1.0 Introduction
Microsoft has recently released updates to address multiple vulnerabilities in Microsoft software. The most serious of them is CVE-2023-36884, a remote code execution (RCE) bug in Office and Windows HTML, for which Microsoft did not have a patch in the previous month's update. The company identified a threat group it is tracking, Storm-0978, as exploiting the flaw in a phishing campaign targeting government and defense organizations in North America and Europe.
Storm-0978 (DEV-0978; also referred to as RomCom, the name of their backdoor, by other vendors) is a cybercriminal group based out of Russia, known to conduct opportunistic ransomware and extortion-only operations, as well as targeted credential-gathering campaigns likely in support of intelligence operations. Storm-0978 operates, develops, and distributes the RomCom backdoor. The actor also deploys the Underground ransomware, which is closely related to the Industrial Spy ransomware first observed in the wild in May 2022. The actor’s latest campaign detected in June 2023 involved abuse of CVE-2023-36884 to deliver a backdoor with similarities to RomCom.
2.0 Impact
An attacker can exploit some of these vulnerabilities to take control of an affected system. Microsoft's July security update contains fixes for 130 unique vulnerabilities, five of which are already being actively exploited in the wild.
Storm-0978 has conducted phishing operations with lures related to Ukrainian political affairs and targeting military and government bodies primarily in Europe. Based on the post-compromise activity identified by Microsoft, Storm-0978 distributes backdoors to target organizations and may steal credentials to be used in later targeted operations.
The actor’s ransomware activity, in contrast, has been largely opportunistic in nature and entirely separate from espionage-focused targets. Identified attacks have impacted the telecommunications and finance industries.
3.0 Affected Products
- Windows 10, version 21H2 and Windows 10, version 22H2
- Windows 10, version 1809, Windows Server 2019
- Windows Server 2022
- Windows 11, version 21H2
- Windows 11, version 22H2
- Windows Server 2008 (Monthly Rollup)
- Windows Server 2008 R2 (Security-only update)
- Windows Server 2008 (Security-only update)
- Windows Server 2008 R2 (Monthly Rollup)
4.0 Recommendations
Microsoft recommends the following mitigations to reduce the impact of activity associated with Storm-0978’s operations.
- Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- Use Microsoft Defender for Office 365 for enhanced phishing protection and coverage against new threats and polymorphic variants. Defender for Office 365 customers should ensure that Safe Attachments and Safe Links protection is enabled for users, with Zero-hour Auto Purge (ZAP) to remove emails when a URL gets weaponized post-delivery.
- Microsoft 365 Defender customers can turn on attack surface reduction rules to prevent common attack techniques used in ransomware attacks:
  - Block process creations originating from PsExec and WMI commands – Some organizations might experience compatibility issues with this rule on certain server systems but should deploy it to other systems to prevent lateral movement originating from PsExec and WMI, including Impacket’s WMIexec.
  - Block executable files from running unless they meet a prevalence, age, or trusted list criterion
  - Use advanced protection against ransomware
  - Block all Office applications from creating child processes
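The following PowerShell script is an added example, not part of the MyCERT advisory or of Microsoft's guidance: it audits the four attack surface reduction rules listed above on an endpoint running Microsoft Defender Antivirus and switches any rule that is not already in block mode to Enabled. The rule GUIDs are assumed from Microsoft's ASR rules reference and should be verified against it before deployment; the script must be run from an elevated PowerShell session.

```powershell
# Added example (not from the advisory). Assumption: GUIDs below are taken from
# Microsoft's ASR rules reference; verify them before rolling this out.
$RequiredRules = @{
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PsExec and WMI commands'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executables unless they meet a prevalence, age, or trusted list criterion'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
}

# Defender reports the configured action per rule as an integer:
# 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Returns one row per required rule with its current action and whether it blocks.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)      # @() guards against $null
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $current = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) { $current[$ids[$i].ToLower()] = [int]$actions[$i] }

    foreach ($id in $RequiredRules.Keys) {
        $action = if ($current.ContainsKey($id)) { $current[$id] } else { 0 }
        $state  = if ($ActionNames.ContainsKey($action)) { $ActionNames[$action] } else { "Unknown($action)" }
        [pscustomobject]@{
            RuleId      = $id
            Name        = $RequiredRules[$id]
            State       = $state
            InBlockMode = ($action -eq 1)
        }
    }
}

# Report the current state, then enable (block mode) every rule that is not blocking yet.
# Per the advisory, the PsExec/WMI rule can break some servers: consider AuditMode there first.
$states = Get-AsrRuleState
$states | Format-Table -AutoSize

$toEnable = @($states | Where-Object { -not $_.InBlockMode })
foreach ($rule in $toEnable) {
    Write-Host "Enabling ASR rule in block mode: $($rule.Name)"
    Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.RuleId `
                     -AttackSurfaceReductionRules_Actions Enabled
}
if ($toEnable.Count -eq 0) { Write-Host 'All required ASR rules are already in block mode.' }
```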
CVE-2023-36884-specific recommendations
- Customers who use Microsoft Defender for Office 365 are protected from attachments that attempt to exploit CVE-2023-36884.
- In addition, customers who use Microsoft 365 Apps (Versions 2302 and later) are protected from exploitation of the vulnerability via Office.
- In current attack chains, the use of the Block all Office applications from creating child processes attack surface reduction rule prevents the vulnerability from being exploited.
- Organizations that cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation.
- No OS restart is required, but restarting the applications that have had the registry key added for them is recommended in case the value was already queried and is cached.
- Please note that while these registry settings would mitigate exploitation of this issue, they could affect regular functionality for certain use cases related to these applications. For this reason, we suggest testing first. To disable the mitigation, delete the registry key or set it to “0”.
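The PowerShell script below is an added example, not code from the advisory or from Microsoft: it audits whether the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION mitigation is in place for the Office applications, applies it where missing, and provides the rollback the advisory describes. The full registry path and the list of application executables are assumptions taken from Microsoft's published mitigation for this CVE (they are not stated in the advisory above) and should be checked against the MSRC entry; run it from an elevated session.

```powershell
# Added example (not from the advisory). Assumptions: key path and executable list
# follow Microsoft's published CVE-2023-36884 mitigation; verify against MSRC.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$Applications = @('Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe',
                  'PowerPoint.exe', 'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe')

function Get-MitigationState {
    # One row per application; Mitigated is $true only when the REG_DWORD value is exactly 1.
    foreach ($app in $Applications) {
        $value = $null
        if (Test-Path $KeyPath) {
            $value = (Get-ItemProperty -Path $KeyPath -Name $app -ErrorAction SilentlyContinue).$app
        }
        [pscustomobject]@{ Application = $app; Value = $value; Mitigated = ($value -eq 1) }
    }
}

function Enable-Mitigation {
    # Creates the key if needed and sets each application value to DWORD 1.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    foreach ($app in $Applications) {
        New-ItemProperty -Path $KeyPath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Disable-Mitigation {
    # Rollback as described in the advisory: delete the key (setting values to 0 also works).
    if (Test-Path $KeyPath) { Remove-Item -Path $KeyPath -Recurse -Force }
}

# Audit first, apply only if something is missing, then remind the operator that the
# affected applications must be restarted because an already-queried value may be cached.
$before = Get-MitigationState
$before | Format-Table -AutoSize
if (@($before | Where-Object { -not $_.Mitigated }).Count -gt 0) {
    Enable-Mitigation
    Get-MitigationState | Format-Table -AutoSize
    Write-Host 'Restart the listed applications so the new value is read (no OS reboot required).'
} else {
    Write-Host 'Mitigation already in place for all listed applications.'
}
```

Test the setting on a pilot group before wide deployment, since the advisory notes it can affect regular functionality of these applications.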
MyCERT encourages users and administrators to review Microsoft’s July 2023 Security Update Guide and Deployment Information and apply the necessary updates.
Kindly refer to the following URLs:
- https://msrc.microsoft.com/update-guide/releaseNote/2023-Jul
- https://msrc.microsoft.com/update-guide/deployments
Generally, MyCERT advises users of these products to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.
For further enquiries, please contact MyCERT through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 -18:00 MYT
Web: https://www.mycert.org.my
Twitter: https://twitter.com/mycert
Facebook: https://www.facebook.com/mycert.org.my
5.0 References