
Microsoft: Unpatched Office zero-day exploited in NATO summit attacks

Microsoft disclosed today an unpatched zero-day security bug in multiple Windows and Office products exploited in the wild to gain remote code execution via malicious Office documents.

Unauthenticated attackers can exploit the vulnerability (tracked as CVE-2023-36884) in high-complexity attacks without requiring user interaction.

Successful exploitation could lead to a total loss of confidentiality, availability, and integrity, allowing the attackers to access sensitive information, turn off system protection, and deny access to the compromised system.

"Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents," Redmond said today.

"An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file."

While the flaw is not yet addressed, Microsoft says it will provide customers with patches via the monthly release process or an out-of-band security update.

Mitigation measures available

Until CVE-2023-36884 patches are available, Microsoft says customers using Defender for Office and those who have enabled the "Block all Office applications from creating child processes" Attack Surface Reduction Rule are protected against phishing attacks attempting to exploit the bug.

Those not using these protections can add the following application names to the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key as values of type REG_DWORD with data 1:

  • Excel.exe
  • Graph.exe
  • MSAccess.exe
  • MSPub.exe
  • PowerPoint.exe
  • Visio.exe
  • WinProj.exe
  • WinWord.exe
  • Wordpad.exe

However, it's important to note that setting this registry key to block exploitation attempts may also impact some Microsoft Office functionality linked to the applications listed above.

[Image: Setting the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key (Microsoft)]
Exploited in attacks targeting NATO Summit attendees

In a separate blog post, the company says the CVE-2023-36884 bug was exploited in recent attacks targeting organizations attending the NATO Summit in Vilnius, Lithuania.

As documented in reports published by Ukraine's Computer Emergency Response Team (CERT-UA) and researchers with BlackBerry's intelligence team, the attackers used malicious documents impersonating the Ukrainian World Congress organization to install malware payloads, including the MagicSpell loader and the RomCom backdoor.

"If successfully exploited, it allows an attacker to conduct a remote code execution (RCE)-based attack via the crafting of a malicious .docx or .rtf document designed to exploit the vulnerability," BlackBerry security researchers said.

"This is achieved by leveraging the specially crafted document to execute a vulnerable version of MSDT, which in turn allows an attacker to pass a command to the utility for execution."

"The actor's latest campaign detected in June 2023 involved abuse of CVE-2023-36884 to deliver a backdoor with similarities to RomCom," Microsoft also said on Tuesday.

RomCom's links to ransomware

RomCom is a Russian-based cybercriminal group (also tracked as Storm-0978) known for engaging in ransomware and extortion attacks alongside campaigns focused on stealing credentials, likely aimed at supporting intelligence operations, according to Redmond.

The gang was previously linked to the Industrial Spy ransomware operation, which has now switched to ransomware called Underground [VirusTotal].

Underground ransom note (BleepingComputer)

In May 2022, while investigating the TOX ID and email address in an Industrial Spy ransom note, MalwareHunterTeam uncovered a peculiar association with the Cuba ransomware operation.

He observed that an Industrial Spy ransomware sample generated a ransom note featuring the same TOX ID and email address used by Cuba, as well as links to Cuba's data leak site.

However, instead of directing users to the Industrial Spy data leak site, the provided link led to Cuba Ransomware's Tor site. Additionally, the ransom note used the same file name, !! READ ME !!.txt, as previously identified Cuba ransom notes.
