
CVE-2023-36884: Office RCE Vulnerability Actively Exploited Via Phishing

CVE-2023-36884, an Office RCE vulnerability actively exploited via phishing, has been a hot topic. How much do you know about it?

Remote Code Execution (RCE) vulnerabilities pose an exceptionally severe risk to network security, granting attackers the ability to strike virtually anywhere. These vulnerabilities can be exploited through publicly exposed networks like web servers, database servers, or remote desktop services such as RDP. Moreover, malicious actors may also leverage phishing attacks by using poisoned documents containing embedded malicious commands or by directing users to visit sites designed to attack their browsers or deceive them into disclosing sensitive credentials.

When reliable sources of cyber-threat intelligence, such as the CISA Known Exploited Vulnerabilities Catalog, identify a particular vulnerability as being actively exploited in the wild, it is especially crucial for businesses to promptly address and patch it to safeguard their networks and sensitive data from potential harm.

Most recently, CVE-2023-36884, a remote code execution (RCE) vulnerability, was identified as being actively exploited. Organizations must take immediate action to reduce their attack surface with workarounds and apply official patches from Microsoft when they become available. The vulnerability exemplifies a case where advanced cybersecurity solutions such as EDR can offer proactive protection against zero-day vulnerabilities.

Let's dive deeper into CVE-2023-36884:

The CVE-2023-36884 Attack Chain

Attacks leveraging CVE-2023-36884 were first observed by BlackBerry on July 8, 2023, although at first the exact exploit chain was not fully diagnosed. BlackBerry observed that a spear-phishing email campaign mimicking the Ukrainian World Congress was leveraging a fake OneDrive loader to distribute a backdoor that resembled RomCom.

Microsoft has since identified that the attacks were exploiting the CVE-2023-36884 RCE vulnerability in Microsoft Office applications, which carries an especially severe CVSS base score of 8.8, to distribute the RomCom backdoor through pirated versions of Adobe products and Signal outfitted with malware. The attacks were also found to exploit additional vulnerabilities, including Follina (CVE-2022-30190), another severe RCE vulnerability in Microsoft Office identified about a year earlier, in June 2022. The phishing attacks spoof domain names that mimic legitimate software products to trick users into downloading and executing the malicious software. The attacks have been attributed to the Storm-0978 threat actor.

After gaining initial access via the Trojanized applications, the attackers modify the Windows registry to extract password hashes from the Security Account Manager (SAM). The credentials are then used for lateral movement via the SMBExec and WMIExec tools from the Impacket toolkit. Impacket is an open-source Python library that provides low-level programmatic access to various Windows network protocols.

The attacks are ultimately financially motivated, with the end goal of infecting the victim with ransomware. The Industrial Spy, Underground, and Trigona ransomware variants were deployed against victims in the attacks.

What is Storm-0978?

Storm-0978 (also known as DEV-0978 or RomCom) is a cybercriminal group originating from Russia. Storm-0978 engages in various cyber activities, including opportunistic ransomware attacks and extortion schemes. Additionally, they conduct targeted phishing campaigns to collect credentials, likely to support intelligence operations. The group is responsible for developing and distributing a backdoor Trojan known as "RomCom".

The main focus of Storm-0978's targeted operations has been on government and military organizations in Ukraine. However, they have also targeted organizations in Europe and North America, particularly those with potential involvement in Ukrainian affairs. Their ransomware attacks have impacted various industries, including telecommunications and finance.

Mitigation Steps For CVE-2023-36884

Firstly, Microsoft reports that customers with active installations of Microsoft Defender for Office are already protected from documents that attempt to exploit CVE-2023-36884.

Otherwise, to enhance system security, modify the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key by adding the following Microsoft application names: Excel.exe, Graph.exe, MSAccess.exe, MSPub.exe, PowerPoint.exe, Visio.exe, WinProj.exe, WinWord.exe, and Wordpad.exe. Although a full system reboot is not required, all Office applications must be restarted for the registry key to take effect.

The full path to this key is:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION

Finally, Microsoft has noted that configuring EDR solutions to prevent Microsoft Office applications from creating child processes is an effective workaround until a full patch is released.
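As an added example that is not part of the original post, the following PowerShell script applies both workarounds above on a single Windows host. It assumes an elevated session, that each application name is added to the key as a REG_DWORD value with data 1 (Microsoft's published guidance for this key), and that the child-process block is implemented with Microsoft Defender's attack surface reduction (ASR) rule "Block all Office applications from creating child processes" rather than a third-party EDR.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell session.
# Workaround 1: FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION for the listed Office applications.
# Assumption: each application name is a REG_DWORD value set to 1 under this key.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$Apps = @('Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
          'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe')

# Create the key (and any missing parent keys) if it does not already exist.
if (-not (Test-Path -LiteralPath $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

foreach ($App in $Apps) {
    # One DWORD value per executable; -Force overwrites a value that is already present.
    New-ItemProperty -LiteralPath $KeyPath -Name $App -PropertyType DWord -Value 1 -Force | Out-Null
}

# Verify the result: report any application whose value is missing or not equal to 1.
$Current = Get-ItemProperty -LiteralPath $KeyPath
$NotApplied = $Apps | Where-Object { $Current.$_ -ne 1 }
if ($NotApplied) {
    Write-Warning "Registry workaround NOT applied for: $($NotApplied -join ', ')"
} else {
    Write-Output 'Registry workaround applied for all listed applications (restart Office apps).'
}

# Workaround 2: block Office applications from creating child processes via a Defender ASR rule.
# Assumption: rule ID D4F940AB-401B-4EFC-AADC-AD5F3C50688A is the ID Microsoft documents for
# "Block all Office applications from creating child processes"; confirm it against Microsoft's
# ASR rule reference before deploying. Use 'AuditMode' instead of 'Enabled' to measure impact first.
$AsrRuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRuleId -AttackSurfaceReductionRules_Actions Enabled

# Verify that the rule is now listed in the Defender preferences.
$Ids = (Get-MpPreference).AttackSurfaceReductionRules_Ids
if ($Ids -contains $AsrRuleId) {
    Write-Output 'ASR child-process rule is configured.'
} else {
    Write-Warning 'ASR child-process rule was not applied; check that Defender Antivirus is active.'
}
```

On hosts managed by Group Policy or Intune, prefer setting the key and the ASR rule through that channel so a local change is not reverted at the next policy refresh.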

Conclusion

The CVE-2023-36884 vulnerability in Microsoft Office applications has been actively exploited by the cybercriminal group Storm-0978 in a recent phishing campaign that entices victims with Trojanized Adobe and Signal software applications. Once in the system, the attackers extract password hashes to achieve lateral movement using the Impacket attack tool and deploy various ransomware variants.

The threat actor attributed to the attacks, Storm-0978, primarily targets Ukrainian government and military organizations and large organizations in Europe and North America. All organizations must ensure they are sufficiently protected by checking their Microsoft Defender for Office configuration or using the workaround methods to defend themselves.

Looking to further bolster your organization's security posture against threats like CVE-2023-36884? Reach out to our team for your free, zero-obligation quote.
