Microsoft warns Office admins to block exploits of the zero-day vulnerability

IT admins with Microsoft Office in their environments are being urged to take action after a previously unknown vulnerability was discovered being exploited by a Russia-based cybercriminal gang.

The CVE-2023-36884 vulnerability, described as an HTML remote code execution vulnerability triggered with specially crafted Microsoft Office documents, was not addressed in the patches Microsoft released yesterday.

An attacker must trick the victim into opening the malicious file. This means that security-awareness alerts to staff help reduce the risk of compromise.

IT departments using Microsoft Defender for Office are protected from attachments attempting to exploit this vulnerability. Those who do not use it should check with their anti-virus/anti-malware vendor to ensure that these products have been updated to detect this exploit. In addition, enabling the attack surface reduction rule “Block all Office applications from creating child processes” prevents exploitation of the vulnerability.

Another option is to use the Windows registry key FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION, adding entries for Microsoft application names such as Excel.exe, Graph.exe and MSAccess.exe, to prevent exploitation. Microsoft warns that while this registry setting limits exploitation of the vulnerability, it could break regular functionality for certain use cases involving these applications.
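The following PowerShell script is an added example, not part of the original article or of Microsoft's guidance; it audits whether the two mitigations just described are in place on a local Windows host and, with -Apply, configures them. It assumes the full parent path of the registry key and the GUID of the attack surface reduction rule as published by Microsoft (only the key name and rule title appear above), so verify both against the current advisory before use.

```powershell
# Added example: audit, and optionally apply, the CVE-2023-36884 mitigations
# described in the article. Run from an elevated PowerShell session.
[CmdletBinding()]
param([switch]$Apply)

# Assumption: parent path taken from Microsoft's advisory; the article gives only the key name.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
# Application names quoted in the article; extend with the full list from the advisory.
$Apps = @('Excel.exe', 'Graph.exe', 'MSAccess.exe')
# Assumption: GUID of ASR rule "Block all Office applications from creating child processes".
$AsrRuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Test-CrossProtocolMitigation {
    # Each application name must exist as a REG_DWORD set to 1 under the key.
    foreach ($app in $Apps) {
        $val = Get-ItemProperty -Path $KeyPath -Name $app -ErrorAction SilentlyContinue
        $ok = ($null -ne $val) -and ($val.$app -eq 1)
        [pscustomobject]@{ Mitigation = "Registry:$app"; Enabled = $ok }
    }
}

function Test-OfficeChildProcessRule {
    # The rule counts as enforced only when its action is Block (1); Audit (2) and Warn (6) do not block.
    $pref = Get-MpPreference
    $ids = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { "$_".ToUpper() })
    $idx = [Array]::IndexOf($ids, $AsrRuleId)
    $enabled = ($idx -ge 0) -and ($pref.AttackSurfaceReductionRules_Actions[$idx] -eq 1)
    [pscustomobject]@{ Mitigation = 'ASR:BlockOfficeChildProcesses'; Enabled = $enabled }
}

if ($Apply) {
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    foreach ($app in $Apps) {
        New-ItemProperty -Path $KeyPath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
    }
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRuleId -AttackSurfaceReductionRules_Actions Enabled
}

# Report the state of both mitigations; an Enabled=False row is a gap to close.
Test-CrossProtocolMitigation
Test-OfficeChildProcessRule
```

Because the registry setting can break cross-protocol navigation in the listed applications, run the audit first and test -Apply on a pilot group before rolling it out broadly.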

Microsoft said it may provide an out-of-cycle security update to address this vulnerability.

The company learned about the vulnerability through its own threat intelligence team and security researchers, from a phishing campaign by a Russia-based group it calls Storm-0978. Others call this group RomCom because it propagates the RomCom backdoor. This attack targeted defense and government organizations in Europe and North America with an interest in Ukraine.

Specifically, phishing emails were sent last month with a subject related to this week’s meeting of NATO leaders in Lithuania. The message claimed to be an invitation from the World Congress of Ukraine to attend the summit. Attached to the email were one or more infected documents purporting to explain the Congress’s positions for the meeting.

In reality, the documents contain a fake OneDrive loader that delivers a backdoor with similarities to RomCom.

The same threat group has also been observed attempting to deploy ransomware against an unrelated target using the same initial payloads.

BlackBerry last week issued a warning about allegedly infected Word documents from the World Congress of Ukraine, but did not explain how they were distributed. The campaign included the creation of a website similar to that of the World Congress of Ukraine. The main difference: the real website ends in .org while the fake website ends in .info.

The execution chain of the malware found by BlackBerry uses CVE-2022-30190, a zero-day vulnerability also known as Follina, which was patched last year and affects Microsoft’s Support Diagnostic Tool (MSDT). The ultimate goal is to install the RomCom backdoor.

The original article is available on IT World Canada, a sister publication of IT Direction.

French adaptation and translation by Renaud Larue-Langlois.