Saturday, June 22, 2024

Hackers Actively Exploit Unpatched Office Zero-Day Flaw in the Wild

Storm-0978, a threat actor, actively targeted European and North American defense and government entities in a phishing campaign.

Exploiting CVE-2023-36884, the campaign used Word documents with Ukrainian World Congress lures to abuse a remote code execution vulnerability.

Recently, the cybersecurity analysts at Microsoft unveiled an unpatched zero-day vulnerability in various Windows and Office products.

It’s been reported that this zero-day flaw has been actively exploited in the wild by the threat actors through malicious Office documents for remote code execution.

Office Zero-Day Flaw Exploited

This zero-day vulnerability allows unauthenticated attackers to exploit it without user interaction, using high-complexity attacks.

Storm-0978 (aka DEV-0978) is a Russian cybercriminal group that is well-known for conducting the following illicit activities:-

  • Opportunistic ransomware
  • Extortion
  • Targeted credential-gathering campaigns
  • Potentially supporting intelligence operations

By distributing trojanized versions of popular software, the Storm-0978 targets the organizations, which results in RomCom (RomCom is the name of their backdoor) installation.

Exploiting it successfully grants attackers get the following abilities:- 

  • Access to sensitive information
  • Disables system protection
  • Denies access

Since the vulnerability is not fixed yet, so, Microsoft assured all its customers that patches will be provided via two mediums:-

  • Monthly release process
  • Out-of-band security update

Apart from this, all the Microsoft 365 Apps usersĀ (Versions 2302 and later) are safeguarded against vulnerability exploitation through Office.

Vulnerability Exploited

  • CVE ID: CVE-2023-36884
  • Assigning CNA: Microsoft
  • Description: Office and Windows HTML Remote Code Execution Vulnerability
  • Released: Jul 11, 2023
  • Severity: Critical
  • Impact: Remote Code Execution
  • CVSS: 8.3

Microsoft assures protection against phishing attacks exploiting the bug with Defender for Office and the “Block all Office applications from creating child processes” Attack Surface Reduction Rule until CVE-2023-36884 patches are released.

Storm-0978 conducted targeted phishing operations in Europe, primarily aiming at military and government bodies, utilizing lures connected to Ukrainian political affairs.

While Microsoft’s analysis reveals that Storm-0978 distributes backdoors and collects credentials for subsequent targeted operations, based on identified post-compromise activity.

Ransomware Activity

The ransomware activity of the threat actor is opportunistic and distinct from espionage targets, impacting the telecommunications and finance sectors.

During ransomware intrusions, Storm-0978 obtains credentials by extracting password hashes from the Windows registry’s Security Account Manager (SAM).

Microsoft connects Storm-0978 to Industrial Spy ransomware and crypter, but since July 2023, it has shifted to using Underground ransomware, sharing significant code similarities.

Storm-0978 ransom note (Source – Microsoft)

The resemblance in code and Storm-0978’s past association with Industrial Spy operations suggests Underground ransomware could be a rebranding of Industrial Spy.

Underground ransomware .onion site (Source – Microsoft)


Here below we have mentioned all the recommendations offered by Microsoft:-

  • Make sure to enable the “cloud-delivered protection” in Microsoft Defender Antivirus or other AV tool.
  • To make Microsoft Defender for Endpoint block malicious artifacts, ensure to run EDR in block mode.
  • Make sure to enable full automation for Microsoft Defender for Endpoint to swiftly investigate and resolve the breaches, as this will reduce the alert volume dramatically.
  • For advanced defense against evolving threats and polymorphic variants, ensure Microsoft Defender for Office 365.
  • Must use the Block all Office applications from creating child processes.
  • To evade exploitation, organizations without access to these safeguards can employ the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key.

Latest articles

PrestaShop Website Under Injection Attack Via Facebook Module

A critical vulnerability has been discovered in the "Facebook" module (pkfacebook) from for...

Beware Of Illegal OTT Platforms That Exposes Sensitive Personal Information

A recent rise in data breaches from illegal Chinese OTT platforms exposes that user...

Beware Of Zergeca Botnet with Advanced Scanning & Persistence Features

A new botnet named Zergeca has emerged, showcasing advanced capabilities that set it apart...

Mailcow Mail Server Vulnerability Let Attackers Execute Remote Code

Two critical vulnerabilities (CVE-2024-31204 and CVE-2024-30270) affecting Mailcow versions before 2024-04 allow attackers to...

Hackers Attacking Vaults, Buckets, And Secrets To Steal Data

Hackers target vaults, buckets, and secrets to access some of the most classified and...

Hackers Weaponizing Windows Shortcut Files for Phishing

LNK files, a shortcut file type in Windows OS, provide easy access to programs,...

New Highly Evasive SquidLoader Attacking Employees Mimic As Word Document

Researchers discovered a new malware loader named SquidLoader targeting Chinese organizations, which arrives as...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles