Microsoft is warning of an unpatched Office zero-day vulnerability that is being targeted by a Russian-based threat actor in phishing emails with the aim of delivering a backdoor on victim systems.
No patches are available yet for the Office and Windows HTML remote code execution flaw (CVE-2023-36884) at the center of the attack, said Microsoft. The company said it is investigating “reports of a series of remote code execution vulnerabilities impacting Windows and Office products” and is aware of “targeted attacks” attempting to exploit these bugs.
“Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers,” according to Microsoft in an advisory that was published as part of its regularly scheduled July security updates, which also include four other vulnerabilities under active attack. “This might include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.”
Microsoft refers to the threat actor in this campaign as Storm-0978 (previously tracked as DEV-0978); under the company’s new threat actor naming taxonomy, the “Storm” prefix marks a newly discovered or still-developing cluster of activity that has not yet been tied to a named group. The cybercriminal group has previously launched ransomware, extortion and credential-stealing attacks, and has been tied to both the RomCom backdoor and the Underground ransomware.
In its latest campaign in June, the group was observed sending phishing emails to defense and government entities in Europe and North America, which used typosquatting to impersonate the Ukrainian World Congress, a nonprofit that includes member organizations across dozens of countries. The phishing emails purported to include invitations for the North Atlantic Treaty Organization (NATO) Summit, which takes place later in July. In reality, the messages contained a fake OneDrive loader that delivered a backdoor with similarities to the RomCom backdoor, said researchers.
“Additionally, based on attributed phishing activity, Storm-0978 has acquired exploits targeting zero-day vulnerabilities,” said Microsoft in a Tuesday advisory on the attacks. “Identified exploit activity includes abuse of CVE-2023-36884, including a zero-day remote code execution vulnerability exploited via Microsoft Word documents in June 2023, as well as abuse of vulnerabilities contributing to a security feature bypass.”
Microsoft’s analysis fills in the blanks of a phishing campaign that security researchers have tracked over the past weeks, including the BlackBerry research team, which observed an instance of the campaign that exploited the known Follina flaw in Microsoft’s Support Diagnostic Tool (CVE-2022-30190). In their analysis, BlackBerry’s researchers said that, based on the lures used in the campaign, they believe the victims are representatives of Ukraine or foreign organizations and individuals supporting Ukraine, and that the operation involves malware with similarities to RomCom, including a similar string encryption algorithm. RomCom has been used in geopolitically motivated hacks since at least 2022, according to Trend Micro researchers, including in attacks that target organizations in Ukraine’s energy and water utility sectors. The backdoor has a number of capabilities, including the ability to gather credentials.
While no patches currently exist for CVE-2023-36884, Microsoft offered up a number of mitigations for impacted organizations. The company said that enabling the Attack Surface Reduction rule “Block all Office applications from creating child processes” will prevent the vulnerability from being exploited in current attack chains, since the observed chains rely on an Office application spawning a further process; the rule requires Microsoft Defender Antivirus to be the active antivirus engine on the endpoint. Organizations that cannot use ASR rules can instead set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key for the affected applications to avoid exploitation, though Microsoft cautioned that this may impact the functionality for certain use cases of related applications.
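The following PowerShell script is an added example, not code from the article or from Microsoft’s advisory: it applies both interim mitigations described above on a single Windows host, reads back the resulting state so the change can be verified, and includes a rollback for when the patch ships. The ASR rule GUID and the registry path are the ones Microsoft documents for this rule and feature control; the list of process names is the one the CVE-2023-36884 advisory gives, but treat it as an assumption and check it against the current advisory before rolling it out fleet-wide.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or Microsoft's advisory text).
# Run in an elevated session on a host where Microsoft Defender Antivirus is the active AV;
# ASR rules are unavailable when a third-party engine is primary.

# GUID of the ASR rule "Block all Office applications from creating child processes".
$OfficeChildProcRule = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'

# Feature-control key consulted by the Office apps; one REG_DWORD=1 value per process name.
$FeatureKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'

# Process names as listed in the advisory (assumption: verify against the advisory before deployment).
$OfficeProcesses = @('Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
                     'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe')

function Get-Cve36884MitigationState {
    # Report the ASR rule's mode and which registry values are still missing.
    $pref = Get-MpPreference
    $asrState = 'NotConfigured'
    # Ids and Actions are parallel arrays; locate our rule by index.
    $ids = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
    $idx = [Array]::IndexOf($ids, $OfficeChildProcRule)
    if ($idx -ge 0) {
        $asrState = switch ($pref.AttackSurfaceReductionRules_Actions[$idx]) {
            0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { 'Unknown' }
        }
    }
    $missing = @()
    foreach ($p in $OfficeProcesses) {
        $v = Get-ItemProperty -Path $FeatureKey -Name $p -ErrorAction SilentlyContinue
        if (-not $v -or $v.$p -ne 1) { $missing += $p }
    }
    [pscustomobject]@{
        AsrRuleState         = $asrState
        FeatureKeyComplete   = ($missing.Count -eq 0)
        MissingFeatureValues = $missing
    }
}

function Enable-Cve36884Mitigations {
    # 1. ASR rule in Block mode. Add-MpPreference appends; existing rules are left alone.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                     -AttackSurfaceReductionRules_Actions Enabled

    # 2. Feature-control key: create the path if absent, then one DWORD=1 per process.
    if (-not (Test-Path $FeatureKey)) { New-Item -Path $FeatureKey -Force | Out-Null }
    foreach ($p in $OfficeProcesses) {
        New-ItemProperty -Path $FeatureKey -Name $p -PropertyType DWord -Value 1 -Force | Out-Null
    }
    Get-Cve36884MitigationState
}

function Disable-Cve36884Mitigations {
    # Rollback once a vendor fix is installed, or if the feature control breaks a workflow.
    Remove-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule
    foreach ($p in $OfficeProcesses) {
        Remove-ItemProperty -Path $FeatureKey -Name $p -ErrorAction SilentlyContinue
    }
    Get-Cve36884MitigationState
}

# Usage: capture the baseline, apply, and confirm both controls report as set.
$before = Get-Cve36884MitigationState
$after  = Enable-Cve36884Mitigations
$before, $after | Format-List
```

The feature-control values are read when an Office process starts, so already-running Word or Excel instances must be restarted before the registry mitigation applies to them; the ASR rule takes effect as soon as Defender reloads its preferences. If the ASR rule reports `Audit` rather than `Block`, a tenant policy (Intune or Group Policy) is overriding the local setting and the change has to be made there instead.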
Though the flaw is rated “Important” rather than “Critical,” Dustin Childs with Trend Micro’s Zero Day Initiative said he recommends treating it as critical.
“Microsoft states they are aware of targeted exploits using this bug in specially crafted Office documents to get code execution on targeted systems,” said Childs on Tuesday. “For now, the keyword there is ‘targeted.’ However, Microsoft has taken the odd action of releasing this CVE without a patch. That’s still to come.”