Microsoft Zero Day Vulnerability CVE-2023-36884 Being Actively Exploited

CRIL analyzes the impact of Zero-Day Exploit for CVE-2023-36884 in cyber espionage and ransomware operations.

Storm-0978 Group Deploys RomCom Variant and Underground Ransomware in Targeted Attacks

On July 11, 2023, Microsoft released its July Patch Tuesday update covering 132 vulnerabilities, six of which were already being actively exploited and thirty-seven of which are Remote Code Execution (RCE) flaws. Microsoft also published a dedicated advisory for CVE-2023-36884, an Office and Windows HTML Remote Code Execution vulnerability. Microsoft is aware of targeted attacks that exploit this vulnerability using specially crafted Microsoft Office documents; a crafted document lets the attacker execute code in the context of the user who opens it. The exploit requires user interaction: the attacker must persuade the victim to open the malicious Office document. The July update contained no fix for CVE-2023-36884 itself, only the mitigations described in the Remediation section below.

Microsoft detected a phishing campaign by the Threat Actor (TA) tracked as Storm-0978 that specifically targeted defense and government entities in Europe and North America. The lures referenced the Ukrainian World Congress, and the attached documents exploited CVE-2023-36884.

Storm-0978 is a cybercriminal group operating out of Russia. It is known for ransomware and extortion operations as well as targeted credential-harvesting campaigns, and it develops and distributes the RomCom backdoor and deploys Underground ransomware.

Underground ransomware is closely related to Industrial Spy ransomware, which was first observed in the wild in May 2022. Microsoft has also reported that a campaign identified in June 2023 exploited CVE-2023-36884 to deliver a backdoor with strong similarities to RomCom.

For initial infection, Storm-0978 uses phishing sites that impersonate well-known legitimate software. Impersonated products include Adobe products, SolarWinds Network Performance Monitor, SolarWinds Orion, Advanced IP Scanner, KeePass, and Signal. Users who visit these sites download and run trojanized installers, which results in infection with the RomCom backdoor.

Cyber Espionage


Microsoft has identified a series of campaigns conducted by Storm-0978 since late 2022. The post-compromise activity observed in these operations and the choice of targets indicate that espionage is a likely motive behind them.

In October 2022, Storm-0978 ran phishing campaigns built around fraudulent websites that mimicked legitimate software installers. The primary targets were individuals associated with the Ukrainian government and military. The objective was to deliver the RomCom malware and potentially harvest the login credentials of high-value individuals.

In December 2022, according to CERT-UA, Storm-0978 compromised an email account belonging to the Ukrainian Ministry of Defense and used it to send phishing emails. The emails carried PDF lures with links to an actor-controlled website hosting malware designed to steal sensitive information from the victims' devices.

A phishing campaign attributed to Storm-0978 was executed in June 2023 against defense and government entities in Europe and North America. It used a loader disguised as a OneDrive component to deliver a backdoor resembling RomCom. Figure 1 shows the phishing email Storm-0978 used to deliver the CVE-2023-36884 exploit.

Figure 1 – Phishing email with the NATO summit subject (Source: Microsoft)

Figure 2 shows the Microsoft Word document used as bait throughout the campaign; its content is themed around the NATO Summit.

Figure 2 – Lure document used in the campaign

Ransomware Activities

In documented ransomware intrusions, Storm-0978 obtained credentials by dumping password hashes from the Security Account Manager (SAM) via the Windows registry. It then used the SMBExec and WMIExec modules of the Impacket framework for lateral movement within the compromised environment. Both steps leave characteristic host artifacts: exports of the SAM and SYSTEM hives, and cmd.exe processes spawned by WmiPrvSE.exe (WMIExec) or by a service created under services.exe (SMBExec).
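The following is an added detection example written for this page; it is not code from Cyble, Microsoft or the Impacket project. It matches process-creation telemetry against the artifacts just described. Field names assume Sysmon Event ID 1 (UtcTime, Computer, ParentImage, Image, CommandLine); Security event 4688 with command-line auditing enabled maps to the same fields. The command-line shapes are the default templates of Impacket's wmiexec.py and smbexec.py, so an operator who edits those scripts will not match: treat this as high-confidence rather than complete coverage. The sample events are constructed, not real telemetry.

```powershell
# Added example (not from the Cyble post, Microsoft, or Impacket): flag
# process-creation records that match SAM hive export via reg.exe and the
# default command lines of Impacket's wmiexec.py and smbexec.py.
# Field names mirror Sysmon Event ID 1; feed
#   Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1}
# through Find-LateralMovementArtifacts in production.

$Rules = @(
    @{
        Name = 'SAM/SYSTEM hive export via reg.exe'
        Test = { param($e)
            $e.Image -match '(?i)\\reg\.exe$' -and
            $e.CommandLine -match '(?i)\bsave\b.*\\(sam|system|security)\b' }
    },
    @{
        # wmiexec default: cmd.exe spawned by WmiPrvSE.exe, output redirected to
        # \\127.0.0.1\ADMIN$\__<timestamp>
        Name = 'Impacket wmiexec default command line'
        Test = { param($e)
            $e.ParentImage -match '(?i)\\WmiPrvSE\.exe$' -and
            $e.CommandLine -match '(?i)cmd\.exe\s+/Q\s+/c\s.*>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__' }
    },
    @{
        # smbexec default: a service started by services.exe runs %COMSPEC%, echoes the
        # command into execute.bat and redirects output to \\127.0.0.1\C$\__output
        Name = 'Impacket smbexec default service command'
        Test = { param($e)
            $e.ParentImage -match '(?i)\\services\.exe$' -and
            $e.CommandLine -match '(?i)__output' -and
            $e.CommandLine -match '(?i)execute\.bat' }
    }
)

function Find-LateralMovementArtifacts {
    # Returns one object per (event, rule) match; an event can trigger several rules.
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        foreach ($r in $Rules) {
            if (& $r.Test $e) {
                [pscustomobject]@{
                    UtcTime     = $e.UtcTime
                    Computer    = $e.Computer
                    Rule        = $r.Name
                    ParentImage = $e.ParentImage
                    CommandLine = $e.CommandLine
                }
            }
        }
    }
}

# Constructed sample records (not real telemetry). The first three should match,
# the fourth (an interactive cmd.exe under explorer.exe) should not.
$SampleEvents = @(
    [pscustomobject]@{
        UtcTime = '2023-07-11 09:12:01'; Computer = 'FS01'
        ParentImage = 'C:\Windows\System32\wbem\WmiPrvSE.exe'; Image = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1689066721.45 2>&1'
    },
    [pscustomobject]@{
        UtcTime = '2023-07-11 09:14:33'; Computer = 'FS01'
        ParentImage = 'C:\Windows\System32\services.exe'; Image = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'C:\Windows\system32\cmd.exe /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat'
    },
    [pscustomobject]@{
        UtcTime = '2023-07-11 09:20:10'; Computer = 'FS01'
        ParentImage = 'C:\Windows\System32\cmd.exe'; Image = 'C:\Windows\System32\reg.exe'
        CommandLine = 'reg save HKLM\SAM C:\Windows\Temp\sam.hiv'
    },
    [pscustomobject]@{
        UtcTime = '2023-07-11 09:21:00'; Computer = 'WS07'
        ParentImage = 'C:\Windows\explorer.exe'; Image = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'cmd.exe /c dir C:\Users\alice\Documents'
    }
)

Find-LateralMovementArtifacts -Events $SampleEvents | Format-Table -AutoSize
```

Run against the constructed sample, the function returns three hits (wmiexec, smbexec, and the SAM export) and ignores the benign record. The wmiexec and smbexec rules key on the parent process as well as the command line, which keeps false positives from ordinary scripts that redirect to admin shares low; the reg.exe rule is deliberately broader and will also fire on legitimate backup tooling, so route it to triage rather than automatic blocking.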

Microsoft has linked Storm-0978 to the earlier operation of the Industrial Spy ransomware marketplace and its crypter. As of July 2023, Storm-0978 has shifted to a ransomware variant named Underground, which shares significant code with Industrial Spy.

Cyble Research and Intelligence Labs (CRIL) recently published a blog post on the newly identified Underground ransomware variant used in the ongoing Storm-0978 campaign.

Figure 3 shows the Underground Team ransomware login panel, which is displayed when the Onion URL from the ransom note is opened.

Figure 3 – Login panel of Underground Team ransomware

Conclusion:

Zero-day vulnerabilities cannot be predicted or detected in advance, which makes them especially dangerous for any organization's infrastructure. Storm-0978 identified and exploited a zero-day vulnerability (CVE-2023-36884) in Microsoft Office to compromise multiple systems and carried out both espionage and ransomware operations from that foothold.

The attackers used a RomCom variant for espionage and deployed Underground ransomware for extortion. The campaign shows that Storm-0978 is a capable group that is likely to keep targeting organizations in the defense and government sectors.

Recommendations

We have listed some essential cybersecurity best practices that form the first line of control against attackers. We recommend that our readers follow the best practices given below:

  • Block process creations originating from PsExec and WMI commands. Microsoft notes that some organizations may experience compatibility issues with this Attack Surface Reduction rule on certain server systems, but recommends deploying it on all other systems to prevent lateral movement via PsExec and WMI, including Impacket's wmiexec.
  • Block executable files from running unless they meet a prevalence, age, or trusted-list criterion.

Safety Measures Needed to Prevent Ransomware Attacks

  • Conduct regular backup practices and keep those backups offline or in a separate network.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.


Users Should Take the Following Steps After the Ransomware Attack

  • Isolate infected devices from the rest of the network.
  • Disconnect external storage devices if connected.
  • Inspect system logs for suspicious events.

Impact of Ransomware

  • Loss of Valuable data
  • Loss of the organization’s reputation and integrity
  • Loss of the organization’s sensitive business information
  • Disruption in organization operation
  • Financial loss

Remediation For CVE-2023-36884

  • Enable the Attack Surface Reduction rule that blocks all Office applications from creating child processes.
  • Organizations that cannot use that rule can instead set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to prevent exploitation. Note that while this registry setting mitigates the issue, it may affect the normal functionality of the listed applications in some use cases.
  • Add the following application names as REG_DWORD values with data 1 under the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION":
    • Excel.exe
    • Graph.exe
    • MSAccess.exe
    • MSPub.exe
    • PowerPoint.exe
    • Visio.exe
    • WinProj.exe
    • WinWord.exe
    • Wordpad.exe
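The following PowerShell is an added example written for this page, not a script from Cyble or from Microsoft's advisory. It applies the registry mitigation listed above on a single host, enables the two Attack Surface Reduction rules this post recommends, and then reports the observed state of each control so the result can be used as a fleet-wide compliance check. The ASR rule GUIDs are reproduced from Microsoft's Attack Surface Reduction rules reference as recalled by the author of this example; confirm them against that reference before deployment. Run in an elevated session.

```powershell
# Added example (not from the Cyble post or Microsoft's advisory): apply and
# verify the CVE-2023-36884 mitigations on one host. Requires an elevated session.
# ASR GUIDs are from Microsoft's ASR rules reference as recalled here; verify before use.

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$OfficeApps = 'Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
              'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe'

$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations originating from PSExec and WMI commands'
}

function Enable-Cve202336884Mitigation {
    # -AuditAsr puts the ASR rules in audit mode so the compatibility problems
    # Microsoft warns about on some servers show up in the event log before blocking.
    param([switch]$AuditAsr)

    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    foreach ($app in $OfficeApps) {
        New-ItemProperty -Path $KeyPath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
    }

    $action = if ($AuditAsr) { 'AuditMode' } else { 'Enabled' }
    foreach ($id in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $action
    }
}

function Test-Cve202336884Mitigation {
    # Returns one object per control with its observed state.
    $results = @()

    $missing = @()
    if (Test-Path -Path $KeyPath) {
        $props = Get-ItemProperty -Path $KeyPath
        foreach ($app in $OfficeApps) {
            if ($props.$app -ne 1) { $missing += $app }
        }
    } else {
        $missing = $OfficeApps
    }
    $results += [pscustomobject]@{
        Control = 'FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
        State   = if ($missing.Count -eq 0) { 'Configured' } else { "Missing: $($missing -join ', ')" }
    }

    # Defender reports rule IDs in lowercase; PowerShell's -eq is case-insensitive.
    # Action codes: 1 = Block, 2 = Audit, 6 = Warn, anything else = Disabled.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($id in $AsrRules.Keys) {
        $state = 'NotConfigured'
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -eq $id) {
                $state = switch ($actions[$i]) { 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { 'Disabled' } }
            }
        }
        $results += [pscustomobject]@{ Control = $AsrRules[$id]; State = $state }
    }
    $results
}

Enable-Cve202336884Mitigation -AuditAsr
Test-Cve202336884Mitigation | Format-Table -AutoSize
```

Roll out with -AuditAsr first and review the Defender operational log for ASR audit events against the affected Office binaries; once no legitimate workflow trips the rules, rerun without the switch to move them to block mode. The registry mitigation is independent of Defender and takes effect without it, which is why it is the fallback for hosts where ASR cannot be used.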

MITRE ATT&CK® Techniques

Tactic               Technique ID  Technique Name
Initial Access       T1566         Phishing
Execution            T1204         User Execution
Discovery            T1082         System Information Discovery
Discovery            T1217         Browser Information Discovery
Discovery            T1083         File and Directory Discovery
Defense Evasion      T1070         Indicator Removal
Lateral Movement     T1534         Internal Spearphishing
Lateral Movement     T1550         Use Alternate Authentication Material
Impact               T1486         Data Encrypted for Impact
Impact               T1490         Inhibit System Recovery
Command and Control  T1071         Application Layer Protocol

Indicators Of Compromise

Indicator                                                         Indicator Type  Description
d4a847fa9c4c7130a852a2e197b205493170a8b44426d9ec481fc4b285a92666  SHA256          Underground Team Ransomware
fb4ad5d21f0d8c6755eb4addba0ac288bd2574b6                          SHA1            Underground Team Ransomware
059175be5681a633190cd9631e2975f6                                  MD5             Underground Team Ransomware
