Client Execution

(T1059) Command and Scripting Interpreter

Persistence
(T1053.005) Scheduled Task/Job - Task Name: "OneDriveHealth"

(T1546.015) Event Triggered Execution: Component Object Model Hijacking.

Command and Control
(T1102) Web Service: File/Data Transfer - Abuse of filen.io.

CVE Profile

ID

CVE-2026-21509

Status
Active Exploitation (Confirmed by CERT-UA).

Vector
Local exploitation via weaponized DOC files triggering remote code execution via WebDAV.

Live Evidence Extraction (IOCs)

"Anchor" Strings

Filename
"Consultation_Topics_Ukraine(Final).doc" *

Payloads
"EhStoreShell.dll"
"SplashScreen.png" (Shellcode container)

Persistence Task
"OneDriveHealth"

Network C2
"filen.io" (Legitimate service abuse)

Remediation - THE ENTERPRISE TRACK (SANS PICERL)

Phase 1: Identification & Containment

Blast Radius

Query SIEM for process execution involving EhStoreShell.dll or network connections to filen.io originating from Office binaries (WINWORD.EXE).

Network Isolation
Immediately block outbound WebDAV traffic and connections to filen.io at the perimeter firewall until the investigation is complete.

Tactical Hardening
Deploy Microsoft’s recommended registry-based mitigations for CVE-2026-21509 immediately, as patches may be delayed.

Phase 2: Eradication

Forensic Artifact Removal

Delete the scheduled task named "OneDriveHealth".

Scan for and remove the malicious artifacts: EhStoreShell.dll and SplashScreen.png.

Registry Cleaning
Audit and revert any unauthorized modifications to COM object registrations in the Windows Registry.

Phase 3: Recovery

Validation

Verify system integrity by monitoring for re-creation of the malicious scheduled task or unusual rundll32.exe activity.

Restoration
Re-image compromised endpoints if lateral movement (COVENANT framework usage) is suspected.

Phase 4: Lessons Learned

Detection Engineering

Implement SIGMA rules to detect Office applications spawning shells or creating scheduled tasks.

Governance
Review policy regarding the opening of unsolicited documents, specifically those utilizing "External" or "WebDAV" templates.

Remediation - THE HOME USER TRACK

Priority 1: Safety (Disconnection & Scanning)

Disconnect

Immediately disconnect the device from the internet (Wi-Fi/Ethernet) to sever the link to the attacker's C2 server.

Scan
Run a full offline scan using Microsoft Defender or a reputable AV solution. Specifically look for files named Consultation_Topics_Ukraine(Final).doc.

Priority 2: Persistence Removal

Task Check

Open "Task Scheduler" and look for a task named "OneDriveHealth". If found, right-click and Delete it immediately.

File Check
Search your drive for EhStoreShell.dll. If found outside of a trusted Windows directory (verify hash), delete it.

Priority 3: Identity

Credential Reset

Since the COVENANT framework implies post-exploitation control, assume credentials on the device are compromised. Reset passwords for email, banking, and social media from a clean device.

Hardening & References

Baseline

CIS Benchmark for Microsoft Office (Enable "Block all Office applications from creating child processes").

Framework
NIST SP 800-61r2 (Incident Handling Guide - Section 3.2.3: Interaction with Third Parties regarding C2 takedowns).

Reference
CERT-UA Alert regarding UAC-0001/APT28 activity.

Sources

Cyber Security News

External References & Technical Citations

CERT-UA
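The monitoring signals from the earlier reply (Office spawning cmd.exe / powershell.exe / wscript.exe / cscript.exe / mshta.exe / rundll32.exe) and the SIEM blast-radius query and SIGMA-style detections in the remediation post can be expressed as one small triage script. This is an added example, not code from the thread, CERT-UA or Microsoft; it assumes Sysmon process-creation (EventID 1) and network-connection (EventID 3) events exported as JSON lines with Sysmon's ParentImage, Image, CommandLine and DestinationHostname fields, and the sample telemetry is constructed for illustration.

```python
import json
import ntpath

# Indicator values are those quoted in the post; the rule logic is this example's own.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe"}
IOC_DLL, IOC_TASK, IOC_DOMAIN = "ehstoreshell.dll", "onedrivehealth", "filen.io"

def _base(path):
    """Lower-cased file name of a Windows path (tolerates None)."""
    return ntpath.basename(path or "").lower()

def classify(ev):
    """Return alert tags for one Sysmon-style event; [] means no finding."""
    tags = []
    parent, image = _base(ev.get("ParentImage")), _base(ev.get("Image"))
    cmd = (ev.get("CommandLine") or "").lower()
    if ev.get("EventID") == 1:  # process creation
        if parent in OFFICE and image in INTERPRETERS:
            tags.append("office_spawns_interpreter")
        if image == "schtasks.exe" and "/create" in cmd:
            if IOC_TASK in cmd:
                tags.append("ioc_task_onedrivehealth")
            elif parent in OFFICE:
                tags.append("office_creates_scheduled_task")
        if IOC_DLL in cmd:
            tags.append("ioc_ehstoreshell_dll")
    elif ev.get("EventID") == 3:  # network connection
        host = (ev.get("DestinationHostname") or "").lower()
        if image in OFFICE and (host == IOC_DOMAIN or host.endswith("." + IOC_DOMAIN)):
            tags.append("office_to_filen_io")
    return tags

def triage(jsonl):
    """Run classify() over JSON-lines telemetry; return {line_no: tags} for hits only."""
    return {n: t for n, line in enumerate(jsonl.strip().splitlines(), 1)
            if line.strip() and (t := classify(json.loads(line)))}

# Constructed sample telemetry (not real logs): a benign launch, then the chain.
SAMPLE = r"""
{"EventID":1,"ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"WINWORD.EXE /n"}
{"EventID":1,"ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c schtasks.exe"}
{"EventID":1,"ParentImage":"C:\\Windows\\System32\\cmd.exe","Image":"C:\\Windows\\System32\\schtasks.exe","CommandLine":"schtasks.exe /Create /TN OneDriveHealth /TR rundll32.exe"}
{"EventID":1,"ParentImage":"C:\\Windows\\System32\\cmd.exe","Image":"C:\\Windows\\System32\\rundll32.exe","CommandLine":"rundll32.exe C:\\Users\\Public\\EhStoreShell.dll"}
{"EventID":3,"Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","DestinationHostname":"filen.io","DestinationPort":443}
"""
```

The benign Explorer-launched WINWORD record produces no tag, while each later record maps to one of the chain's stages; filen.io is matched on the exact domain and its subdomains, so legitimate use of the service from non-Office processes is not flagged.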