Unpatched Office zero-day exploited in NATO summit attacks


Microsoft disclosed today an unpatched zero-day security bug in multiple Windows and Office products exploited in the wild to gain remote code execution via malicious Office documents.

The vulnerability (tracked as CVE-2023-36884) can be exploited by unauthenticated attackers in high-complexity attacks, but it does require user interaction: the target has to open a malicious document.

Successful exploitation could lead to a total loss of confidentiality, availability, and integrity, allowing the attackers to access sensitive information, turn off system protection, and deny access to the compromised system.

“Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents,” Redmond said today.

“An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.”

While the flaw is not yet addressed, Microsoft says it will provide customers with patches via the monthly release process or an out-of-band security update.

Until CVE-2023-36884 patches are available, Microsoft says customers using Defender for Office and those who have enabled the “Block all Office applications from creating child processes” Attack Surface Reduction Rule are protected against phishing attacks attempting to exploit the bug.

Those not using these protections can add the following application names as values of type REG_DWORD with data 1 under the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key (Microsoft notes that, while this setting mitigates exploitation, it could affect regular functionality for some use cases of these applications):

  • Excel.exe
  • Graph.exe
  • MSAccess.exe
  • MSPub.exe
  • PowerPoint.exe
  • Visio.exe
  • WinProj.exe
  • WinWord.exe
  • Wordpad.exe
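The following PowerShell script is an added example, not code from the article or from Microsoft, that applies and verifies the two interim mitigations above on a single host. It assumes an elevated session on Windows 10/11 with Microsoft Defender Antivirus present; the GUID used for the "Block all Office applications from creating child processes" ASR rule is Microsoft's documented ID for that rule, and the function names are the author's own.

```powershell
# Added example: apply CVE-2023-36884 interim mitigations (run elevated).
# Not from the article or Microsoft; function names are this example's own.

# Documented rule ID for "Block all Office applications from creating child processes"
$AsrRuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# Registry key and per-application values listed in the advisory
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$Apps    = 'Excel.exe','Graph.exe','MSAccess.exe','MSPub.exe','PowerPoint.exe',
           'Visio.exe','WinProj.exe','WinWord.exe','Wordpad.exe'

function Test-AsrRuleEnabled {
    # $true only if the rule is present AND in block mode (action 1).
    # Audit mode (2) or Warn (6) logs but does not stop the child process.
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $AsrRuleId) { return ($acts[$i] -eq 1) }
    }
    return $false
}

function Set-CrossProtocolBlock {
    param([switch]$Remove)   # -Remove rolls the mitigation back once patched
    if ($Remove) {
        if (Test-Path $KeyPath) { Remove-Item -Path $KeyPath -Force }
        return
    }
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    foreach ($app in $Apps) {
        # Value name = process image name, type REG_DWORD, data 1
        New-ItemProperty -Path $KeyPath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-CrossProtocolBlock {
    # Returns the application names that are NOT set to 1 (empty = fully applied)
    if (-not (Test-Path $KeyPath)) { return $Apps }
    $item = Get-ItemProperty -Path $KeyPath
    return @($Apps | Where-Object { $item.$_ -ne 1 })
}

if (-not (Test-AsrRuleEnabled)) {
    Write-Warning "ASR rule $AsrRuleId is not in block mode; enabling it."
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRuleId -AttackSurfaceReductionRules_Actions Enabled
}

Set-CrossProtocolBlock
$missing = Test-CrossProtocolBlock
if ($missing.Count -eq 0) {
    Write-Host "FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION set for all $($Apps.Count) applications."
} else {
    Write-Warning "Mitigation not applied for: $($missing -join ', ')"
}
```

Two points worth checking before relying on this: the ASR rule only protects when its action is Enabled (block), so an environment that rolled the rule out in audit mode still needs the registry values; and because the registry setting can interfere with some legitimate Office use cases, track which hosts received it so it can be removed (the -Remove switch above) once the patch is installed. At fleet scale the same key is better delivered through Group Policy Preferences or Intune than by running the script per host.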

Exploited in attacks targeting NATO Summit attendees

In a separate blog post, the company says the CVE-2023-36884 bug was exploited in recent attacks targeting organizations attending the NATO Summit in Vilnius, Lithuania.

As documented in reports published by Ukraine’s Computer Emergency Response Team (CERT-UA) and researchers with BlackBerry’s intelligence team, the attackers used malicious documents impersonating the Ukrainian World Congress organization to install malware payloads, including the MagicSpell loader and the RomCom backdoor.

“If successfully exploited, it allows an attacker to conduct a remote code execution (RCE)-based attack via the crafting of a malicious .docx or .rtf document designed to exploit the vulnerability,” BlackBerry security researchers said.

“This is achieved by leveraging the specially crafted document to execute a vulnerable version of MSDT, which in turn allows an attacker to pass a command to the utility for execution.”

RomCom is a Russia-based cybercriminal group (also tracked as Storm-0978) known for engaging in ransomware and extortion attacks alongside campaigns focused on stealing credentials, likely aimed at supporting intelligence operations, according to Redmond.

“The actor’s latest campaign detected in June 2023 involved abuse of CVE-2023-36884 to deliver a backdoor with similarities to RomCom,” Microsoft said on Tuesday.
