The zero-day vulnerability – hackers rarely found it easier to reach their goal

17 July 2023, by Horst Buchwald

San Francisco, 7/17/2023

An unpatched zero-day vulnerability (CVE-2023-36884) is being exploited against targets with an interest in Ukraine.
Microsoft is aware of the vulnerability and of targeted attacks that exploit it for remote code execution. The attackers deliver specially crafted Microsoft Office documents as the malicious files; if a victim opens one, the attacker can execute code remotely in the context of that user.

Microsoft traces the attacks to a phishing campaign by the threat group "Storm-0978". The group focused on defense and government entities in Europe and North America, using a lure related to the Ukrainian World Congress.

Another variant used a fake OneDrive loader to deliver a backdoor with similarities to RomCom, the group's primary backdoor tool.

Part of the group's activity is focused on distributing trojanized versions of popular software.
Software abused for these installers includes trojanized versions of SolarWinds Network Performance Monitor, KeePass, Signal, and Adobe products. The group registers look-alike domains that mimic the legitimate vendor's domain and uses them as a convincing disguise for the infected installers.

Microsoft notes that the group is also involved in ransomware attacks, but these are less targeted and unrelated to its espionage operations. Ransomware attacks attributed to Storm-0978 have affected the financial and telecommunications industries.

Microsoft offers the following advice for organizations concerned about the potential risk of compromise from recent attacks:

CVE-2023-36884 specific recommendations

Customers using Microsoft Defender for Office 365 are protected from attachments that attempt to exploit CVE-2023-36884.
In the attack chains seen so far, the attack surface reduction (ASR) rule "Block all Office applications from creating child processes" prevents the vulnerability from being exploited.

Organizations that cannot use these protections can add the affected Office applications to the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to block exploitation. Note that while this registry setting limits exploitation of the issue, it can break regular functionality for certain use cases involving those applications.

You might also consider blocking outbound SMB traffic (TCP port 445) at the network perimeter.
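As an added example (this is not code from the original article or from Microsoft's advisory), the following PowerShell script checks and, unless told otherwise, applies the three workarounds above on a single Windows host. The function names and the -CheckOnly and -BlockOutboundSmb switches are this example's own; the ASR rule GUID, the registry path and the list of Office executables follow Microsoft's published mitigation guidance for CVE-2023-36884 as of July 2023, so verify them against the current advisory before deploying.

```powershell
#Requires -RunAsAdministrator
# Added example, not from Microsoft's advisory or the original article.
# Checks and applies the CVE-2023-36884 workarounds described above.
# Function names and the switches are this example's own; the GUID, registry
# path and executable list follow Microsoft's July 2023 guidance (verify them).
param(
    [switch]$CheckOnly,        # report state only, change nothing
    [switch]$BlockOutboundSmb  # also add a host firewall rule for outbound TCP 445
)

# ASR rule "Block all Office applications from creating child processes"
$AsrRuleId   = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
$FeaturePath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$OfficeApps  = @('Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
                 'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe')
$SmbRuleName = 'Block outbound SMB (CVE-2023-36884 workaround)'

function Get-AsrRuleAction {
    # Returns the configured action for the ASR rule: 0 = off/not set, 1 = block, 2 = audit, 6 = warn.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $AsrRuleId) { return [int]$actions[$i] }
    }
    return 0
}

function Get-UnprotectedOfficeApps {
    # Returns the executables that do not yet have the DWORD value 1 under the feature-control key.
    $missing = @()
    foreach ($app in $OfficeApps) {
        $value = $null
        if (Test-Path $FeaturePath) {
            $value = (Get-ItemProperty -Path $FeaturePath -Name $app -ErrorAction SilentlyContinue).$app
        }
        if ($value -ne 1) { $missing += $app }
    }
    return $missing
}

function Enable-OfficeChildProcessBlock {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRuleId -AttackSurfaceReductionRules_Actions Enabled
}

function Set-CrossProtocolFileNavigationBlock {
    # Registry workaround: one REG_DWORD = 1 per Office executable. As the advisory warns,
    # this can break legitimate cross-protocol navigation in those applications.
    if (-not (Test-Path $FeaturePath)) { New-Item -Path $FeaturePath -Force | Out-Null }
    foreach ($app in $OfficeApps) {
        New-ItemProperty -Path $FeaturePath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Add-OutboundSmbBlockRule {
    # Blocks all outbound TCP 445 from this host. Scope -RemoteAddress before deploying
    # widely, or every mapped network drive and domain file share stops working.
    if (-not (Get-NetFirewallRule -DisplayName $SmbRuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $SmbRuleName -Direction Outbound -Protocol TCP `
            -RemotePort 445 -Action Block -Profile Any | Out-Null
    }
}

# --- main flow: check, then remediate unless -CheckOnly was given ---
$asrAction   = Get-AsrRuleAction
$unprotected = @(Get-UnprotectedOfficeApps)

if ($asrAction -ne 1) {
    Write-Host "ASR rule 'Block all Office applications from creating child processes' is not in block mode (action=$asrAction)."
    if (-not $CheckOnly) { Enable-OfficeChildProcessBlock; Write-Host '  -> enabled' }
}
if ($unprotected.Count -gt 0) {
    Write-Host "FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION missing for: $($unprotected -join ', ')"
    if (-not $CheckOnly) { Set-CrossProtocolFileNavigationBlock; Write-Host '  -> set' }
}
if ($BlockOutboundSmb -and -not $CheckOnly) {
    Add-OutboundSmbBlockRule
    Write-Host "Firewall rule '$SmbRuleName' present."
}

# Re-read so the output reflects the actual post-change state rather than our intent.
Write-Host ("Final state: ASR action={0}, apps still unprotected={1}" -f (Get-AsrRuleAction), (@(Get-UnprotectedOfficeApps).Count))
```

Run it once with -CheckOnly to see a host's current state, then without it to remediate; for a fleet, push the same settings through Group Policy or Intune rather than running the script per machine. Because the registry workaround and the SMB block can break legitimate functionality, record what was changed and roll the workarounds back once the vendor update for CVE-2023-36884 is installed.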
