Hackers Actively Exploit Unpatched Office Zero-Day Flaws in the Wild


Storm-0978, a threat actor, actively targeted European and North American defense and government entities in a phishing campaign.

Exploiting CVE-2023-36884, the campaign used Word documents with Ukrainian World Congress lures to abuse a remote code execution vulnerability.

Recently, the cybersecurity analysts at Microsoft unveiled an unpatched zero-day vulnerability in various Windows and Office products.

It’s been reported that this zero-day flaw has been actively exploited in the wild by the threat actors through malicious Office documents for remote code execution.

Office Zero-Day Flaw Exploited

This zero-day vulnerability allows unauthenticated attackers to exploit it without user interaction, using high-complexity attacks.

Storm-0978 (aka DEV-0978) is a Russian cybercriminal group that is well-known for conducting the following illicit activities:-

  • Opportunistic ransomware
  • Extortion
  • Targeted credential-gathering campaigns
  • Potentially supporting intelligence operations

By distributing trojanized versions of popular software, the Storm-0978 targets the organizations, which results in RomCom (RomCom is the name of their backdoor) installation.

Exploiting it successfully grants attackers get the following abilities:- 

  • Access to sensitive information
  • Disables system protection
  • Denies access

Since the vulnerability is not fixed yet, so, Microsoft assured all its customers that patches will be provided via two mediums:-

  • Monthly release process
  • Out-of-band security update

Apart from this, all the Microsoft 365 Apps users (Versions 2302 and later) are safeguarded against vulnerability exploitation through Office.

Vulnerability Exploited

  • CVE ID: CVE-2023-36884
  • Assigning CNA: Microsoft
  • Description: Office and Windows HTML Remote Code Execution Vulnerability
  • Released: Jul 11, 2023
  • Severity: Critical
  • Impact: Remote Code Execution
  • CVSS: 8.3

Microsoft assures protection against phishing attacks exploiting the bug with Defender for Office and the “Block all Office applications from creating child processes” Attack Surface Reduction Rule until CVE-2023-36884 patches are released.

Storm-0978 conducted targeted phishing operations in Europe, primarily aiming at military and government bodies, utilizing lures connected to Ukrainian political affairs.

While Microsoft’s analysis reveals that Storm-0978 distributes backdoors and collects credentials for subsequent targeted operations, based on identified post-compromise activity.

Ransomware Activity

The ransomware activity of the threat actor is opportunistic and distinct from espionage targets, impacting the telecommunications and finance sectors.

During ransomware intrusions, Storm-0978 obtains credentials by extracting password hashes from the Windows registry’s Security Account Manager (SAM).

Microsoft connects Storm-0978 to Industrial Spy ransomware and crypter, but since July 2023, it has shifted to using Underground ransomware, sharing significant code similarities.

Hackers Actively Exploit Unpatched Office Zero-Day Flaws in the Wild
Storm-0978 ransom note (Source – Microsoft)

The resemblance in code and Storm-0978’s past association with Industrial Spy operations suggests Underground ransomware could be a rebranding of Industrial Spy.

Hackers Actively Exploit Unpatched Office Zero-Day Flaws in the Wild
Underground ransomware .onion site (Source – Microsoft)

Recommendations

Here below we have mentioned all the recommendations offered by Microsoft:-

  • Make sure to enable the “cloud-delivered protection” in Microsoft Defender Antivirus or other AV tool.
  • To make Microsoft Defender for Endpoint block malicious artifacts, ensure to run EDR in block mode.
  • Make sure to enable full automation for Microsoft Defender for Endpoint to swiftly investigate and resolve the breaches, as this will reduce the alert volume dramatically.
  • For advanced defense against evolving threats and polymorphic variants, ensure Microsoft Defender for Office 365.
  • Must use the Block all Office applications from creating child processes.
  • To evade exploitation, organizations without access to these safeguards can employ the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key.



Source link