Heimdal
article featured image

Contents:

Microsoft warns that hackers are exploiting an unpatched zero-day present in several Windows and Office products. The bug enables malicious actors to gain remote code execution via malicious Office documents.

Researchers claim the vulnerability was observed in attacks targeting organizations that attended the NATO Summit in Vilnius.

Reportedly, threat actors impersonated the Ukrainian World Congress organization to trick the victims into accessing malicious documents. The next step was to install malware like the MagicSpell loader and the RomCom backdoor.

The phishing campaign attempting to spread the malicious files is conducted by a threat actor tracked as Storm-0978, also known as RomCom. Storm-0978 or RomCom is a Russian-based threat group and is known for ransomware and extortion attacks, and cyberespionage.

This time, its goal was to compromise defense and government entities in Europe and North America.

More about the Attack

Microsoft reports that in June 2023 Storm-0978 launched a phishing campaign „containing a fake OneDrive loader to deliver a backdoor with similarities to RomCom.”

The phishing emails were sent to various defense and government entities in Europe and North America. They used lures related to the Ukrainian World Congress.

Source

Source

Around the same time, Microsoft discovered another Storm-0978 conducted attack targeting different institutions. In that case, they detected ransomware activity that used the same initial payloads.

The Microsoft Zero-Day Vulnerability Details and Impact

CVE-2023-36884 is an Office and Windows HTML Remote Code Execution Vulnerability. Threat actors can exploit it for high-complexity attacks, and it does not require authentication or user interaction.

If the attack succeeds, hackers will be able to access sensitive information, disable system protection, and restrict access to the compromised system.

An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.

Source

CVE-2023-36884 Mitigation Measures

For the moment, there is no available patch for the CVE-2023-36884 bug. However, according to Microsoft, all customers who use Microsoft Defender for Office are safe from malicious attachments that might try to exploit this vulnerability.

In addition, Microsoft recommends two other mitigation measures against the zero-day vulnerability:

  • for the organizations that cannot benefit from the previous measures, setting the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation is a solution. In this case, Microsoft warns:

Please note that while these registry settings would mitigate exploitation of this issue, it could affect regular functionality for certain use cases related to these applications.

Thus, the company recommends adding the following application names to the registry key as values of type REG_DWORD with data 1.:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION

  • Excel.exe
  • Graph.exe
  • MSAccess.exe
  • MSPub.exe
  • PowerPoint.exe
  • Visio.exe
  • WinProj.exe
  • WinWord.exe
  • Wordpad.exe

Source

If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.

Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE