For July 2023 Patch Tuesday, Microsoft has delivered 130 patches; among them are four for vulnerabilites actively exploited by attackers, but no patch for CVE-2023-36884, an Office and Windows HTML RCE vulnerability exploited in targeted attacks aimed at defense and government entities in Europe and North America.
About CVE-2023-36884
“Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents,” the company said in the advisory for that particular CVE-numbered vulnerability.
Reported by Microsoft, Google Threat Analysis Group, and Volexity researchers, CVE-2023-36884 has been abused via booby-trapped Microsoft Word documents ostensibly related to the Ukrainian World Congress.
“Storm-0978 (DEV-0978; also referred to as RomCom, the name of their backdoor, by other vendors) is a cybercriminal group based out of Russia, known to conduct opportunistic ransomware and extortion-only operations, as well as targeted credential-gathering campaigns likely in support of intelligence operations,” Microsoft Threat Intelligence has shared.
“Storm-0978 operates, develops, and distributes the RomCom backdoor. The actor also deploys the Underground ransomware, which is closely related to the Industrial Spy ransomware first observed in the wild in May 2022. The actor’s latest campaign detected in June 2023 involved abuse of CVE-2023-36884 to deliver a backdoor with similarities to RomCom.”
Previously, BlackBerry researchers shared their discovery of two malicious documents that seem to have been used by RomCom in those same campaigns.
The good news (for end and enterprise users) is that the attacks are highly targeted. The bad news is that Microsoft has yet to deliver patches for this issue.
Dustin Childs, head of threat awareness at Trend Micro Inc.’s Zero Day Initiative, says that though Microsoft considers this issue “Important”, admins would to well to treat it as “Critical”. Microsoft has advised on mitigations to reduce the risk of exploitation until the fixes are ready.
“Identified exploit activity includes abuse of CVE-2023-36884, including a remote code execution vulnerability exploited via Microsoft Word documents in June 2023, as well as abuse of vulnerabilities contributing to a security feature bypass,” Microsoft Threat Intelligence has noted.
(Might one of the security feature bypass vulnerabilities they are talking about be CVE-2023-32049, patches for which have been released today? Microsoft does not say.)
Other exploited vulnerabilities
CVE-2023-32049 is a vulnerability that allows attackers to bypass the Open File – Security Warning prompt. Flagged by Microsoft Threat Intelligence and the Microsoft Office Product Group security team, it requires user interaction to be exploited.
But it is being exploited, and patching it should be a priority.
Microsoft has also patched:
- CVE-2023-35311, a vulnerability that is being used to bypass the Microsoft Outlook Security Notice prompt
- CVE-2023-36874, an elevation of privilege (EoP) flaw in the Windows Error Reporting Service, exploited to gain administrator privileges (exploitation reported by Google TAG researchers)
- CVE-2023-32046, an EoP vulnerability in the Windows MSHTML Platform that allowed attackers to gain the rights of the user that is running the affected application
Removing malicious signed drivers
“Microsoft also issued guidance regarding the malicious use of signed drivers through its Microsoft Windows Hardware Developer Program (MWHDP),” noted Satnam Narang, senior staff research engineer at Tenable.
“It was determined that certain Microsoft Partner Center developer accounts submitted malicious drivers to gain a Microsoft signature. The abuse of these signed drivers was discovered as part of post-exploitation activity, which required an attacker to gain administrative privileges on the targeted system first before running the malicious signed drivers.”
Microsoft says they launched an investigation in the matter when they were notified of this activity by Sophos on February 9, 2023, and that Trend Micro and Cisco released reports containing additional details.
“All the developer accounts involved in this incident were immediately suspended,” the company added.
“Offline scans will be required to detect malicious drivers which might have been installed prior to March 2, 2023, when new Microsoft detections were implemented.”
The signed drivers seem to have been used in attacks targeting online gamers in China.