Microsoft disclosed today an unpatched zero-day security bug in several Windows and Office products that is being exploited in the wild to gain remote code execution via malicious Office documents.
Unauthenticated attackers can exploit the vulnerability (tracked as CVE-2023-36884) in high-complexity attacks, although the victim still has to open the malicious document for exploitation to succeed.
Successful exploitation can lead to a total loss of confidentiality, availability, and integrity, allowing the attackers to access sensitive information, turn off system protection, and deny access to the compromised system.
“Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents,” Redmond said today.
“An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.”
While the flaw is not yet addressed, Microsoft says it will provide customers with patches via the monthly release process or an out-of-band security update.
Mitigation measures available
Until CVE-2023-36884 patches are available, Microsoft says customers using Defender for Office and those who have enabled the “Block all Office applications from creating child processes” Attack Surface Reduction rule are protected against phishing attacks attempting to exploit the bug.
Those not using these protections can add the following application names to the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key as values of type REG_DWORD with data 1:
- Excel.exe
- Graph.exe
- MSAccess.exe
- MSPub.exe
- PowerPoint.exe
- Visio.exe
- WinProj.exe
- WinWord.exe
- Wordpad.exe
However, it is important to note that setting this registry key to block exploitation attempts may also impact some Microsoft Office functionality linked to the applications listed above.
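To apply, verify, and roll back the two interim mitigations described above on a single endpoint, here is an added PowerShell example; it is not from the article or from Microsoft. It assumes an elevated session on a Windows host running Microsoft Defender Antivirus, takes the registry key path and the executable list from the guidance above, and assumes that D4F940AB-401B-4EFC-AADC-AD5F3C50688A is the ASR rule ID Defender uses for “Block all Office applications from creating child processes”; confirm that ID against your Defender documentation before deploying.

```powershell
# Added example (not part of the original article or Microsoft's guidance).
# Interim mitigations for CVE-2023-36884: the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION
# registry values plus the Office child-process ASR rule. Run elevated.

# Key path and executable list exactly as listed in the mitigation guidance above.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$Apps = @('Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
          'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe')

# Assumed rule ID for "Block all Office applications from creating child processes".
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Set-CrossProtocolBlock {
    param([string]$Path = $KeyPath, [string[]]$Names = $Apps)
    # -Force creates the missing intermediate keys (Policies\...\FeatureControl) as well.
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    foreach ($name in $Names) {
        # REG_DWORD = 1 for each executable; -Force overwrites a pre-existing value.
        New-ItemProperty -Path $Path -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-CrossProtocolBlock {
    # Returns $true only when every listed executable has the DWORD set to 1,
    # so a partially applied mitigation is reported as non-compliant.
    param([string]$Path = $KeyPath, [string[]]$Names = $Apps)
    if (-not (Test-Path -Path $Path)) { return $false }
    $values = Get-ItemProperty -Path $Path
    foreach ($name in $Names) {
        if ($values.$name -ne 1) { return $false }
    }
    return $true
}

function Remove-CrossProtocolBlock {
    # Rollback for the functionality impact noted above, or once the patch is deployed.
    param([string]$Path = $KeyPath, [string[]]$Names = $Apps)
    if (-not (Test-Path -Path $Path)) { return }
    foreach ($name in $Names) {
        Remove-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
    }
}

function Enable-OfficeChildProcessRule {
    param([string]$RuleId = $OfficeChildProcRule)
    # Defender ASR rules are managed through the MpPreference cmdlets.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions Enabled
}

function Test-OfficeChildProcessRule {
    param([string]$RuleId = $OfficeChildProcRule)
    $pref = Get-MpPreference
    $ids = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        # Action 1 = Block (Enabled); 2 = Audit and 0 = Disabled do not stop the attack.
        if ($ids[$i] -ieq $RuleId -and $actions[$i] -eq 1) { return $true }
    }
    return $false
}

# Apply both mitigations, then report their state.
Set-CrossProtocolBlock
Enable-OfficeChildProcessRule
[pscustomobject]@{
    CrossProtocolBlockApplied = Test-CrossProtocolBlock
    OfficeChildProcessRuleOn  = Test-OfficeChildProcessRule
}
```

Test-CrossProtocolBlock is the piece to keep around after the patch ships: run it from your configuration-compliance tooling to confirm the value was not silently dropped, and call Remove-CrossProtocolBlock once the update is installed so the Office functionality affected by the key is restored.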

Exploited in attacks targeting NATO Summit attendees
In a separate blog post, the company says the CVE-2023-36884 bug was exploited in recent attacks targeting organizations attending the NATO Summit in Vilnius, Lithuania.
As documented in reports published by Ukraine’s Computer Emergency Response Team (CERT-UA) and researchers with BlackBerry’s intelligence team, the attackers used malicious documents impersonating the Ukrainian World Congress organization to install malware payloads, including the MagicSpell loader and the RomCom backdoor.
“If successfully exploited, it allows an attacker to conduct a remote code execution (RCE)-based attack via the crafting of a malicious .docx or .rtf document designed to exploit the vulnerability,” BlackBerry security researchers said.
“This is achieved by leveraging the specially crafted document to execute a vulnerable version of MSDT, which in turn allows an attacker to pass a command to the utility for execution.”
“The actor’s latest campaign detected in June 2023 involved abuse of CVE-2023-36884 to deliver a backdoor with similarities to RomCom,” Microsoft also said on Tuesday.
RomCom’s links to ransomware
RomCom is a Russian-based cybercriminal group (also tracked as Storm-0978) known for engaging in ransomware and extortion attacks alongside campaigns focused on stealing credentials, potentially aimed at supporting intelligence operations, according to Redmond.
The gang was previously linked to the Industrial Spy ransomware operation, which has now switched to ransomware called Underground [VirusTotal].

In May 2022, while investigating the TOX ID and email address in an Industrial Spy ransom note, MalwareHunterTeam uncovered a peculiar association with the Cuba ransomware operation.
He observed that an Industrial Spy ransomware sample generated a ransom note featuring an identical TOX ID and email address to those used by Cuba, as well as links to Cuba’s data leak site.
However, instead of directing users to the Industrial Spy data leak site, the provided link led to Cuba Ransomware’s Tor site. Additionally, the ransom note used the same file name, !! READ ME !!.txt, as previously identified Cuba ransom notes.