In a critical security warning, Microsoft has alerted the public to unpatched vulnerabilities in its Windows and Office products. These vulnerabilities are actively being exploited by Russian spies and fraudsters, posing a significant risk to organizations and individuals alike. This blog post provides a risk assessment, exploit details, indicators of compromise (IOCs), and the mitigation steps you should apply now to fortify your systems against these targeted attacks.
1. Risk Assessment: The vulnerability identified as CVE-2023-36884 has been assigned a high CVSSv3 score of 8.3, reflecting its severe impact. This vulnerability allows unauthenticated attackers to execute remote code on affected systems without requiring any user involvement.
2. Exploitation of CVE-2023-36884: Recent attacks on organizations attending the NATO Summit in Vilnius, Lithuania, exposed active exploitation of CVE-2023-36884. The threat actors distributed fraudulent Microsoft Office documents disguised as authentic communications from the Ukrainian World Congress organization; through these malicious documents they delivered malware payloads, including the MagicSpell loader and the RomCom backdoor.
3. Technical Details and Indicators of Compromise (IOCs): To exploit CVE-2023-36884, threat actors craft malicious .docx or .rtf documents designed to trigger remote code execution. By leveraging a vulnerable version of the Microsoft Support Diagnostic Tool (MSDT), attackers gain the ability to execute arbitrary commands on compromised systems. The Indicators of Compromise (IOCs) associated with these attacks are listed below:
File Paths and Command Lines:
- C:\Users\Public\Libraries\FileInfo.dll
- C:\Users\Public\Libraries\BrowserData\procsys.dll
- C:\Users\Public\Libraries\BrowserData\Result\
- C:\Users\Public\Libraries\BrowserData\Result\LoginData.csv
- C:\Users\Public\Libraries\BrowserData\Result\Mozilla Firefox@%USERNAME%@Cookies.csv
- C:\Users\Public\Libraries\BrowserData\Result\%USERNAME%@Credits.csv
- C:\Users\Public\Libraries\BrowserData\Result\%USERNAME%@History.csv
- %TMP%\ais.exe
- %TMP%\temp.cmd
- %TMP%\19207187.dll (filename is dynamic)
- %TMP%\[0-9]+.dll
- C:\Users\Public\Libraries\19208093.dll (filename is dynamic)
- C:\Users\Public\Libraries\[0-9]+.dll
- C:\Users\Public\Libraries\rtmpak1981674535.dll0 (filename is dynamic)
- C:\Users\Public\Libraries\rtmpak[0-9]+.dll0
- rundll32.exe %TMP%\19207187.dll,MimeSource
- rundll32.exe C:\Users\Public\Libraries\rtmpak2235685807.dll0,fIt
- rundll32.exe C:\Users\Public\Libraries\BrowserData\procsys.dll,stub
- rundll32.exe C:\Users\Public\Libraries\FileInfo.dll,fSt
- %FTP_LOGIN%:%FTP_PASSWORD%:%CAMPAIGN_ID%
- cmd.exe /c C:\Users\Public\Libraries\temp.cmd C:\Users\Public\Libraries\FileInfo.dll
- cmd.exe /c %TMP%\temp.cmd %TMP%\ais.exe
- C:\Users\%USERNAME%\Desktop\certificates_rootCA.exe
- nltest /domain_trusts
URLs and Domains:
- hxxps://delta.mil.gov.ua.delta-storages[.]com/certificates/update
- hxxps://delta.mil.gov.ua.delta-storages[.]com/certificates/windows/certificates_rootca.zip
- hxxps://46.249.49[.]109:4444
- hxxps://hexactor[.]com:4444
- ftp://46.249.49[.]109
- delta.mil.gov.ua.delta-storages[.]com
- delta-storages[.]com (registered on 2022-12-15; registrar: @webnic[.]cc)
- hexactor[.]com (registered on 2022-11-12; registrar: @namesilo[.]com; email: gor4j3d@proton[.]me)
- 46.249.49[.]109 (provider: @serverius[.]net)
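As an added example (not code from the original post), the following PowerShell function matches process command lines against the path and command-line indicators listed above. The function name and the sample lines are constructed for this illustration; in production you would feed it command lines from Sysmon Event ID 1 or Security Event 4688 via Get-WinEvent.

```powershell
# Added detection example (not from the original post). The regexes are
# derived from the command-line and path indicators above; dynamic numeric
# file names are written as [0-9]+, as the IOC list itself does.
$script:IocPatterns = @(
    @{ Name = 'rundll32 numeric DLL, MimeSource export';     Regex = 'rundll32\.exe\s+\S*\\[0-9]+\.dll,MimeSource' }
    @{ Name = 'rundll32 rtmpak loader (.dll0), fIt export';  Regex = 'rundll32\.exe\s+\S*\\rtmpak[0-9]+\.dll0,fIt' }
    @{ Name = 'rundll32 procsys.dll, stub export';           Regex = 'rundll32\.exe\s+\S*\\BrowserData\\procsys\.dll,stub' }
    @{ Name = 'rundll32 FileInfo.dll, fSt export';           Regex = 'rundll32\.exe\s+\S*\\FileInfo\.dll,fSt' }
    @{ Name = 'temp.cmd launcher';                           Regex = 'cmd\.exe\s+/c\s+\S*\\temp\.cmd(\s|$)' }
    @{ Name = 'certificates_rootCA.exe dropper';             Regex = '\\certificates_rootca\.exe' }
    @{ Name = 'domain trust enumeration (nltest)';           Regex = '(^|\\)nltest(\.exe)?\s+/domain_trusts' }
    @{ Name = 'DLL under C:\Users\Public\Libraries (broad)'; Regex = 'C:\\Users\\Public\\Libraries\\\S+\.dll0?\b' }
)

function Find-Storm0978Indicator {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$CommandLine)
    foreach ($line in $CommandLine) {
        # -match is case-insensitive, so mixed-case paths still hit.
        foreach ($p in $script:IocPatterns) {
            if ($line -match $p.Regex) {
                [pscustomobject]@{ Indicator = $p.Name; CommandLine = $line }
                break   # patterns are ordered most to least specific; report the first hit
            }
        }
    }
}

# Constructed sample: two benign lines and four modelled on the IOC list.
$sample = @(
    'C:\Windows\System32\svchost.exe -k netsvcs'
    '"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n report.docx'
    'rundll32.exe C:\Users\Public\Libraries\rtmpak2235685807.dll0,fIt'
    'rundll32.exe C:\Users\Public\Libraries\BrowserData\procsys.dll,stub'
    'cmd.exe /c C:\Users\Public\Libraries\temp.cmd C:\Users\Public\Libraries\FileInfo.dll'
    'nltest /domain_trusts'
)
Find-Storm0978Indicator -CommandLine $sample | Format-Table -AutoSize

# Live use against Sysmon Event ID 1 (requires Sysmon to be installed):
#   $lines = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1} |
#     ForEach-Object { ([xml]$_.ToXml()).Event.EventData.Data |
#       Where-Object Name -eq 'CommandLine' | ForEach-Object '#text' }
#   Find-Storm0978Indicator -CommandLine $lines
```

The last pattern is deliberately broad (any DLL dropped under C:\Users\Public\Libraries), so review its hits manually rather than alerting on them directly.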
4. Recommended Mitigation Steps: To effectively mitigate the risks posed by these unpatched Office zero-day attacks, it is crucial to implement the following mitigation steps:
4.1. Leverage Microsoft Defender for Office Protection: Utilize Microsoft Defender for Office to defend against attachments attempting to exploit this vulnerability. Ensure that your Office environment is configured to maximize the effectiveness of this essential security feature.
4.2. Implement the Attack Surface Reduction Rule: Enable the "Block all Office applications from creating child processes" Attack Surface Reduction rule to proactively prevent exploitation within existing attack chains. By restricting the creation of child processes, you significantly mitigate the risk posed by these attacks.
4.3. Configure the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION Registry Key: For organizations unable to implement the above protections, configuring the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key provides an additional layer of defense. However, exercise caution as this configuration may impact regular functionality in specific use cases. Add the following application names as REG_DWORD values (data 1) in the registry key:
- Excel.exe
- Graph.exe
- MSAccess.exe
- MSPub.exe
- PowerPoint.exe
- Visio.exe
- WinProj.exe
- WinWord.exe
- Wordpad.exe
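Steps 4.2 and 4.3 above, as an added PowerShell example that is not part of the original post (4.1 is a Defender for Office tenant setting and is not scripted here). It enables the ASR rule by its Microsoft-documented GUID and writes the nine REG_DWORD values under the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION key; the key path comes from Microsoft's guidance for CVE-2023-36884, which the post does not spell out, and the verification function name is my own.

```powershell
# Added example (not from the original post): apply mitigations 4.2 and 4.3
# on one host and read the settings back. Run in an elevated PowerShell; for
# a fleet, push the same values via Group Policy or Intune instead.

# 4.2 ASR rule "Block all Office applications from creating child processes".
# GUID from Microsoft's ASR rule reference. Use 'AuditMode' first to log
# without blocking, then switch to 'Enabled' once the audit shows no impact.
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                 -AttackSurfaceReductionRules_Actions Enabled

# 4.3 FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION: one REG_DWORD = 1 per
# application name the post lists. Key path is the one from Microsoft's
# CVE-2023-36884 guidance (the post gives only the value name).
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$OfficeApps = 'Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
              'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe'

if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
foreach ($app in $OfficeApps) {
    New-ItemProperty -Path $KeyPath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
}

# Read back: any app whose value is not 1, and the ASR action code for the
# rule (1 = Enabled/block, 2 = AuditMode, 0 = Disabled, -1 = not configured).
function Test-OfficeZeroDayMitigation {
    $props   = Get-ItemProperty -Path $KeyPath
    $missing = @($OfficeApps | Where-Object { $props.$_ -ne 1 })
    $mp  = Get-MpPreference
    $ids = @($mp.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() })
    $idx = [array]::IndexOf($ids, $OfficeChildProcRule.ToUpper())
    $action = -1
    if ($idx -ge 0) { $action = [int]$mp.AttackSurfaceReductionRules_Actions[$idx] }
    [pscustomobject]@{
        RegistryValuesMissing = $missing
        AsrRuleActionCode     = $action
    }
}
Test-OfficeZeroDayMitigation
```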
References:
- BleepingComputer: Microsoft unpatched Office zero-day exploited in NATO Summit attacks
- Microsoft Security Blog: Storm-0978 attacks reveal financial and espionage motives
- Azure Sentinel GitHub Repository:
  - Attacker Tools Threat Protection Essentials Hunting Queries
  - Windows Security Events Hunting Queries
- BleepingComputer: Ukraine's Delta military system users targeted by info-stealing malware
- Cert.gov.ua: Article on Storm-0978 attacks
- Microsoft Security Response Center: Vulnerability Information for CVE-2023-36884
Take immediate action to fortify your Office environment and safeguard your systems against these active zero-day attacks!
Conclusion: The presence of unpatched Office zero-day vulnerabilities being actively exploited by Russian spies and fraudsters demands immediate attention and decisive action. The security of your systems and data is paramount in the face of evolving cyber threats. By following the recommended mitigation steps outlined in this blog post and closely monitoring the provided Indicators of Compromise (IOCs), you can significantly reduce the risk of falling victim to these targeted attacks.
At digiALERT, we prioritize cybersecurity consulting and offshore delivery center services to help organizations protect themselves against such threats. Stay informed and remain vigilant by regularly updating your software and implementing the necessary security measures. Microsoft is actively working to address these vulnerabilities and is committed to providing patches through the monthly release process or out-of-band security updates.
Your proactive approach in securing your systems will play a crucial role in safeguarding sensitive information and preventing potential damages caused by these exploits. Trust in the expertise and guidance of digiALERT to ensure the highest level of cybersecurity for your organization.
Stay secure, stay protected!