A zero-day vulnerability in Microsoft was found being exploited for cyber espionage.
CVE-2023-36884 was marked as important for its severity as it could result in remote code execution. The exploitation of the Microsoft zero-day vulnerability was done by the cybercriminal group, Storm-0978.
Details about the exploitation of the Microsoft zero-day vulnerability
CVE-2023-36884 was exploited by Storm-0978 using phishing websites that were designed to replicate authentic software installers, a Cyble blog noted. Storm-0978 aimed to access data belonging to the Ukrainian government and military organizations.
The phishing email with the Office document enabled remote code execution. However, for the exploit to work, users were required to open the office document without which it would not take effect. The lures were crafted around the Ukraine World Congress.
The above sample of the MS Word document was circulated among targets. It was written to align with the NATO Summit.
Hackers used a malware called RomCom to steal login credentials of accounts of individuals from the Ukrainian Ministry of Defense.
They leveraged the account access to send phishing emails with infected PDF attachments to defense and government entities in Europe and North America.
The Microsoft zero-day vulnerability has been exploited on unpatched systems since June 2023. Microsoft announced that they were monitoring the campaign exploiting the zero-day vulnerability since late 2022.
RomCom, Microsoft zero-day vulnerability and Russia
CVE-2023-36884 allowed adding of a backdoor to the command and control server of the hackers operating from Russia. The hackers also used the ransomware called, ‘Underground Ransomware,’  which has been linked to Industrial Spy Ransomware.
Storm-0978 has used phishing sites that spoofed authentic websites for Adobe products, SolarWinds Network Performance Monitor, Signal, and Advanced IP Scanner among others. They have committed crimes including ransomware and extortion operations.
What Microsoft said about the zero-day vulnerability
Microsoft learned about the espionage mail activity in June 2023 through customer reports.
Following investigations, it was learned that the exploitation of the vulnerability led to the compromise of nearly 25 organizations.
The hackers gained access to the email accounts of individuals likely from the 25 government organizations using forged authentication tokens through a Microsoft account.
The July Patch Tuesday, addressed the Microsoft zero-day vulnerability which is an Office and Windows HTML remote code execution flaw.
Mitigation and cybersecurity measures to take to prevent similar threats
To maintain caution against having the Microsoft zero-day vulnerability exploitation, users are urged to restrict all Office apps from generating child processes. For those who cannot use this option can configure the registry key – FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION.
To avoid falling prey to similar phishing campaigns, it is essential to make system setting changes to prevent exposing one’s system. Cyble noted the following steps for users –
- Mark executables to be blocked if it does not meet criterion like age, trusted list, etc.
- Keep backups and maintain offline backups likely on a different network.
- Make sure automatic software updates are set. Regularly check for updates for those that do not automatically install.
- Maintain anti-phishing tools and have employees know about common and recent phishing campaigns.
- In case of detecting a ransomware attack, inspect system logs and disconnect external storage systems.
