Hackers Actively Exploit Unpatched Office Zero-Day Flaw in the Wild

Storm-0978, a threat actor, actively targeted European and North American defense and government entities in a phishing campaign.

Exploiting CVE-2023-36884, the campaign used Word documents with Ukrainian World Congress lures to abuse a remote code execution vulnerability.

Recently, the cybersecurity analysts at Microsoft unveiled an unpatched zero-day vulnerability in various Windows and Office products.

It’s been reported that this zero-day flaw has been actively exploited in the wild by the threat actors through malicious Office documents for remote code execution.

Office Zero-Day Flaw Exploited

According to the report, this zero-day vulnerability can be exploited by unauthenticated attackers without user interaction, although the attacks involved are of high complexity.

Storm-0978 (aka DEV-0978) is a Russian cybercriminal group that is well-known for conducting the following illicit activities:

  • Opportunistic ransomware
  • Extortion
  • Targeted credential-gathering campaigns
  • Potentially supporting intelligence operations

Storm-0978 targets organizations by distributing trojanized versions of popular software, which results in the installation of RomCom, the group's backdoor.

Successful exploitation grants attackers the following abilities:

  • Access to sensitive information
  • Disabling system protection
  • Denial of access

Since the vulnerability is not yet fixed, Microsoft assured its customers that patches will be provided via two mediums:

  • Monthly release process
  • Out-of-band security update

Apart from this, all Microsoft 365 Apps users (version 2302 and later) are safeguarded against exploitation of the vulnerability through Office.

Vulnerability Exploited

  • CVE ID: CVE-2023-36884
  • Assigning CNA: Microsoft
  • Description: Office and Windows HTML Remote Code Execution Vulnerability
  • Released: Jul 11, 2023
  • Severity: Critical
  • Impact: Remote Code Execution
  • CVSS: 8.3

Microsoft states that Defender for Office and the “Block all Office applications from creating child processes” Attack Surface Reduction rule protect against phishing attacks exploiting the bug until patches for CVE-2023-36884 are released.

Storm-0978 conducted targeted phishing operations in Europe, primarily aiming at military and government bodies, utilizing lures connected to Ukrainian political affairs.

Microsoft’s analysis, based on identified post-compromise activity, reveals that Storm-0978 distributes backdoors and collects credentials for subsequent targeted operations.

Ransomware Activity

The ransomware activity of the threat actor is opportunistic and distinct from espionage targets, impacting the telecommunications and finance sectors.

During ransomware intrusions, Storm-0978 obtains credentials by extracting password hashes from the Windows registry’s Security Account Manager (SAM).

Microsoft connects Storm-0978 to the Industrial Spy ransomware and crypter, but since July 2023 the group has shifted to Underground ransomware, which shares significant code similarities with Industrial Spy.

Storm-0978 ransom note (Source – Microsoft)

The resemblance in code and Storm-0978’s past association with Industrial Spy operations suggests Underground ransomware could be a rebranding of Industrial Spy.

Underground ransomware .onion site (Source – Microsoft)

Recommendations

Below are the recommendations offered by Microsoft:

  • Enable “cloud-delivered protection” in Microsoft Defender Antivirus or an equivalent AV tool.
  • Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts.
  • Enable full automation in Microsoft Defender for Endpoint so that breaches are investigated and resolved swiftly; this dramatically reduces alert volume.
  • Use Microsoft Defender for Office 365 for advanced defense against evolving threats and polymorphic variants.
  • Enable the “Block all Office applications from creating child processes” Attack Surface Reduction rule.
  • Organizations without access to these safeguards can use the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to prevent exploitation.

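The two interim mitigations named above (the Attack Surface Reduction rule and the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key) can be applied and audited from an elevated PowerShell session. The script below is an added example, not code from the article or from Microsoft; it assumes the ASR rule GUID, the registry path under HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl and the per-application value names as published in Microsoft's guidance for CVE-2023-36884 at the time, none of which appear in the article itself.

```powershell
# Added example (not from the article): apply and verify the two interim mitigations
# for CVE-2023-36884 and report their state. Run elevated on a Windows host with
# Microsoft Defender Antivirus.
#
# Assumptions (taken from Microsoft's published guidance, not from the article):
#   - GUID of the ASR rule "Block all Office applications from creating child processes"
#   - registry path and application value names for FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION

$AsrOfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
$FeatureKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$OfficeProcesses = @('Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe',
                     'PowerPoint.exe', 'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe')

function Enable-OfficeChildProcessBlock {
    # "Enabled" = block. Use "AuditMode" first to measure impact on line-of-business
    # macros or add-ins that legitimately spawn processes before enforcing.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrOfficeChildProcRule `
                     -AttackSurfaceReductionRules_Actions Enabled
}

function Get-AsrRuleState {
    param([string]$RuleId)
    # Get-MpPreference returns parallel arrays of rule IDs and their actions
    # (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn). Match IDs case-insensitively.
    $pref = Get-MpPreference
    $ids = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) {
            switch ($actions[$i]) {
                0 { return 'Disabled' }
                1 { return 'Block' }
                2 { return 'Audit' }
                6 { return 'Warn' }
                default { return "Unknown($($actions[$i]))" }
            }
        }
    }
    return 'NotConfigured'
}

function Set-CrossProtocolFileNavigationBlock {
    # Create the FeatureControl key if absent, then set a REG_DWORD of 1 per application.
    if (-not (Test-Path $FeatureKey)) {
        New-Item -Path $FeatureKey -Force | Out-Null
    }
    foreach ($proc in $OfficeProcesses) {
        New-ItemProperty -Path $FeatureKey -Name $proc -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-CrossProtocolFileNavigationBlock {
    # Returns a hashtable: application name -> $true when the value is present and equals 1.
    $state = @{}
    foreach ($proc in $OfficeProcesses) {
        $value = (Get-ItemProperty -Path $FeatureKey -Name $proc -ErrorAction SilentlyContinue).$proc
        $state[$proc] = ($value -eq 1)
    }
    return $state
}

# --- apply, then report ---
Enable-OfficeChildProcessBlock
Set-CrossProtocolFileNavigationBlock

Write-Host ("ASR 'Block Office child processes': {0}" -f (Get-AsrRuleState -RuleId $AsrOfficeChildProcRule))
$navState = Test-CrossProtocolFileNavigationBlock
foreach ($proc in ($navState.Keys | Sort-Object)) {
    $mark = if ($navState[$proc]) { 'set' } else { 'MISSING' }
    Write-Host ("  {0,-15} {1}" -f $proc, $mark)
}
```

Hosts running Microsoft 365 Apps version 2302 or later are already protected through Office, as the article notes, so the registry values are only needed on older builds; because the FeatureControl setting is a policy key, it can be rolled out with Group Policy Preferences rather than this script, and the reporting half of the script is still useful as a compliance check on either path.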
Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
