IT administrators with Microsoft Office in their environments are being urged to take action after the discovery of a previously unknown vulnerability being leveraged by a Russian-based cyber-criminal group.
The vulnerability, CVE-2023-36884, described as an HTML remote code execution vulnerability involving specially-crafted Microsoft Office documents, wasn’t patched yesterday in the Patch Tuesday fixes that Microsoft released.
An attacker would have to convince the victim to open the malicious file, meaning security awareness warnings for employees will help reduce the odds of compromise.
IT departments that use Microsoft Defender for Office are protected from attachments that attempt to exploit this vulnerability. Those that don’t should check with their anti-virus/anti-malware providers to see if those applications have been updated to prevent exploitation. In addition, setting the Block all Office applications from creating child processes Attack Surface Reduction Rule will prevent the vulnerability from being exploited.
Another option is to set the Windows FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key, adding the names of Microsoft applications such as Excel.exe, Graph.exe, MSAccess.exe to avoid exploitation. Microsoft cautions that while these registry settings would mitigate exploitation of this issue, they could affect regular functionality for certain use cases related to these applications.
Microsoft said it might provide an out-of-cycle security update to fix this hole.
It became aware of the vulnerability through its own intelligence, and from security researchers of a phishing campaign by a Russian-based group it dubs Storm-0978. Others call this group RomCom because it distributes the RomCom backdoor. The targets of this attack were defense and government organizations in Europe and North America with an interest in Ukraine.
Specifically, last month, phishing lures were sent with a subject line relating to this week’s meeting of NATO heads of state in Lithuania. The message pretended to be an invitation from the Ukrainian World Congress to attend the summit. Attached to the email was an infected document or documents explaining the Congress’ positions for the meeting.
However, the documents include a fake OneDrive loader to deliver a backdoor with similarities to RomCom.
Separately, this threat group was seen trying to deliver ransomware against an unrelated target using the same initial payloads.
Last week, BlackBerry issued a warning about infected Word documents allegedly from the Ukrainian World Congress, although it didn’t explain how they were being distributed. The campaign involved creation of a look-alike Ukrainian World Congress website. The key difference: The real website ends in .org, while the fake website ends in .info.
The execution chain in the malware found by BlackBerry uses CVE-2022-30190, a zero-day vulnerability also called Follina that was patched last year, which affects Microsoft’s Support Diagnostic Tool (MSDT). The ultimate goal is the installation of the RomCom backdoor.