
Microsoft warns that hackers are exploiting an unpatched zero-day present in several Windows and Office products. The bug enables malicious actors to gain remote code execution via malicious Office documents.

Researchers claim the vulnerability was observed in attacks targeting organizations that attended the NATO Summit in Vilnius.

Reportedly, threat actors impersonated the Ukrainian World Congress organization to trick the victims into accessing malicious documents. The next step was to install malware like the MagicSpell loader and the RomCom backdoor.

The phishing campaign spreading the malicious files is run by a threat actor tracked as Storm-0978, also known as RomCom. Storm-0978 is a Russia-based threat group known for ransomware and extortion attacks as well as cyberespionage.

This time, its goal was to compromise defense and government entities in Europe and North America.

More about the Attack

Microsoft reports that in June 2023 Storm-0978 launched a phishing campaign "containing a fake OneDrive loader to deliver a backdoor with similarities to RomCom."

The phishing emails were sent to various defense and government entities in Europe and North America. They used lures related to the Ukrainian World Congress.


Around the same time, Microsoft discovered another Storm-0978 attack targeting different institutions. In that case, it detected ransomware activity that used the same initial payloads.

The Microsoft Zero-Day Vulnerability Details and Impact

CVE-2023-36884 is an Office and Windows HTML Remote Code Execution Vulnerability. Threat actors can exploit it for high-complexity attacks, and it does not require authentication or user interaction.

If the attack succeeds, hackers will be able to access sensitive information, disable system protection, and restrict access to the compromised system.

An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.


CVE-2023-36884 Mitigation Measures

For the moment, there is no available patch for the CVE-2023-36884 bug. However, according to Microsoft, all customers who use Microsoft Defender for Office are safe from malicious attachments that might try to exploit this vulnerability.

In addition, Microsoft recommends two other mitigation measures against the zero-day vulnerability:

  • for organizations that cannot benefit from the previous measure, setting the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key blocks the exploitation path. In this case, Microsoft warns:

Please note that while these registry settings would mitigate exploitation of this issue, it could affect regular functionality for certain use cases related to these applications.

Thus, the company recommends adding the following application names under the registry key below as values of type REG_DWORD with data 1:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION

  • Excel.exe
  • Graph.exe
  • MSAccess.exe
  • MSPub.exe
  • PowerPoint.exe
  • Visio.exe
  • WinProj.exe
  • WinWord.exe
  • Wordpad.exe
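The following PowerShell script is an added example, not code from the Heimdal article or from Microsoft. It applies the registry mitigation the article describes: it creates the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION key if it is missing, writes a REG_DWORD value of 1 for each listed application, and then reads the key back so an administrator can confirm the setting on a host. The function names and the HKLM: drive path form are my own choices; the key path and the application list are the ones given above.

```powershell
# Added example (not from the article or Microsoft): apply and verify the
# FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION mitigation for CVE-2023-36884.
# Must run in an elevated session, since the key lives under HKEY_LOCAL_MACHINE.

# Registry key from the article, expressed as a PowerShell HKLM: path.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'

# Application names the article says should be added as REG_DWORD = 1.
$Applications = @(
    'Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
    'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe'
)

function Set-CrossProtocolFileNavigationBlock {
    # Creates the key if needed and sets each application value to DWORD 1.
    # Supports -WhatIf so the change can be previewed before it is written.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Path = $KeyPath,
        [string[]]$Apps = $Applications
    )
    if (-not (Test-Path -Path $Path)) {
        if ($PSCmdlet.ShouldProcess($Path, 'Create registry key')) {
            New-Item -Path $Path -Force | Out-Null
        }
    }
    foreach ($app in $Apps) {
        if ($PSCmdlet.ShouldProcess("$Path\$app", 'Set REG_DWORD = 1')) {
            # -Force overwrites an existing value of the same name.
            New-ItemProperty -Path $Path -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

function Test-CrossProtocolFileNavigationBlock {
    # Reads every expected value back and reports which applications are covered.
    param(
        [string]$Path = $KeyPath,
        [string[]]$Apps = $Applications
    )
    foreach ($app in $Apps) {
        $value = $null
        if (Test-Path -Path $Path) {
            $value = (Get-ItemProperty -Path $Path -Name $app -ErrorAction SilentlyContinue).$app
        }
        [pscustomobject]@{
            Application = $app
            Value       = $value
            Mitigated   = ($value -eq 1)
        }
    }
}

# Preview, apply, then verify.
Set-CrossProtocolFileNavigationBlock -WhatIf
Set-CrossProtocolFileNavigationBlock
Test-CrossProtocolFileNavigationBlock | Format-Table -AutoSize
```

Running the verification function on its own across a fleet (for example through a remote session or an endpoint management tool) gives a quick inventory of which hosts have the mitigation in place and which applications were missed. Keep the note quoted above in mind: the setting changes how those applications handle cross-protocol file navigation, so test the affected workflows before rolling it out broadly, and plan to revert it once Microsoft ships a patch.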



Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.

Comments

Can Heimdal XDR detect this attack?
