1.0 Introduction

Recently, Microsoft released updates to address multiple vulnerabilities in Microsoft software. The most serious of them is CVE-2023-36884, a remote code execution (RCE) bug in Office and Windows HTML, for which Microsoft had no patch in the previous month's update. The company identified a threat group it tracks as Storm-0978 as exploiting the flaw in a phishing campaign targeting government and defense organizations in North America and Europe.

Storm-0978 (DEV-0978; also referred to as RomCom, the name of their backdoor, by other vendors) is a cybercriminal group based out of Russia, known to conduct opportunistic ransomware and extortion-only operations, as well as targeted credential-gathering campaigns likely in support of intelligence operations. Storm-0978 operates, develops, and distributes the RomCom backdoor. The actor also deploys the Underground ransomware, which is closely related to the Industrial Spy ransomware first observed in the wild in May 2022. The actor’s latest campaign detected in June 2023 involved abuse of CVE-2023-36884 to deliver a backdoor with similarities to RomCom.

2.0 Impact
An attacker can exploit some of these vulnerabilities to take control of an affected system. Microsoft's July security update contains fixes for 130 unique vulnerabilities, five of which attackers are already actively exploiting in the wild.

Storm-0978 has conducted phishing operations with lures related to Ukrainian political affairs and targeting military and government bodies primarily in Europe. Based on the post-compromise activity identified by Microsoft, Storm-0978 distributes backdoors to target organizations and may steal credentials to be used in later targeted operations.

The actor’s ransomware activity, in contrast, has been largely opportunistic in nature and entirely separate from espionage-focused targets. Identified attacks have impacted the telecommunications and finance industries.

3.0 Affected Products

Windows 10, version 21H2 and Windows 10, version 22H2
Windows 10, version 1809, Windows Server 2019
Windows Server 2022
Windows 11, version 21H2
Windows 11, version 22H2
Windows Server 2008 (Monthly Rollup)
Windows Server 2008 R2 (Security-only update)
Windows Server 2008 (Security-only update)
Windows Server 2008 R2 (Monthly Rollup)

4.0 Recommendations
Microsoft recommends the following mitigations to reduce the impact of activity associated with Storm-0978’s operations.

CVE-2023-36884 specific recommendations

  • Customers who use Microsoft Defender for Office 365 are protected from attachments that attempt to exploit CVE-2023-36884.
  • In addition, customers who use Microsoft 365 Apps (Versions 2302 and later) are protected from exploitation of the vulnerability via Office.
  • In current attack chains, the use of the Block all Office applications from creating child processes attack surface reduction rule prevents the vulnerability from being exploited.
  • Organizations that cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation.
    • No OS restart is required, but restarting the applications for which the registry key has been added is recommended, in case the value was already queried and is cached.
    • Please note that while these registry settings mitigate exploitation of this issue, they could affect regular functionality for certain use cases related to these applications. For this reason, we suggest testing. To disable the mitigation, delete the registry key or set it to “0”.
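The following PowerShell script is an added example for administrators working through the recommendations above; it is not part of the MyCERT advisory or of Microsoft's guidance. It audits, applies or rolls back the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION mitigation and reports whether the named attack surface reduction rule is in block mode. The advisory names only the registry key and the rule; the full key path, the per-application value names and the ASR rule GUID used here are assumptions taken from Microsoft's published documentation and should be verified against the vendor's Security Update Guide before use.

```powershell
# Added example (not from the MyCERT advisory or Microsoft): audit, apply or roll back the
# FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry mitigation for CVE-2023-36884.
# ASSUMPTION: key path, per-application value names and the ASR rule GUID below follow
# Microsoft's published guidance; the advisory itself names only the key and the rule.
# Run from an elevated PowerShell session. Supports -WhatIf for a dry run.
[CmdletBinding(SupportsShouldProcess)]
param(
    [ValidateSet('Audit', 'Apply', 'Rollback')]
    [string]$Mode = 'Audit'
)

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'

# One REG_DWORD per executable; a value of 1 enables the mitigation for that application
# (assumed list of covered applications, taken from Microsoft's guidance).
$Applications = @(
    'Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
    'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe'
)

# "Block all Office applications from creating child processes" (assumed GUID from
# Microsoft's ASR rule reference). Get-MpPreference maps Ids[i] to Actions[i]; 1 = Block.
$AsrRuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Get-MitigationState {
    # Returns one object per application: whether the value exists and whether it is 1.
    foreach ($app in $Applications) {
        $value = $null
        if (Test-Path $KeyPath) {
            $value = (Get-ItemProperty -Path $KeyPath -Name $app -ErrorAction SilentlyContinue).$app
        }
        [pscustomobject]@{
            Application = $app
            Present     = ($null -ne $value)
            Enabled     = ($value -eq 1)   # missing or 0 means the mitigation is off for this app
        }
    }
}

function Get-AsrRuleAction {
    # Returns the configured action for the rule, or 'NotConfigured' if absent or Defender is unavailable.
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if (-not $pref -or -not $pref.AttackSurfaceReductionRules_Ids) { return 'NotConfigured' }
    $idx = [array]::IndexOf(($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() }), $AsrRuleId)
    if ($idx -lt 0) { return 'NotConfigured' }
    switch ($pref.AttackSurfaceReductionRules_Actions[$idx]) {
        1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { 'Disabled' }
    }
}

switch ($Mode) {
    'Audit' {
        Get-MitigationState | Format-Table -AutoSize
        Write-Host ("ASR rule 'Block all Office applications from creating child processes': {0}" -f (Get-AsrRuleAction))
    }
    'Apply' {
        if ($PSCmdlet.ShouldProcess($KeyPath, 'Set mitigation value to 1 for each application')) {
            New-Item -Path $KeyPath -Force | Out-Null
            foreach ($app in $Applications) {
                New-ItemProperty -Path $KeyPath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
            }
            # No OS restart needed; applications must be restarted so the cached value is re-read.
            Write-Host 'Mitigation applied. Restart the listed applications to pick up the new value.'
        }
    }
    'Rollback' {
        # Deleting the key (or setting the values to 0) disables the mitigation again.
        if ((Test-Path $KeyPath) -and $PSCmdlet.ShouldProcess($KeyPath, 'Remove mitigation key')) {
            Remove-Item -Path $KeyPath -Recurse -Force
            Write-Host 'Mitigation key removed.'
        }
    }
}
```

Run with `-Mode Audit` first to record the current state, then `-Mode Apply -WhatIf` to preview the change. Because the advisory notes that the setting can break legitimate file navigation in the listed applications, pilot it on a test group before a wide rollout, and keep `-Mode Rollback` at hand.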

MyCERT encourages users and administrators to review Microsoft’s July 2023 Security Update Guide and Deployment Information and apply the necessary updates.

Kindly refer to the following URLs:

Generally, MyCERT advises users of these products to keep up to date with the vendor's latest security announcements and to follow best-practice security policies in determining which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 - 18:00 MYT
Web: https://www.mycert.org.my
Twitter: https://twitter.com/mycert
Facebook: https://www.facebook.com/mycert.org.my

5.0    References