Sunday, November 17, 2024
HomeCyber Security NewsHackers Actively Exploit Unpatched Office Zero-Day Flaw in the Wild

Hackers Actively Exploit Unpatched Office Zero-Day Flaw in the Wild

Published on

Storm-0978, a threat actor, actively targeted European and North American defense and government entities in a phishing campaign.

Exploiting CVE-2023-36884, the campaign used Word documents with Ukrainian World Congress lures to abuse a remote code execution vulnerability.

Recently, the cybersecurity analysts at Microsoft unveiled an unpatched zero-day vulnerability in various Windows and Office products.

- Advertisement - SIEM as a Service

It’s been reported that this zero-day flaw has been actively exploited in the wild by the threat actors through malicious Office documents for remote code execution.

Office Zero-Day Flaw Exploited

This zero-day vulnerability allows unauthenticated attackers to exploit it without user interaction, using high-complexity attacks.

Storm-0978 (aka DEV-0978) is a Russian cybercriminal group that is well-known for conducting the following illicit activities:-

  • Opportunistic ransomware
  • Extortion
  • Targeted credential-gathering campaigns
  • Potentially supporting intelligence operations

By distributing trojanized versions of popular software, the Storm-0978 targets the organizations, which results in RomCom (RomCom is the name of their backdoor) installation.

Exploiting it successfully grants attackers get the following abilities:- 

  • Access to sensitive information
  • Disables system protection
  • Denies access

Since the vulnerability is not fixed yet, so, Microsoft assured all its customers that patches will be provided via two mediums:-

  • Monthly release process
  • Out-of-band security update

Apart from this, all the Microsoft 365 Apps users (Versions 2302 and later) are safeguarded against vulnerability exploitation through Office.

Vulnerability Exploited

  • CVE ID: CVE-2023-36884
  • Assigning CNA: Microsoft
  • Description: Office and Windows HTML Remote Code Execution Vulnerability
  • Released: Jul 11, 2023
  • Severity: Critical
  • Impact: Remote Code Execution
  • CVSS: 8.3

Microsoft assures protection against phishing attacks exploiting the bug with Defender for Office and the “Block all Office applications from creating child processes” Attack Surface Reduction Rule until CVE-2023-36884 patches are released.

Storm-0978 conducted targeted phishing operations in Europe, primarily aiming at military and government bodies, utilizing lures connected to Ukrainian political affairs.

While Microsoft’s analysis reveals that Storm-0978 distributes backdoors and collects credentials for subsequent targeted operations, based on identified post-compromise activity.

Ransomware Activity

The ransomware activity of the threat actor is opportunistic and distinct from espionage targets, impacting the telecommunications and finance sectors.

During ransomware intrusions, Storm-0978 obtains credentials by extracting password hashes from the Windows registry’s Security Account Manager (SAM).

Microsoft connects Storm-0978 to Industrial Spy ransomware and crypter, but since July 2023, it has shifted to using Underground ransomware, sharing significant code similarities.

Storm-0978 ransom note (Source – Microsoft)

The resemblance in code and Storm-0978’s past association with Industrial Spy operations suggests Underground ransomware could be a rebranding of Industrial Spy.

Underground ransomware .onion site (Source – Microsoft)

Recommendations

Here below we have mentioned all the recommendations offered by Microsoft:-

  • Make sure to enable the “cloud-delivered protection” in Microsoft Defender Antivirus or other AV tool.
  • To make Microsoft Defender for Endpoint block malicious artifacts, ensure to run EDR in block mode.
  • Make sure to enable full automation for Microsoft Defender for Endpoint to swiftly investigate and resolve the breaches, as this will reduce the alert volume dramatically.
  • For advanced defense against evolving threats and polymorphic variants, ensure Microsoft Defender for Office 365.
  • Must use the Block all Office applications from creating child processes.
  • To evade exploitation, organizations without access to these safeguards can employ the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key.
Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious...

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce...

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to...

Black Basta Ransomware Leveraging Social Engineering For Malware Deployment

Black Basta, a prominent ransomware group, has rapidly gained notoriety since its emergence in...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious...

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce...

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to...