Microsoft's Latest Patch Tuesday Reveals 132 Vulnerabilities and Active Exploitation: CVE-2023-36884 Targeted by Russian Threat Actor Storm-0978


Microsoft launched its latest Patch Tuesday, consisting of 132 vulnerabilities, with six actively exploited and thirty-seven categorized as Remote Code Execution (RCE) vulnerabilities.

On July 11, 2023, Microsoft launched its latest Patch Tuesday, consisting of 132 vulnerabilities, with six actively exploited and thirty-seven categorized as Remote Code Execution (RCE) vulnerabilities. Microsoft Threat Intelligece has identified threat actors abusing the recently disclosed vulnerability, CVE-2023-36884, in phishing campaigns containing malicious Word documents against government entities in Europe and North America. CVE-2023-36884 was disclosed along with three other vulnerabilities by Google TAG, no patches were released for those vulnerabilities and only mitigations are available.

Microsoft has published a dedicated article discussing CVE-2023-36884, an Office and Windows HTML Remote Code Execution Vulnerability. Microsoft is aware of these targeted attacks that attempt to exploit this vulnerability using specially crafted Microsoft Office documents. A specially crafted Office document allows an attacker to perform remote code execution. However, for the exploit to succeed, the attacker must persuade the victim to open the malicious Office document.

Storm-0978, also known as RomCom is a Russian threat actor known for ransomware, espionage operations, and targeted credential collection campaigns. Their most recent campaign was last detected in June 2023 involving the abuse of CVE-2023-36884. The Storm-0978 cybercriminal group, operating from Russia, is notorious for engaging in various illegal activities. These activities include conducting ransomware and extortion operations as well as targeted campaigns to collect credentials. The group is also known for developing and distributing the RomCom backdoor and deploying Underground Ransomware.

The underground ransomware is significantly connected to the Industrial Spy Ransomware, which was detected in the wild in May 2022. In addition, Microsoft has reported that a recent campaign identified in June 2023 used the CVE-2023-36884 exploit to distribute a backdoor that has similarities to RomCom.

In October 2022, Storm-0978 began a series of phishing campaigns by creating fake websites that resembled genuine software installers. The main targets of this campaign were individuals associated with the Ukrainian government and military organizations. The goal behind this activity was to distribute RomCom malware and potentially obtain login credentials from key individuals.

Recommendation from Microsoft for CVE-2023-36884:

  • Customers who use Microsoft Defender for Office are protected from attachments that attempt to exploit this vulnerability.
  • In current attack chains, the use of the Block all Office applications from creating child processes Attack Surface Reduction Rule will prevent the vulnerability from being exploited.
  • Organizations who cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. No OS restart is required, but restarting the applications that have had the registry key added for them is recommended in case the value was already queried and is cached. Please note that while these registry settings would mitigate exploitation of this issue, it could affect regular functionality for certain use cases related to these applications. For this reason, we suggest testing. To disable the mitigation, delete the registry key or set it to “0”.
  • Add the following application names to this registry key as values of type REG_DWORD with data 1.:
    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION
    1. Excel.exe
    2. Graph.exe
    3. MSAccess.exe
    4. MSPub.exe
    5. Powerpnt.exe
    6. Visio.exe
    7. WinProj.exe
    8. WinWord.exe
    9. Wordpad.exe

Indicators Indicator Type Description
d4a847fa9c4c7130a852a2e197b205493170a8b44426d9ec481fc4b285a92666 Sha256 Underground Team Ransomware
fb4ad5d21f0d8c6755eb4addba0ac288bd2574b6 Sha1 Underground Team Ransomware
059175be5681a633190cd9631e2975f6 Md5 Underground Team Ransomware
8a5c7fff7a7a52dca5b48afc77810142b003b9dae1c0d6b522984319d44d135a SHA256 Industrial Spy ransomware (debug build)
dfd6fa5eea999907c49f6be122fd9a078412eeb84f1696418903f2b369bec4e0 SHA256 Industrial Spy ransomware
5ed4ffbd9a1a1acd44f4859c39a49639babe515434ca34bec603598b50211bab SHA256 Industrial Spy ransomware
62051ec55c990d2ff21f36a90115986e4ac0eada18306f39687e209f49f2c6ec SHA256 Industrial Spy market promoter trojan
911153af684ef3460bdf568d18a4356b84efdb638e3e581609eb5cd5223f0010 SHA256 Industrial Spy market promoter trojan
85ea71c910ebb00ba8cae266bf18400a15b08bd341e37e12083ab9a79ff6c943 SHA256 Industrial Spy market promoter trojan
c96b098cab47c0a33d0b6d8f14b24e7c9ba897b0c59a2ac1f3dc608ca7a2ed7e SHA256 Industrial Spy market promoter trojan