Microsoft warns that threat actors are actively exploiting an unpatched zero-day present in several Windows and Office products. The bug enables malicious actors to gain remote code execution via malicious Office documents.
The campaign was seen in Europe and North America, with the vulnerability observed in attacks targeting organizations that attended the NATO Summit in Vilnius.
Threat actors impersonated the Ukrainian World Congress organization to trick the victims into accessing malicious documents.
The phishing campaign attempting to spread the malicious files is conducted by a threat actor tracked as Storm-0978, also known as RomCom. Storm-0978, or RomCom, is a Russia-based threat group known for sophisticated attacks.
Microsoft reports that in June 2023, Storm-0978 launched a phishing campaign, containing a fake OneDrive loader to deliver a backdoor with similarities to RomCom.
CVE-2023-36884 is an Office and Windows HTML remote code execution (RCE) vulnerability. Threat actors can exploit it in high-complexity attacks, and it does not require authentication or user interaction.
If the attack succeeds, hackers will be able to access sensitive information, disable system protection, and restrict access to the compromised system.
An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.
CVE-2023-36884 Mitigation Measures
According to Microsoft, all customers who use Microsoft Defender for Office are safe from malicious attachments that might try to exploit this vulnerability.
Microsoft also recommends two other mitigation measures against the zero-day vulnerability:
- Enabling the "Block all Office applications from creating child processes" Attack Surface Reduction rule prevents exploitation of CVE-2023-36884.
- Alternatively, the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key can be configured to prevent exploitation. In this case, Microsoft warns:
Please note that while these registry settings would mitigate exploitation of this issue, it could affect regular functionality for certain use cases related to these applications.
Thus, the company recommends adding the following application names to the registry key as values of type REG_DWORD with data 1:
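The following PowerShell helper is an added example for auditing and applying the two mitigations above; it is not code from the article or from Microsoft. It assumes the registry path under HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl and the ASR rule GUID from Microsoft's guidance, and takes the application names as a parameter because the article's list is not reproduced here (WinWord.exe appears only as an illustrative name).

```powershell
# Added example, not from the article. Assumed values: the ASR rule GUID for
# "Block all Office applications from creating child processes" and the
# FeatureControl registry path from Microsoft's CVE-2023-36884 guidance.
$AsrRuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'

function Get-Cve202336884Status {
    param([Parameter(Mandatory)][string[]]$AppNames)
    # ASR check: Get-MpPreference exposes parallel arrays of rule IDs and actions (1 = Block).
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    $asrBlocking = $false
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $AsrRuleId -and $acts[$i] -eq 1) { $asrBlocking = $true }
    }
    # Registry check: each application name must exist as a REG_DWORD value set to 1.
    $missing = foreach ($app in $AppNames) {
        $v = Get-ItemProperty -Path $KeyPath -Name $app -ErrorAction SilentlyContinue
        if ($null -eq $v -or $v.$app -ne 1) { $app }
    }
    [pscustomobject]@{
        AsrRuleBlocking = $asrBlocking
        RegistryMissing = @($missing)
        # Either mitigation on its own is sufficient according to the advisory.
        Mitigated       = $asrBlocking -or (@($missing).Count -eq 0)
    }
}

function Set-Cve202336884RegistryMitigation {
    param([Parameter(Mandatory)][string[]]$AppNames)
    # Creates the key if absent, then writes one REG_DWORD = 1 per application name.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    foreach ($app in $AppNames) {
        New-ItemProperty -Path $KeyPath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Usage (run elevated). Placeholder list: replace with the full set of
# application names from Microsoft's advisory.
$apps = @('WinWord.exe')
Get-Cve202336884Status -AppNames $apps
# To apply: Set-Cve202336884RegistryMitigation -AppNames $apps
```

Because the registry mitigation can break legitimate cross-protocol navigation in the listed applications, run the status function first and prefer the ASR rule where Defender is available.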