Updated on 27/07/2023
On July 11th, Microsoft announced that it had uncovered a zero-day vulnerability affecting numerous Windows and Office products, with a criticality score of 8.3. Concerningly, this vulnerability, tracked as CVE-2023-36884, is already being exploited in the wild: a nation-state-backed group as well as other criminal groups are leveraging it to carry out remote code execution via weaponized Office documents.
Threat Actor Group Storm-0978
The vulnerability is being used in highly targeted phishing campaigns run by the threat actor group Storm-0978. Also known as RomCom, after the name of the backdoor it developed, this Russia-based group is already well known for ransomware and credential-harvesting campaigns. In this particular campaign, phishing emails pose as invitations to Ukrainian World Congress-related events and contain links to Word documents which, when clicked, leverage CVE-2023-36884 to install backdoors.
According to Microsoft Threat Intelligence’s blog, “Storm-0978 operates, develops, and distributes the RomCom backdoor… The actor’s latest campaign detected in June 2023 involved abuse of CVE-2023-36884 to deliver a backdoor with similarities to RomCom.”
Government Agencies are Main Targets
First spotted in June 2023, these emails target government agencies in Europe and North America, but this is far from the first time Storm-0978/RomCom has gone after such high-value targets using the situation in Ukraine as a lure. In December, the group compromised an email account of the Ukrainian Ministry of Defense, which was then used to send emails with infected PDFs carrying information-stealing malware. In October, they were spotted creating fake websites that targeted members of the Ukrainian government.
They have also been involved in multiple financially motivated attacks, recently leveraging ransomware strains such as Industrial Spy, Underground, and Trigona.
In Microsoft’s advisory they state: “An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.”
If performed successfully, this could enable attackers to “access sensitive information, turn off system protection, and deny access to the compromised system”, says Bleeping Computer.
What Can be Done to Address CVE-2023-36884?
- No Patch Available Yet – Currently there is no patch available for CVE-2023-36884.
- According to Microsoft, systems that enable Microsoft Defender for Office are protected from attachments that attempt to exploit this vulnerability.
- As a best practice, you should also implement the “Block all Office applications from creating child processes” attack surface reduction (ASR) rule.
- In addition, Microsoft says that setting the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key will prevent the attack. Applying this workaround does not require rebooting the machine, but it is recommended to restart the affected Office applications. Microsoft also noted that: “…while these registry settings would mitigate exploitation of this issue, it could affect regular functionality for certain use cases related to these applications. For this reason, we suggest testing. To disable the mitigation, delete the registry key or set it to ‘0’.”
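The following PowerShell script is an added example (not code from this post or from XM Cyber) that applies the two workarounds above on one host, reports the resulting state so it can be audited, and provides Microsoft's documented rollback. It assumes the registry key path and per-application value names given in Microsoft's CVE-2023-36884 advisory and the documented GUID of the "Block all Office applications from creating child processes" ASR rule; verify both against the current advisory before deploying.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.
# Assumed from Microsoft's CVE-2023-36884 advisory: key path and application value names.
#Requires -RunAsAdministrator

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$OfficeApps = 'Excel.exe','Graph.exe','MSAccess.exe','MSPub.exe','PowerPoint.exe',
              'Visio.exe','WinProj.exe','WinWord.exe','Wordpad.exe'
# Assumed: documented ASR rule GUID for "Block all Office applications from creating child processes"
$AsrOfficeChildProcess = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Get-CrossProtocolNavigationState {
    # One row per application: 1 = mitigated, 0 = explicitly disabled, $null = value not present
    foreach ($app in $OfficeApps) {
        $value = $null
        if (Test-Path $KeyPath) {
            $value = (Get-ItemProperty -Path $KeyPath -Name $app -ErrorAction SilentlyContinue).$app
        }
        [pscustomobject]@{ Application = $app; Value = $value; Mitigated = ($value -eq 1) }
    }
}

function Enable-CrossProtocolNavigationBlock {
    # Creates the key if needed and sets each application's REG_DWORD value to 1
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    foreach ($app in $OfficeApps) {
        New-ItemProperty -Path $KeyPath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Disable-CrossProtocolNavigationBlock {
    # Microsoft's documented rollback: delete the registry key (setting the values to 0 also works)
    if (Test-Path $KeyPath) { Remove-Item -Path $KeyPath -Recurse -Force }
}

function Enable-OfficeChildProcessAsrRule {
    # Defender ASR rule: block all Office applications from creating child processes
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrOfficeChildProcess `
                     -AttackSurfaceReductionRules_Actions Enabled
}

# Apply both mitigations, then print the state for the change record.
# No reboot is required, but open Office applications must be restarted.
Enable-CrossProtocolNavigationBlock
Enable-OfficeChildProcessAsrRule
Get-CrossProtocolNavigationState | Format-Table -AutoSize
```

Because Microsoft warns the key can affect regular functionality, run `Enable-CrossProtocolNavigationBlock` on a pilot group first and keep `Disable-CrossProtocolNavigationBlock` at hand for rollback.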
Identifying CVE-2023-36884 with XM Cyber
The XM Cyber Research team has added CVE-2023-36884 to the XM Cyber platform, so that the vulnerability can be identified by both the Attack Path Management module and the Vulnerability Management module.
As with other vulnerabilities, organizations often lack the context and visibility to know which machines are at risk and which users could be exploited, which makes it very hard to decide what to tackle first and how. With XM Cyber you can identify the exploitability of CVE-2023-23397 in your organization in a prioritized manner.