On July 11, 2023, Microsoft released its latest Patch Tuesday, addressing 132 vulnerabilities, six of them actively exploited and thirty-seven categorized as Remote Code Execution (RCE) vulnerabilities. Microsoft Threat Intelligence has identified threat actors abusing the recently disclosed vulnerability CVE-2023-36884 in phishing campaigns that deliver malicious Word documents to government entities in Europe and North America. CVE-2023-36884 was disclosed by Google TAG along with three other vulnerabilities; no patches were released for those vulnerabilities, and only mitigations are available.
Microsoft has published a dedicated article discussing
CVE-2023-36884, an Office and Windows HTML Remote Code Execution Vulnerability.
Microsoft is aware of these targeted attacks that attempt to exploit this
vulnerability using specially crafted Microsoft Office documents. A specially
crafted Office document allows an attacker to perform remote code execution.
However, for the exploit to succeed, the attacker must persuade the victim to
open the malicious Office document.
Storm-0978, also known as RomCom, is a Russian threat actor
known for ransomware, espionage operations, and targeted credential collection
campaigns. Its most recent campaign, detected in June 2023, abused
CVE-2023-36884. The Storm-0978 cybercriminal group, operating from
Russia, is notorious for a range of illegal activity, including
ransomware and extortion operations as well as targeted campaigns to
collect credentials. The group is also known for developing and distributing
the RomCom backdoor and deploying Underground Ransomware.
Underground ransomware is closely connected to
Industrial Spy ransomware, which was detected in the wild in May 2022. In
addition, Microsoft has reported that a campaign identified in June 2023
used the CVE-2023-36884 exploit to distribute a backdoor that has similarities
to RomCom.
In October 2022, Storm-0978 began a series of phishing campaigns
by creating fake websites that resembled genuine software installers. The main
targets of this campaign were individuals associated with the Ukrainian
government and military organizations. The goal behind this activity was to
distribute RomCom malware and potentially obtain login credentials from key
individuals.
Recommendation from Microsoft for CVE-2023-36884:
- Customers who use Microsoft Defender for Office are protected from attachments that attempt to exploit this vulnerability.
- In current attack chains, the use of the Block all Office applications from creating child processes Attack Surface Reduction Rule will prevent the vulnerability from being exploited.
- Organizations who cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. No OS restart is required, but restarting the applications that have had the registry key added for them is recommended in case the value was already queried and is cached. Please note that while these registry settings would mitigate exploitation of this issue, it could affect regular functionality for certain use cases related to these applications. For this reason, we suggest testing. To disable the mitigation, delete the registry key or set it to “0”.
- Add the following application names to this registry key as values of type REG_DWORD with data 1:
  Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION
  - Excel.exe
  - Graph.exe
  - MSAccess.exe
  - MSPub.exe
  - Powerpnt.exe
  - Visio.exe
  - WinProj.exe
  - WinWord.exe
  - Wordpad.exe
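The registry mitigation above is a per-application list of REG_DWORD values, so it is easy to audit and roll out consistently. The following PowerShell is an added example written for this page, not Microsoft's own tooling; it assumes an elevated session (HKLM writes need administrator rights) and uses only the key path and application names given in the advisory. The function names (`Get-CrossProtocolMitigationState`, `Enable-CrossProtocolMitigation`, `Disable-CrossProtocolMitigation`) are this example's own.

```powershell
# Added example: audit, apply, or remove the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION
# mitigation for CVE-2023-36884 described in the Microsoft advisory above.
# Run from an elevated PowerShell session.

# Key path from the advisory (HKLM: drive form of the Computer\HKEY_LOCAL_MACHINE path).
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'

# Application names listed in the advisory; each becomes a REG_DWORD value set to 1.
$OfficeApps = @(
    'Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'Powerpnt.exe',
    'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe'
)

function Get-CrossProtocolMitigationState {
    # Returns one object per application: the current value (if any) and whether it equals 1.
    foreach ($app in $OfficeApps) {
        $current = $null
        if (Test-Path -Path $KeyPath) {
            $current = (Get-ItemProperty -Path $KeyPath -Name $app -ErrorAction SilentlyContinue).$app
        }
        [pscustomobject]@{
            Application = $app
            Value       = $current
            Mitigated   = ($current -eq 1)
        }
    }
}

function Enable-CrossProtocolMitigation {
    # Creates the key (and any missing parent keys) and sets every listed app to DWORD 1.
    # Per the advisory, no reboot is needed, but the affected applications should be
    # restarted in case the value was already queried and cached.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    foreach ($app in $OfficeApps) {
        New-ItemProperty -Path $KeyPath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Disable-CrossProtocolMitigation {
    # The advisory allows either deleting the key or setting the values to 0;
    # this sets each value to 0 so the key itself is left in place for auditing.
    if (Test-Path -Path $KeyPath) {
        foreach ($app in $OfficeApps) {
            Set-ItemProperty -Path $KeyPath -Name $app -Value 0 -ErrorAction SilentlyContinue
        }
    }
}

# Usage: show current state, apply the mitigation, then confirm.
Get-CrossProtocolMitigationState | Format-Table -AutoSize
Enable-CrossProtocolMitigation
Get-CrossProtocolMitigationState | Format-Table -AutoSize
```

Because the advisory notes the setting can affect normal functionality for some use cases, the audit function is worth running on a pilot group first and again after rollout; the `Mitigated` column makes it simple to spot machines where a value was never written or was later reset to 0.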
| Indicator | Indicator Type | Description |
|---|---|---|
| d4a847fa9c4c7130a852a2e197b205493170a8b44426d9ec481fc4b285a92666 | SHA256 | Underground Team Ransomware |
| fb4ad5d21f0d8c6755eb4addba0ac288bd2574b6 | SHA1 | Underground Team Ransomware |
| 059175be5681a633190cd9631e2975f6 | MD5 | Underground Team Ransomware |
8a5c7fff7a7a52dca5b48afc77810142b003b9dae1c0d6b522984319d44d135a | SHA256 | Industrial Spy ransomware (debug build) |
dfd6fa5eea999907c49f6be122fd9a078412eeb84f1696418903f2b369bec4e0 | SHA256 | Industrial Spy ransomware |
5ed4ffbd9a1a1acd44f4859c39a49639babe515434ca34bec603598b50211bab | SHA256 | Industrial Spy ransomware |
62051ec55c990d2ff21f36a90115986e4ac0eada18306f39687e209f49f2c6ec | SHA256 | Industrial Spy market promoter trojan |
911153af684ef3460bdf568d18a4356b84efdb638e3e581609eb5cd5223f0010 | SHA256 | Industrial Spy market promoter trojan |
85ea71c910ebb00ba8cae266bf18400a15b08bd341e37e12083ab9a79ff6c943 | SHA256 | Industrial Spy market promoter trojan |
c96b098cab47c0a33d0b6d8f14b24e7c9ba897b0c59a2ac1f3dc608ca7a2ed7e | SHA256 | Industrial Spy market promoter trojan |
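The indicators above are file hashes in three algorithms, so a local sweep only needs to hash each file with each algorithm and look the result up. The following PowerShell is an added example for this page, not from Microsoft or the original author; the hash values are copied from the table, while the function name `Find-KnownIndicator` and the scan path in the usage line are assumptions.

```powershell
# Added example: scan a directory tree for files whose SHA256, SHA1, or MD5 hash
# matches one of the indicators listed in the table above.

# Hashes taken from the indicator table; keys are kept lowercase for lookup.
$Indicators = @{
    'd4a847fa9c4c7130a852a2e197b205493170a8b44426d9ec481fc4b285a92666' = 'Underground Team Ransomware'
    'fb4ad5d21f0d8c6755eb4addba0ac288bd2574b6'                         = 'Underground Team Ransomware'
    '059175be5681a633190cd9631e2975f6'                                 = 'Underground Team Ransomware'
    '8a5c7fff7a7a52dca5b48afc77810142b003b9dae1c0d6b522984319d44d135a' = 'Industrial Spy ransomware (debug build)'
    'dfd6fa5eea999907c49f6be122fd9a078412eeb84f1696418903f2b369bec4e0' = 'Industrial Spy ransomware'
    '5ed4ffbd9a1a1acd44f4859c39a49639babe515434ca34bec603598b50211bab' = 'Industrial Spy ransomware'
    '62051ec55c990d2ff21f36a90115986e4ac0eada18306f39687e209f49f2c6ec' = 'Industrial Spy market promoter trojan'
    '911153af684ef3460bdf568d18a4356b84efdb638e3e581609eb5cd5223f0010' = 'Industrial Spy market promoter trojan'
    '85ea71c910ebb00ba8cae266bf18400a15b08bd341e37e12083ab9a79ff6c943' = 'Industrial Spy market promoter trojan'
    'c96b098cab47c0a33d0b6d8f14b24e7c9ba897b0c59a2ac1f3dc608ca7a2ed7e' = 'Industrial Spy market promoter trojan'
}

function Find-KnownIndicator {
    # Hypothetical helper: hashes every file under $Path and emits a match record
    # for each file whose hash appears in $Indicators. Files that cannot be read
    # (locked or access denied) are skipped rather than aborting the scan.
    param(
        [Parameter(Mandatory)] [string] $Path
    )
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        foreach ($algo in 'SHA256', 'SHA1', 'MD5') {
            $result = Get-FileHash -Path $file.FullName -Algorithm $algo -ErrorAction SilentlyContinue
            if (-not $result) { continue }
            $hash = $result.Hash.ToLowerInvariant()
            if ($Indicators.ContainsKey($hash)) {
                [pscustomobject]@{
                    Path        = $file.FullName
                    Algorithm   = $algo
                    Hash        = $hash
                    Description = $Indicators[$hash]
                }
            }
        }
    }
}

# Usage (the path is an assumption; point it at download or temp locations of interest):
Find-KnownIndicator -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```

Hashing every file three times is the simple, correct approach for a small indicator set; for a large sweep it is cheaper to hash once per algorithm only for the algorithms actually present in the table, which here is all three.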