Flash Notice: Microsoft Zero-Day Exploited by Russian Threat Actor

overview

A remote code execution (RCE) vulnerability exists in Microsoft Office and Windows HTML. The vulnerability is tracked as CVE-2023-36884 and is being exploited by the Russian threat actor Storm-0978 (also known as RomCom). The group is using the vulnerability in a phishing campaign that targets defense organizations, as well as government organizations in Europe and North America.  

Storm-0978 is deploying a backdoor called RomCom via Windows documents with themes relevant to the Ukrainian World Congress. Storm-0978 specializes in opportunistic ransomware, extortion, and targeted credential-stealing campaigns possibly linked to intelligence activities. According to Microsoft, ransomware attacks have been identified in the telecommunications and financial industries, among others. 

Although Microsoft has not issued a patch for CVE-2023-36884 they have provided recommendations on how organizations can protect themselves:  

• Customers who use Microsoft Defender for Office 365 are protected from attachments that attempt to exploit CVE-2023-36884. 
• In current attack chains, the use of the Block all Office applications from creating child processes attack surface reduction rule prevents the vulnerability from being exploited 
• Organizations who cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation.  Please note that while these registry settings would mitigate exploitation of this issue, it could affect regular functionality for certain use cases related to these applications. 
• Add the following application names to this registry key as values of type REG_DWORD with data 1: 

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION

• Excel.exe
• Graph.exe
• MSAccess.exe
• MSPub.exe
• PowerPoint.exe
• Visio.exe
• WinProj.exe
• WinWord.exe
• Wordpad.exe

If you haven't already done so, please refer to Microsoft's recommendations and implement them immediately. According to Microsoft's advisory, the CVE will be regularly updated with additional information and links to security updates as soon as they are released.

avertium's recommendationS

• Microsoft Defender for Office 365 - Microsoft’s advisory states that Microsoft Defender for Office 365 customers are protected from attachments that attempt to exploit CVE-2023-36884.

• Enable cloud-delivered protection in Microsoft Defender Antivirus or your antivirus product's equivalent to safeguard against rapidly evolving attacker tools and techniques. Cloud-based machine learning defenses effectively block most new and unknown variants.
• Enable block mode for EDR in Microsoft Defender for Endpoint to proactively block malicious artifacts, even if your non-Microsoft antivirus fails to detect the threat or when Microsoft Defender Antivirus is in passive mode. EDR in block mode operates discreetly to remediate malicious artifacts identified after a breach.
• Use Microsoft Defender for Office 365 to strengthen phishing protection and defend against emerging threats and polymorphic variants. Defender for Office 365 users should enable Safe Attachments and Safe Links protection, along with Zero-hour Auto Purge (ZAP), to promptly eliminate emails if a URL becomes malicious after delivery.
• Microsoft 365 Defender customers have the option to enable attack surface reduction rules, blocking common attack techniques employed in ransomware attacks.
• Block all Office applications from creating child processes.

INDICATORS OF COMPROMISE (IoCs)

Microsoft Defender for Endpoint - Microsoft’s advisory states that alerts with the following title(s) in the security center can indicate activity on your network: Emerging threat activity group Storm-0978 detected.

How Avertium is Protecting Our CUSTOMERS

Avertium’s Capability Development Team found several detections for activity related to Storm-0978/RomCom.

Please Note: These detections could have a high volume of false positives if script interpreters or shell processes are launched as part of normal activity. I.e., Excel being used to launch PowerShell to gather live data.

SUPPORTING DOCUMENTATION