{"id":15957,"date":"2023-07-17T17:11:08","date_gmt":"2023-07-17T17:11:08","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=15957"},"modified":"2024-05-31T01:07:54","modified_gmt":"2024-05-31T01:07:54","slug":"microsoft-cve-2023-36884-vulnerability","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/microsoft-cve-2023-36884-vulnerability\/","title":{"rendered":"Microsoft CVE-2023-36884 Vulnerability Exploited in the Wild"},"content":{"rendered":"

On July 11, 2023, Microsoft published an article about addressing the CVE-2023-36884 vulnerability. This breach allowed for remote code execution<\/strong> in Office and Windows HTML. Microsoft has acknowledged a targeted attack that exploits a vulnerability using specifically designed Microsoft Office documents<\/strong>. The attacker can gain control of a victim’s computer by creating a malicious Office document, but the victim must participate by opening it.<\/p>\n

Microsoft discovered a phishing campaign<\/strong> conducted by a Threat Actor named Storm-0978. The targets were government and defense entities in Europe and North America. The Threat Actor used lures related to the Ukraine World Congress<\/strong> and exploited the vulnerability known as CVE-2023-36884<\/a>.<\/p>\n

Who is Storm-0978?<\/h2>\n

The cybercriminal group known as Storm-0978, based in Russia, is infamous for engaging in various illegal activities<\/strong>. These activities include conducting ransomware<\/a> and extortion operations, targeted campaigns to collect credentials, developing and distributing the RomCom backdoor, and deploying the Underground Ransomware<\/strong>.<\/p>\n

\"Who
Overall RomCom architecture
<\/figcaption><\/figure>\n

Underground ransomware is associated with Industrial Spy Ransomware<\/strong>, detected in the wild in May 2022. Microsoft identified a recent campaign in June 2023 that exploited CVE-2023-36884 to distribute a RomCom-like backdoor. This was done by a group known as Storm-0978, who use a phishing site masquerading as legitimate software<\/strong> to infect users. The impersonated products include Adobe products, SolarWinds Network Performance Monitor, SolarWinds Orion, Advanced IP Scanner, KeePass, and Signal. Users unwittingly download and execute files that result in the infection<\/strong> of the RomCom backdoor by visiting these phishing sites.<\/p>\n

CVE-2023-36884 Exploitation<\/h2>\n

Storm-0978 conducted a phishing campaign in June 2023, using a fake OneDrive loader to deliver a backdoor<\/a> similar to RomCom. The phishing emails targeted defense and government entities in Europe and North America<\/strong>, with lures related to the Ukrainian World Congress, and led to exploitation via CVE-2023-36884 vulnerability.<\/p>\n

\"CVE-2023-36884
Storm-0978 email operates NATO themes and the Ukrainian World Congress<\/figcaption><\/figure>\n

During a phishing attempt, Microsoft detected that Storm-0978 used an exploit to target CVE-2023-36884.<\/p>\n

BlackBerry documented the attacks on guests for the upcoming NATO<\/strong> Summit on July 8, but the use of the zero-day in the attacks<\/a> was unknown at the time.<\/p>\n

The attackers used the RomCom variant for espionage<\/strong>, and Underground Ransomware was deployed for ransomware operations. The campaign indicates that Storm-0978 is a highly sophisticated group that seems to be also targeting multiple organizations in the future<\/strong>.<\/p>\n

How do you avoid vulnerability?<\/h2>\n

Organizations should adopt all possible mitigation strategies<\/strong> until a patch is released. The vulnerability has been used in targeted attacks, and news of its existence will doubtlessly lead other attackers to attempt to replicate the exploit<\/a>.<\/p>\n

Microsoft offers performing the registry trick<\/strong> in order to prevent exploitation. In Regedit, go by the following path and find there FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION<\/em> key.<\/p>\n

Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\<\/code><\/p>\n

There, create REG_DWORD values with data 1 with the names of exploitable applications:<\/p>\n

\n
\n