Storm-0978, a threat actor, actively targeted European and North American defense and government entities in a phishing campaign.
The campaign exploited CVE-2023-36884, a remote code execution vulnerability, using Word documents with Ukrainian World Congress lures.
Recently, Microsoft's security analysts disclosed an unpatched zero-day vulnerability in several Windows and Office products.
It has been reported that this zero-day flaw is being actively exploited in the wild by threat actors using malicious Office documents to achieve remote code execution.
Office Zero-Day Flaw Exploited
This zero-day can be exploited by unauthenticated attackers without user interaction, although the attack is of high complexity.
Storm-0978 (aka DEV-0978) is a Russian cybercriminal group that is well-known for conducting the following illicit activities:-
- Opportunistic ransomware
- Extortion
- Targeted credential-gathering campaigns
- Potentially supporting intelligence operations
By distributing trojanized versions of popular software, Storm-0978 targets organizations, which results in the installation of RomCom, the group's backdoor.
Successful exploitation grants attackers the following abilities:-
- Access sensitive information
- Disable system protections
- Deny access
Since the vulnerability is not yet fixed, Microsoft has assured its customers that patches will be provided through one of two channels:-
- Monthly release process
- Out-of-band security update
Apart from this, all Microsoft 365 Apps users (version 2302 and later) are safeguarded against exploitation of this vulnerability through Office.
Vulnerability Exploited
- CVE ID: CVE-2023-36884
- Assigning CNA: Microsoft
- Description: Office and Windows HTML Remote Code Execution Vulnerability
- Released: Jul 11, 2023
- Severity: Critical
- Impact: Remote Code Execution
- CVSS: 8.3
Microsoft states that Defender for Office and the “Block all Office applications from creating child processes” Attack Surface Reduction rule protect against phishing attacks exploiting the bug until patches for CVE-2023-36884 are released.
Storm-0978 conducted targeted phishing operations in Europe, primarily aimed at military and government bodies, using lures connected to Ukrainian political affairs.
Based on identified post-compromise activity, Microsoft’s analysis reveals that Storm-0978 distributes backdoors and collects credentials for subsequent targeted operations.
Ransomware Activity
The ransomware activity of the threat actor is opportunistic and distinct from espionage targets, impacting the telecommunications and finance sectors.
During ransomware intrusions, Storm-0978 obtains credentials by extracting password hashes from the Windows registry’s Security Account Manager (SAM).
Microsoft links Storm-0978 to the Industrial Spy ransomware and its crypter, but since July 2023 the group has shifted to Underground ransomware, which shares significant code similarities with Industrial Spy.
The resemblance in code and Storm-0978’s past association with Industrial Spy operations suggests Underground ransomware could be a rebranding of Industrial Spy.
Recommendations
Below are the recommendations offered by Microsoft:-
- Enable “cloud-delivered protection” in Microsoft Defender Antivirus or your other AV tool.
- Run EDR in block mode so that Microsoft Defender for Endpoint blocks malicious artifacts.
- Enable full automation in Microsoft Defender for Endpoint to swiftly investigate and resolve breaches, which dramatically reduces alert volume.
- Use Microsoft Defender for Office 365 for advanced defense against evolving threats and polymorphic variants.
- Enable the “Block all Office applications from creating child processes” Attack Surface Reduction rule.
- Organizations without access to these safeguards can avoid exploitation by using the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key.
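As an added example (not from the article or from Microsoft), the following PowerShell script audits a host for the last two mitigations above and can apply them with `-Apply`. The ASR rule id, the full FeatureControl key path and the per-executable DWORD list are assumptions based on Microsoft's published guidance rather than on this article, so verify them against the current advisory.

```powershell
<#
 Added example, not Microsoft's own tooling. Audits (and with -Apply enforces) two
 CVE-2023-36884 mitigations: the "Block all Office applications from creating child
 processes" ASR rule and the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION key.
 Assumptions: rule GUID, key path and executable list follow Microsoft's guidance.
#>
param([switch]$Apply)

$AsrRuleId  = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'   # assumed published rule id
$FeatureKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$OfficeExes = 'Excel.exe','Graph.exe','MSAccess.exe','MSPub.exe','PowerPoint.exe',
              'Visio.exe','WinProj.exe','WinWord.exe','Wordpad.exe'   # assumed list

function Get-AsrRuleState {
    # Returns the configured action for the rule: 1 = Block, 2 = Audit, 6 = Warn,
    # 0 = Disabled, -1 = rule not present in the Defender preference at all.
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $AsrRuleId) { return [int]$pref.AttackSurfaceReductionRules_Actions[$i] }
    }
    return -1
}

function Get-MissingFeatureControlEntries {
    # Returns the Office executables whose DWORD under the key is absent or not 1.
    $missing = @()
    foreach ($exe in $OfficeExes) {
        $val = $null
        if (Test-Path $FeatureKey) {
            $val = (Get-ItemProperty -Path $FeatureKey -Name $exe -ErrorAction SilentlyContinue).$exe
        }
        if ($val -ne 1) { $missing += $exe }
    }
    return ,$missing
}

if ($Apply) {
    # Both changes need an elevated session: Defender preferences and HKLM are modified.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRuleId -AttackSurfaceReductionRules_Actions Enabled
    if (-not (Test-Path $FeatureKey)) { New-Item -Path $FeatureKey -Force | Out-Null }
    foreach ($exe in $OfficeExes) {
        New-ItemProperty -Path $FeatureKey -Name $exe -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

$stateText = switch (Get-AsrRuleState) { 1 {'Block'} 2 {'Audit'} 6 {'Warn'} 0 {'Disabled'} default {'Not configured'} }
Write-Host "ASR 'Block Office child processes': $stateText"
$missing = Get-MissingFeatureControlEntries
if ($missing.Count -eq 0) { Write-Host "FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION: all $($OfficeExes.Count) entries set to 1" }
else { Write-Host "FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION missing or not 1 for: $($missing -join ', ')" }
```

Run it without `-Apply` first to see the current state; the audit output is what you would compare across a fleet before deciding where the registry fallback is needed.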