CTI Flash Briefing: Unpatched Office zero-day already being exploited in the wild

James Beal
Hunter Strategy
Published Jul 13, 2023

Breakdown

Microsoft released the July 2023 monthly security patches, and included in that release is information on an unpatched remote code execution (RCE) vulnerability affecting multiple Office and Windows products. Microsoft plans to patch it either through the monthly release process or as an out-of-band security release, but at the moment only mitigation steps are available for affected organizations. So far the attacks Microsoft has detected have been targeted at defense and government entities in Europe and North America. Because the majority of organizations worldwide use MS Windows and Office, please review and enable the mitigation steps provided below, which come directly from Microsoft.

Overview

The RCE vulnerability is being tracked as CVE-2023-36884. It is an unauthenticated RCE triggered by a specially crafted MS Office document: the document is sent to a victim, and once the victim opens it the system is compromised.

The Zero Day Initiative team’s monthly review on patches describes it as:

Of the five active attacks receiving patches today, this is arguably the most severe. Microsoft states they are aware of targeted exploits using this bug in specially crafted Office documents to get code execution on targeted systems. For now, the keyword there is “targeted”. However, Microsoft has taken the odd action of releasing this CVE without a patch. That’s still to come. Their Threat Intelligence team has released this blog with some guidance. Oh, and Microsoft lists this as “Important”. I recommend treating it as Critical.

Per the BleepingComputer blog post on this research:

As documented in reports published by Ukraine’s Computer Emergency Response Team (CERT-UA) and researchers with BlackBerry’s intelligence team, the attackers used malicious documents impersonating the Ukrainian World Congress organization to install malware payloads, including the MagicSpell loader and the RomCom backdoor.

“If successfully exploited, it allows an attacker to conduct a remote code execution (RCE)-based attack via the crafting of a malicious .docx or .rtf document designed to exploit the vulnerability,” BlackBerry security researchers said.

“This is achieved by leveraging the specially crafted document to execute a vulnerable version of MSDT, which in turn allows an attacker to pass a command to the utility for execution.”

Microsoft, in a blog post separate from the original CVE posting, released a wealth of details on the group they are now calling Storm-0978 or RomCom, the latter being the name of the group's widely used backdoor. This is a criminal group based somewhere in Russia that typically runs opportunistic extortion and ransomware operations. Microsoft identified a phishing campaign using CVE-2023-36884 in crafted Word documents and tied it to the same threat actor group.

Recommendation

Which of the two general mitigation measures suggested at this point applies to you depends on whether your organization uses Microsoft Defender: Defender already has protections built in for this activity, so Defender customers only need to verify that a rule is enabled, while everyone else applies a registry workaround.

Per BleepingComputer:

Until CVE-2023-36884 patches are available, Microsoft says customers using Defender for Office and those who have enabled the “Block all Office applications from creating child processes” Attack Surface Reduction Rule are protected against phishing attacks attempting to exploit the bug.

Those not using these protections can add the following application names to the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key as values of type REG_DWORD with data 1:

Excel.exe

Graph.exe

MSAccess.exe

MSPub.exe

PowerPoint.exe

Visio.exe

WinProj.exe

WinWord.exe

Wordpad.exe

Microsoft has provided an extensive and detailed list of mitigations in their article on Storm-0978’s activity. Their mitigations are broken down into a general recommendations section, a section of recommendations specific to CVE-2023-36884 that, as above, depends on whether you are using their security software, and a list of possible detections to use for threat hunting in your environment. Please see their post, as it is too long to easily share in this format.
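The registry workaround above is easy to get wrong on a fleet (wrong value type, a missed application name, key never created), so here is an added PowerShell script, not taken from the advisory or from Microsoft, that applies the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION values for the nine listed applications, verifies each one is a REG_DWORD set to 1, and reports the state of the Defender ASR rule. The function and variable names are my own; the ASR rule GUID is not on this page and is assumed from Microsoft's ASR rule reference.

```powershell
# Added example: apply and verify the CVE-2023-36884 registry workaround,
# then report the "Block all Office applications from creating child processes"
# ASR rule state. Run from an elevated PowerShell session.

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$Apps = @('Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
          'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe')

function Set-OfficeCrossProtocolBlock {
    param([string]$Path, [string[]]$Names)
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null      # -Force also creates missing parent keys
    }
    foreach ($name in $Names) {
        # Value must be REG_DWORD with data 1, exactly as the workaround specifies
        New-ItemProperty -Path $Path -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-OfficeCrossProtocolBlock {
    param([string]$Path, [string[]]$Names)
    $missing = @()
    foreach ($name in $Names) {
        $val = (Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue).$name
        if ($val -ne 1) { $missing += $name }
    }
    return ,$missing   # empty array means every application is covered
}

function Test-OfficeChildProcessAsrRule {
    # Assumed GUID (from Microsoft's ASR documentation, not from this page)
    $ruleId = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    try { $pref = Get-MpPreference -ErrorAction Stop } catch { return 'DefenderUnavailable' }
    $ids = @($pref.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ("$($ids[$i])".ToLower() -eq $ruleId) {
            # Action codes: 1 = Block, 2 = Audit, 6 = Warn, anything else = Disabled
            switch ($pref.AttackSurfaceReductionRules_Actions[$i]) {
                1 { return 'Block' } 2 { return 'Audit' } 6 { return 'Warn' } default { return 'Disabled' }
            }
        }
    }
    return 'NotConfigured'
}

Set-OfficeCrossProtocolBlock -Path $KeyPath -Names $Apps
$notSet = Test-OfficeCrossProtocolBlock -Path $KeyPath -Names $Apps
if ($notSet.Count -eq 0) { Write-Output "Registry workaround verified for all $($Apps.Count) applications" }
else { Write-Output "Values missing or not set to 1: $($notSet -join ', ')" }
Write-Output "ASR rule (Office child processes) state: $(Test-OfficeChildProcessAsrRule)"
```

Only a state of Block counts as protection; Audit or Warn means the rule is logging but not stopping the child process.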

Conclusion

To our current SOC partnerships, please reach out to our SOC team to learn more about the best steps in researching your exposure to this threat. If you have any questions on this ongoing event or need any level of security assistance, please reach out to Hunter Strategy and we will be happy to discuss next steps in securing your IT systems!

Contact Us

contact@hunterstrategy.net


James Beal
Hunter Strategy

Cyber Threat Intelligence Engineer - Focused on simplifying the evolving threat landscape and creating tangible alerts to help TRIAGE events.