OVERVIEW

This week, Microsoft patched two actively exploited zero-day vulnerabilities, CVE-2023-36884 and CVE-2023-38180, as part of its August 2023 Patch Tuesday release, which fixes 87 vulnerabilities in total. Both zero-days were exploited in attacks before a fix was available, and one of them (CVE-2023-36884) was publicly disclosed before the patch was released. 

CVE-2023-36884 

CVE-2023-36884 is a remote code execution vulnerability that Microsoft first disclosed in July 2023 with mitigations but without a patch. Attackers craft Microsoft Office documents that bypass the Mark of the Web (MoTW) security feature, so the file opens without the usual security warning and the attacker's code runs. The August release addresses the flaw with Windows updates (Microsoft's advisory now titles it a Windows Search remote code execution vulnerability) and an Office Defense in Depth update that closes the Office-side attack chain used in the observed exploitation. 

The Russia-based threat actor Storm-0978, also known as RomCom, is actively exploiting this vulnerability. The group, previously known for deploying Industrial Spy ransomware, now operates under the 'Underground' brand and extorts victims through its ransomware operations. 

CVE-2023-38180 

Microsoft also addressed CVE-2023-38180, an actively exploited denial of service (DoS) vulnerability in .NET and Visual Studio; Microsoft's advisory classifies it as a denial of service issue, not a distributed denial of service (DDoS) issue. Microsoft has not published details of how the flaw is being exploited and has not credited a discoverer.  

Cybersecurity engineer Nikolas Cemerikic at Immersive Labs stated that while an attacker would need to be within the same network as the target system, the vulnerability doesn't require the attacker to have acquired user privileges on the target system. Avertium suggests that all organizations follow the appropriate security recommendations and promptly apply patches. 

AVERTIUM'S RECOMMENDATIONS

  • CVE-2023-36884 
    • Microsoft suggests the installation of both the Office updates detailed in their advisory and the Windows updates released in August 2023. The last update for the advisory was August 9, 2023. 
  • Storm-0978/RomCom 
    • Enable cloud-delivered protection in Microsoft Defender Antivirus or your antivirus product's equivalent to safeguard against rapidly evolving attacker tools and techniques. Cloud-based machine learning defenses effectively block most new and unknown variants.  
    • Enable block mode for EDR in Microsoft Defender for Endpoint to proactively block malicious artifacts, even if your non-Microsoft antivirus fails to detect the threat or when Microsoft Defender Antivirus is in passive mode. EDR in block mode operates discreetly to remediate malicious artifacts identified after a breach. 
    • Microsoft 365 Defender customers have the option to enable attack surface reduction rules, blocking common attack techniques employed in ransomware attacks. 
    • In particular, enable the attack surface reduction rule "Block all Office applications from creating child processes", which breaks the Office-document-to-payload chain these attacks rely on. 
  • CVE-2023-38180 
    • Microsoft has not published exploitation details for CVE-2023-38180, but the fix is available through the Security Update Guide advisory linked below; apply it to affected .NET and Visual Studio installations. 
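Applying and verifying the Defender settings above on a single endpoint can be scripted. The block below is an added example written for this notice, not code from Microsoft's or Avertium's advisories. It uses the Defender PowerShell module (Add-MpPreference, Set-MpPreference, Get-MpPreference, Get-MpComputerStatus) and the ASR rule GUID for "Block all Office applications from creating child processes"; the exclusion path is a placeholder, and the numeric-to-name maps for ASR actions and MAPS levels are the documented values.

```powershell
#Requires -RunAsAdministrator
# Added example (not from Microsoft's or Avertium's advisories). Applies the Defender
# settings recommended above on one endpoint and reports their state. In a managed
# fleet, push the same settings through Intune or Group Policy: policy-managed values
# override local Set-MpPreference changes.

# ASR rule "Block all Office applications from creating child processes"
$AsrOfficeChildProcs = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# Get-MpPreference reports ASR actions and MAPS membership as numbers.
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$MapsLevelNames = @{ 0 = 'Disabled'; 1 = 'Basic'; 2 = 'Advanced' }

function Enable-OfficeChildProcessAsrRule {
    # Roll out in AuditMode first and review the audit events (Event ID 1122 in the
    # Microsoft-Windows-Windows Defender/Operational log) before switching to Enabled;
    # otherwise legitimate Office-to-script workflows are blocked without warning.
    param([ValidateSet('Enabled', 'AuditMode', 'Warn')][string]$Mode = 'Enabled')
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrOfficeChildProcs `
                     -AttackSurfaceReductionRules_Actions $Mode
}

function Enable-CloudDeliveredProtection {
    # "Cloud-delivered protection" in the Defender UI is MAPS Advanced membership;
    # sample submission and a higher cloud block level make it more effective.
    Set-MpPreference -MAPSReporting Advanced
    Set-MpPreference -SubmitSamplesConsent SendSafeSamples
    Set-MpPreference -CloudBlockLevel High
}

function Add-AsrKnownGoodExclusion {
    # ASSUMED placeholder for a vetted workflow the rule would otherwise break
    # (for example a workbook that launches an approved PowerShell script).
    # ASR exclusions apply to every ASR rule, so keep them file-specific.
    param([Parameter(Mandatory)][string]$Path)
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $Path
}

function Get-DefenseInDepthStatus {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # Look the rule up by GUID; Ids and Actions are parallel arrays.
    $ruleState = 'NotConfigured'
    $ids = @($pref.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $AsrOfficeChildProcs) {
            $ruleState = $AsrActionNames[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
        }
    }

    [pscustomobject]@{
        OfficeChildProcessRule = $ruleState
        CloudProtection        = $MapsLevelNames[[int]$pref.MAPSReporting]
        CloudBlockLevel        = $pref.CloudBlockLevel
        # 'Normal' = Defender AV active; 'Passive Mode' = third-party AV is primary;
        # 'EDR Block Mode' = Defender for Endpoint remediating behind a third-party AV.
        AMRunningMode          = $status.AMRunningMode
        AMServiceEnabled       = $status.AMServiceEnabled
        SignatureAgeDays       = $status.AntivirusSignatureAge
    }
}

Enable-CloudDeliveredProtection
Enable-OfficeChildProcessAsrRule -Mode AuditMode   # switch to -Mode Enabled after reviewing audit events
Get-DefenseInDepthStatus | Format-List
```

EDR in block mode itself is switched on in the Microsoft Defender for Endpoint portal rather than locally; the status function only reports whether the endpoint is currently running in that mode.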


INDICATORS OF COMPROMISE (IoCs)

RomCom 

  • FileHash-MD5 
    • 00ad6d892612d1fc3fa41fdc803cc0f3 
    • 6f47723e5fc6e96ab5e9f96f6bc585fa 
    • d227874863036b8e73a3894a19bd25a0 
    • f4959e947cee62a3fa34d9c191dd9351 
  • FileHash-SHA1 
    • 04e3be2ff570eb1a479925560103af5d22961983 
    • 2400b169ee2c38ac146c67408debc9b4fa4fca5f 
    • 3de83c6298a7dc6312c352d4984be8e1cb698476 
  • FileHash-SHA256 
    • 0501d09a219131657c54dba71faf2b9d793e466f2c7fdf6b0b3c50ec5b866b2a 
    • 07377209fe68a98e9bca310d9749daa4eb79558e9fc419cf0b02a9e37679038d 
    • 1a7bb878c826fe0ca9a0677ed072ee9a57a228a09ee02b3c5bd00f54f354930f 
    • 3a3138c5add59d2172ad33bc6761f2f82ba344f3d03a2269c623f22c1a35df97 
    • a61b2eafcf39715031357df6b01e85e0d1ea2e8ee1dfec241b114e18f7a1163f 
    • e7cfeb023c3160a7366f209a16a6f6ea5a0bc9a3ddc16c6cba758114dfe6b539 
  • URLs 
    • hxxp://104[.]234.239.26/share1/MSHTML_C7 
    • hxxp://104[.]234.239.26/share1/MSHTML_C7/1/99.99.99.99_a15fa_file001.htm?d=99.99.99.99_ 
    • hxxp://65[.]21.27.250:8080 
    • hxxp://65.21.27.250:8080/mds/O--------------------------http://65.21.27.250:8080/mds/D--------------------------http://65.21.27.250:8080/mds/S-------------------------- 
    • hxxp://74[.]50.94.156/MSHTML_C7/o2010.asp?d=99.99.99.99* 
    • hxxp://74[.]50.94.156/MSHTML_C7/start.xml 
    • hxxp://74[.]50.94.156/MSHTML_C7/zip_k.asp?d=34.141.245.25_f68f9_ 
    • hxxp://74[.]50.94.156/MSHTML_C7/zip_k.asp?d=99.99.99.99. 
    • hxxp://74[.]50.94.156/MSHTML_C7/zip_k2.asp?d=34.141.245.25_f68f9_ 
    • hxxp://74[.]50.94.156/MSHTML_C7/zip_k2.asp?d=99.99.99.99. 
    • hxxp://74[.]50.94.156/MSHTML_C7/zip_k3.asp?d=34.141.245.25_f68f9_ 
    • hxxp://74[.]50.94.156/MSHTML_C7/zip_k3.asp?d=99.99.99.99. 
    • hxxp://74[.]50.94.156/share1/MSHTML_C7/1/ 
    • hxxp://finformservice[.]com:80/api/v1.5/ 
    • hxxp://finformservice[.]com:80/api/v1.5/subscriptiontoken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MTIzNDU2Nzg5LCJuYW1lIjoiSm9zZXBoI 
  • Domains 
    • altimata[.]org 
    • bentaxworld[.]com 
    • finformservice[.]com 
    • penofach[.]com 
    • ukrainianworldcongress[.]info 
    • dashboard[.]penofach[.]com 
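A quick way to use these indicators on a single Windows host is to sweep likely drop locations for the listed file hashes and check the resolver cache and live TCP connections for the listed domains and IPs. The block below is an added example, not part of the original notice. The hash, domain and IP lists are copied from the IoC section above; the directories and file types it sweeps are assumptions chosen to keep the run short, and the checks are point-in-time (consult DNS and proxy logs for history).

```powershell
# Added example (not from the original notice): sweep this host for the RomCom IoCs above.

$RomComSha256 = @(
    '0501d09a219131657c54dba71faf2b9d793e466f2c7fdf6b0b3c50ec5b866b2a',
    '07377209fe68a98e9bca310d9749daa4eb79558e9fc419cf0b02a9e37679038d',
    '1a7bb878c826fe0ca9a0677ed072ee9a57a228a09ee02b3c5bd00f54f354930f',
    '3a3138c5add59d2172ad33bc6761f2f82ba344f3d03a2269c623f22c1a35df97',
    'a61b2eafcf39715031357df6b01e85e0d1ea2e8ee1dfec241b114e18f7a1163f',
    'e7cfeb023c3160a7366f209a16a6f6ea5a0bc9a3ddc16c6cba758114dfe6b539'
)
$RomComSha1 = @(
    '04e3be2ff570eb1a479925560103af5d22961983',
    '2400b169ee2c38ac146c67408debc9b4fa4fca5f',
    '3de83c6298a7dc6312c352d4984be8e1cb698476'
)
$RomComMd5 = @(
    '00ad6d892612d1fc3fa41fdc803cc0f3',
    '6f47723e5fc6e96ab5e9f96f6bc585fa',
    'd227874863036b8e73a3894a19bd25a0',
    'f4959e947cee62a3fa34d9c191dd9351'
)
$RomComDomains = @(
    'altimata.org', 'bentaxworld.com', 'finformservice.com',
    'penofach.com', 'ukrainianworldcongress.info', 'dashboard.penofach.com'
)
$RomComIPs = @('104.234.239.26', '65.21.27.250', '74.50.94.156')

function Find-RomComFiles {
    # Get-FileHash returns uppercase hex; -contains compares case-insensitively,
    # so the lowercase lists above match without normalisation.
    param(
        # ASSUMED sweep scope: common drop locations for phished documents and payloads.
        [string[]]$Paths   = @("$env:USERPROFILE\Downloads", $env:TEMP, $env:APPDATA),
        [string[]]$Include = @('*.doc*', '*.rtf', '*.pdf', '*.zip', '*.lnk', '*.url', '*.exe', '*.dll')
    )
    Get-ChildItem -Path $Paths -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = $_.FullName
            $sha256 = (Get-FileHash -Path $f -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            $sha1   = (Get-FileHash -Path $f -Algorithm SHA1   -ErrorAction SilentlyContinue).Hash
            $md5    = (Get-FileHash -Path $f -Algorithm MD5    -ErrorAction SilentlyContinue).Hash
            if (($RomComSha256 -contains $sha256) -or ($RomComSha1 -contains $sha1) -or ($RomComMd5 -contains $md5)) {
                [pscustomobject]@{ Source = 'File'; Indicator = $sha256; Detail = "$f (modified $($_.LastWriteTime))" }
            }
        }
}

function Find-RomComNetworkArtifacts {
    # Resolver cache shows recent lookups; established connections show live beaconing.
    $dns = Get-DnsClientCache -ErrorAction SilentlyContinue |
           Where-Object { ($RomComDomains -contains $_.Entry.TrimEnd('.')) -or ($RomComIPs -contains $_.Data) }
    $tcp = Get-NetTCPConnection -ErrorAction SilentlyContinue |
           Where-Object { $RomComIPs -contains $_.RemoteAddress }
    foreach ($d in $dns) {
        [pscustomobject]@{ Source = 'DnsCache'; Indicator = $d.Entry; Detail = "resolved to $($d.Data)" }
    }
    foreach ($c in $tcp) {
        [pscustomobject]@{ Source = 'TcpConnection'; Indicator = $c.RemoteAddress
                           Detail = "pid $($c.OwningProcess) -> port $($c.RemotePort) ($($c.State))" }
    }
}

$hits = @(Find-RomComFiles) + @(Find-RomComNetworkArtifacts)
if ($hits.Count -gt 0) { $hits | Format-Table -AutoSize } else { 'No RomCom indicators found on this host.' }
```

A hit on a file hash or a live connection to one of the IPs warrants isolating the host and pulling the full process tree around the Office application that opened the document; a cached DNS entry alone can also come from a security scanner or a user previewing a link, so confirm it against proxy logs before escalating.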


HOW AVERTIUM IS PROTECTING OUR CUSTOMERS

  • Avertium's Capability Development Team has several detections for activity related to Storm-0978/RomCom. 
    • Please note: these detections can generate a high volume of false positives in environments where Office applications launch script interpreters or shell processes as part of normal business activity, for example Excel launching PowerShell to pull live data. Tune them with an allowlist of known-good parent/child/command-line combinations before alerting on them. 

Suspicious Microsoft Office Child Process 

Detects a suspicious process spawning from one of the Microsoft Office suite products. 

Microsoft Office spawning script interpreter  

Detects when an office application is attempting to spawn a script interpreter. 
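The two detections above share one core check: an Office application as the parent of a process that should not normally be its child. The block below is an added example written for this notice, not Avertium's detection content, showing that logic in PowerShell over constructed process-creation records (field names follow Sysmon Event ID 1). The Office and interpreter process lists, the two-tier split, and the allowlist entry for the Excel-to-PowerShell reporting case are assumptions to be tuned per environment; the script path in the allowlist is a placeholder.

```powershell
# Added example (not Avertium's detection content): Office parent -> suspicious child
# detection with an allowlist for the known false-positive case, over constructed events.

$OfficeParents = @('WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'MSACCESS.EXE',
                   'OUTLOOK.EXE', 'MSPUB.EXE', 'VISIO.EXE', 'ONENOTE.EXE')

# Tier 1: script interpreters and shells ("Microsoft Office spawning script interpreter").
$ScriptInterpreters = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe')
# Tier 2: other binaries commonly abused to stage payloads ("Suspicious Microsoft Office Child Process").
$OtherSuspicious = @('rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe',
                     'msiexec.exe', 'schtasks.exe', 'wmic.exe')

# ASSUMED allowlist for vetted business workflows. Match on parent, child AND a
# command-line pattern, never on the child name alone.
$Allowlist = @(
    @{ Parent = 'EXCEL.EXE'; Child = 'powershell.exe'; CmdRegex = '(?i)C:\\Tools\\RefreshLiveData\.ps1' }
)

function Test-OfficeChildProcess {
    # Returns the rule name that fires, or $null. -contains is case-insensitive.
    param(
        [Parameter(Mandatory)][string]$ParentImage,
        [Parameter(Mandatory)][string]$Image,
        [string]$CommandLine = ''
    )
    $parent = [System.IO.Path]::GetFileName($ParentImage)
    $child  = [System.IO.Path]::GetFileName($Image)
    if ($OfficeParents -notcontains $parent) { return $null }

    foreach ($a in $Allowlist) {
        if ($a.Parent -ieq $parent -and $a.Child -ieq $child -and $CommandLine -match $a.CmdRegex) {
            return $null
        }
    }
    if ($ScriptInterpreters -contains $child) { return 'Microsoft Office spawning script interpreter' }
    if ($OtherSuspicious -contains $child)    { return 'Suspicious Microsoft Office Child Process' }
    return $null
}

function Find-OfficeChildAlerts {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $rule = Test-OfficeChildProcess -ParentImage $e.ParentImage -Image $e.Image -CommandLine $e.CommandLine
        if ($rule) {
            [pscustomobject]@{ Rule = $rule; Host = $e.Computer; Parent = $e.ParentImage
                               Child = $e.Image; CommandLine = $e.CommandLine }
        }
    }
}

function ConvertFrom-SysmonProcessCreate {
    # Turns a real Sysmon Event ID 1 record into the shape Find-OfficeChildAlerts expects.
    # Usage (requires Sysmon; not run here):
    #   Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1} |
    #       ConvertFrom-SysmonProcessCreate | ForEach-Object { $_ } | Set-Variable ev
    #   Find-OfficeChildAlerts -Events $ev
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ Computer = $x.Event.System.Computer; ParentImage = $d['ParentImage']
                           Image = $d['Image']; CommandLine = $d['CommandLine'] }
    }
}

# Constructed sample events (not real telemetry).
$Office16 = 'C:\Program Files\Microsoft Office\root\Office16'
$SampleEvents = @(
    [pscustomobject]@{ Computer = 'WS01'; ParentImage = "$Office16\WINWORD.EXE"; Image = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'cmd.exe /c start "" "%TEMP%\invoice.exe"' }                  # fires tier 1
    [pscustomobject]@{ Computer = 'WS02'; ParentImage = "$Office16\EXCEL.EXE"; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell.exe -File C:\Tools\RefreshLiveData.ps1' }         # allowlisted
    [pscustomobject]@{ Computer = 'WS02'; ParentImage = "$Office16\EXCEL.EXE"; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell.exe -nop -w hidden -enc SQBFAFgA' }              # fires tier 1
    [pscustomobject]@{ Computer = 'WS03'; ParentImage = "$Office16\OUTLOOK.EXE"; Image = "$Office16\WINWORD.EXE"
                       CommandLine = 'WINWORD.EXE /n attachment.docx' }                             # benign, no alert
    [pscustomobject]@{ Computer = 'WS04'; ParentImage = "$Office16\WINWORD.EXE"; Image = 'C:\Windows\System32\rundll32.exe'
                       CommandLine = 'rundll32.exe C:\Users\Public\update.dll,Start' }             # fires tier 2
)

Find-OfficeChildAlerts -Events $SampleEvents | Format-Table -AutoSize
```

Run against the sample set this produces three alerts (WS01, the encoded-command WS02 event, and WS04) and stays quiet on the allowlisted Excel report refresh and on Outlook opening Word. Keep the allowlist anchored on the full script path: an allowlist keyed only on "Excel spawning PowerShell" would also silence the encoded-command case.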

  • Avertium offers Vulnerability Management (VM) to provide a deeper understanding and control over organizational information security risks.  If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap. 
  • Fusion MXDR for Microsoft combines Avertium's Fusion MXDR approach with Microsoft Security Solutions, creating the first MDR offering that integrates all aspects of security operations into an active and threat-informed XDR solution. Leveraging Microsoft's comprehensive and cost-effective technology, Fusion MXDR for Microsoft delivers a release of cyber energy, encompassing implementation, optimization, ongoing management, and tuning. 

SUPPORTING DOCUMENTATION

RomCom Threat Actor Suspected of Targeting Ukraine's NATO Membership Talks at the NATO Summit - AlienVault - Open Threat Exchange 

Flash Notice: Microsoft Zero-Day Exploited by Russian Threat Actor (avertium.com) 

Microsoft Patch Tuesday, August 2023 Edition – Krebs on Security 

Microsoft August 2023 Patch Tuesday warns of 2 zero-days, 87 flaws (bleepingcomputer.com) 

CVE-2023-38180 - Security Update Guide - Microsoft - .NET and Visual Studio Denial of Service Vulnerability 

CVE-2023-36884 - Security Update Guide - Microsoft - Windows Search Remote Code Execution Vulnerability 
