CISA ordered federal agencies to mitigate remote code execution zero-days affecting Windows and Office products that were exploited by the Russia-based RomCom cybercriminal group in NATO phishing attacks.
The security flaws (collectively tracked as CVE-2023-36884) have also been added to CISA’s list of Known Exploited Vulnerabilities on Monday.
Under the binding operational directive (BOD 22-01) issued in November 2021, U.S. Federal Civilian Executive Branch Agencies (FCEB) are now required to secure Windows devices on their networks against attacks exploiting CVE-2023-36884.
While the flaw is yet to be addressed, Microsoft has committed to delivering patches through the monthly release process or an out-of-band security update.
Until patches are available, Redmond says customers using Defender for Office 365, Microsoft 365 Apps (Versions 2302 and later), and those who already enabled the “Block all Office applications from creating child processes” Attack Surface Reduction Rule are protected against CVE-2023-36884 phishing attacks.
Those not using these protections can add the following process names to the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key as values of type REG_DWORD with data 1 to remove the attack vector: Excel.exe, Graph.exe, MSAccess.exe, MSPub.exe, PowerPoint.exe, Visio.exe, WinProj.exe, WinWord.exe, Wordpad.exe.
However, it’s also important to note that while setting this registry key will block CVE-2023-36884 attacks, it may also impact some Microsoft Office apps’ functionality.
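The registry workaround and the ASR rule described above are the two checks an administrator would want to script. The PowerShell below is an added example, not code from the article, CISA or Microsoft: it audits the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION values for each process name the article lists, applies them (with -WhatIf support so the change can be previewed), and reports whether the “Block all Office applications from creating child processes” rule is in Block mode. Two things are assumptions that must be verified against Microsoft’s advisory before deployment: the full key path under HKLM (the article gives only the key name) and the ASR rule GUID used in Test-OfficeChildProcessAsrRule.

```powershell
# Added example (not from the article, CISA or Microsoft): audit and apply the
# FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION mitigation for CVE-2023-36884.
# ASSUMPTION: the key lives under the Internet Explorer FeatureControl policy
# path below; confirm against Microsoft's published mitigation before use.
#Requires -RunAsAdministrator

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'

# Process names exactly as listed in the article's mitigation guidance.
$OfficeProcesses = @(
    'Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
    'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe'
)

function Get-CrossProtocolMitigationStatus {
    # Returns one object per process: the current REG_DWORD data (if any)
    # and whether it equals 1, i.e. whether the mitigation is in place.
    [CmdletBinding()]
    param([string]$Path = $KeyPath, [string[]]$Processes = $OfficeProcesses)

    $keyExists = Test-Path -LiteralPath $Path
    foreach ($proc in $Processes) {
        $data = $null
        if ($keyExists) {
            $item = Get-ItemProperty -LiteralPath $Path -Name $proc -ErrorAction SilentlyContinue
            if ($null -ne $item) { $data = $item.$proc }
        }
        [pscustomobject]@{
            Process   = $proc
            Data      = $data
            Mitigated = ($data -eq 1)
        }
    }
}

function Set-CrossProtocolMitigation {
    # Creates the key if missing and writes each process name as REG_DWORD = 1.
    # Supports -WhatIf / -Confirm so the change can be previewed on a pilot host.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $KeyPath, [string[]]$Processes = $OfficeProcesses)

    if (-not (Test-Path -LiteralPath $Path)) {
        if ($PSCmdlet.ShouldProcess($Path, 'Create registry key')) {
            New-Item -Path $Path -Force | Out-Null
        }
    }
    foreach ($proc in $Processes) {
        if ($PSCmdlet.ShouldProcess("$Path\$proc", 'Set REG_DWORD data to 1')) {
            New-ItemProperty -LiteralPath $Path -Name $proc -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

function Test-OfficeChildProcessAsrRule {
    # True when the "Block all Office applications from creating child processes"
    # ASR rule is configured in Block mode (action 1). ASSUMPTION: this GUID is
    # the rule's published identifier; verify in Microsoft's ASR rule reference.
    $ruleId = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    $prefs = Get-MpPreference -ErrorAction SilentlyContinue
    if ($null -eq $prefs -or -not $prefs.AttackSurfaceReductionRules_Ids) { return $false }
    $ids     = @($prefs.AttackSurfaceReductionRules_Ids)
    $actions = @($prefs.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        # Actions: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
        if ($ids[$i].ToLower() -eq $ruleId) { return ($actions[$i] -eq 1) }
    }
    return $false
}

# Usage: audit first, then apply. Because the article notes the registry values
# can break some Office functionality, preview with -WhatIf and pilot before rollout.
Get-CrossProtocolMitigationStatus | Format-Table -AutoSize
if (Test-OfficeChildProcessAsrRule) {
    'ASR rule "Block all Office applications from creating child processes" is in Block mode.'
} else {
    'ASR child-process rule is not in Block mode; registry mitigation is the fallback.'
}
# Set-CrossProtocolMitigation -WhatIf
```

Running the audit before the change gives a per-host baseline that can be re-run after rollout to confirm every listed process name reads 1; hosts already protected by the ASR rule or Defender for Office 365 can be excluded from the registry change to avoid the functionality impact the article mentions.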
Even though the primary focus of the catalog revolves around U.S. federal agencies, it is strongly advised that private companies also prioritize patching all vulnerabilities added to CISA’s KEV catalog.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warned.
Exploited by Russian hackers in NATO phishing attacks
In a report published during this month’s Patch Tuesday, Microsoft confirmed that the CVE-2023-36884 zero-days were exploited in targeted attacks against government entities across North America and Europe.
“The campaign involved the abuse of CVE-2023-36884, which included a remote code execution vulnerability exploited before disclosure to Microsoft via Word documents,” Redmond said.
“Storm-0978 (DEV-0978; also referred to as RomCom, the name of their backdoor, by other vendors) is a cybercriminal group based out of Russia, known to conduct opportunistic ransomware and extortion-only operations, as well as targeted credential-gathering campaigns likely in support of intelligence operations.”
“The actor’s latest campaign detected in June 2023 involved abuse of CVE-2023-36884 to deliver a backdoor with similarities to RomCom.”
According to reports compiled by researchers from BlackBerry’s intelligence team and Ukraine’s Computer Emergency Response Team (CERT-UA), the attackers used malicious Office documents that impersonated the Ukrainian World Congress organization to target organizations participating in the NATO Summit in Vilnius.
Through this ruse, they successfully tricked their targets into deploying malware payloads, which included the MagicSpell loader and the RomCom backdoor.
The RomCom cybercrime gang was previously linked to the Industrial Spy ransomware operation and has now switched to a new ransomware strain called Underground. In May 2022, MalwareHunterTeam also found a link to the Cuba ransomware operation while investigating the email address and TOX ID in an Industrial Spy ransom note.