CISA has ordered federal agencies to mitigate a remote code execution zero-day affecting Windows and Office products that was exploited by the Russian cybercriminal group RomCom in NATO phishing attacks.
The security flaw (tracked as CVE-2023-36884) was also added to CISA’s list of Known Exploited Vulnerabilities on Monday.
Under Binding Operational Directive (BOD 22-01) issued in November 2021, US Federal Civilian Executive Branch (FCEB) agencies are now required to secure Windows devices on their networks against attacks exploiting CVE-2023-36884.
Although the flaw has not yet been fixed, Microsoft has committed to providing a fix through the monthly release process or an out-of-band security update.
Until fixes are available, Redmond says customers using Defender for Office 365, Microsoft 365 Apps (Versions 2302 and higher), and those who have already enabled the “Prevent all Office applications from creating child processes” attack surface reduction rule are protected against the CVE-2023-36884 phishing attack.
Those not using these protections can add the following process names to the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key as REG_DWORD values with data 1 to remove the attack vector: Excel.exe, Graph.exe, MSAccess.exe, MSPub.exe, PowerPoint.exe, Visio.exe, WinProj.exe, WinWord.exe, Wordpad.exe.
However, it is also important to note that while setting this registry key will block CVE-2023-36884 attacks, it may also impact the functionality of some Microsoft Office applications.
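As an added example that is not from the article or from Microsoft, the PowerShell script below audits and applies the registry mitigation described above. The full key path under the Internet Explorer FeatureControl policy hive is an assumption, since the article gives only the key name; run it elevated and preview with -WhatIf before applying.

```powershell
# Added example: audit and apply the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION
# mitigation for CVE-2023-36884. Not code from the article or from Microsoft.
# ASSUMPTION: the article names only the key; the full policy path below is assumed.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'

# Process names listed in the article, each to be set as REG_DWORD = 1.
$OfficeProcesses = @(
    'Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
    'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe'
)

function Get-CrossProtocolBlockState {
    # Returns one object per process: current value and whether it equals 1.
    $existing = if (Test-Path $KeyPath) { Get-ItemProperty -Path $KeyPath } else { $null }
    foreach ($name in $OfficeProcesses) {
        $prop  = if ($existing) { $existing.PSObject.Properties[$name] } else { $null }
        $value = if ($prop) { $prop.Value } else { $null }
        [pscustomobject]@{
            Process   = $name
            Value     = $value
            Mitigated = ($null -ne $value -and [int]$value -eq 1)
        }
    }
}

function Set-CrossProtocolBlock {
    # Creates the key if missing and sets every listed process to DWORD 1.
    # Supports -WhatIf so the change can be previewed before it is made.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    foreach ($name in $OfficeProcesses) {
        if ($PSCmdlet.ShouldProcess("$KeyPath\$name", 'Set REG_DWORD to 1')) {
            New-ItemProperty -Path $KeyPath -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

# Usage (elevated): audit first, then preview the change with -WhatIf.
Get-CrossProtocolBlockState | Format-Table -AutoSize
Set-CrossProtocolBlock -WhatIf
```

Re-run the audit after applying to confirm every process shows Mitigated = True, and test the affected Office applications afterwards, since the article notes the key can impact their functionality.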
Although the primary focus of the catalog revolves around US federal agencies, private companies are strongly advised to also prioritize patching any vulnerabilities added to CISA’s KEV catalog.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warned.
Exploited by Russian hackers in NATO phishing attacks
In a report released during this month’s Patch Tuesday, Microsoft confirmed that the CVE-2023-36884 zero-day was exploited in targeted attacks against government entities in North America and Europe.
“The campaign involved the abuse of CVE-2023-36884, which included a remote code execution vulnerability that was exploited before being disclosed to Microsoft via Word documents,” Redmond said.
“Storm-0978 (DEV-0978; also referred to as RomCom, the name of their backdoor, by other vendors) is a Russia-based cybercriminal group known for running opportunistic ransomware and extortion-only operations, as well as targeted credential-gathering campaigns that may support intelligence operations.”
“The actor’s latest campaign detected in June 2023 involved the abuse of CVE-2023-36884 to provide a backdoor with similarities to RomCom.”
According to reports compiled by BlackBerry Intelligence Team researchers and the Ukrainian Computer Emergency Response Team (CERT-UA), the attackers used malicious Office documents posing as the Ukrainian World Congress organization to target organizations participating in the NATO summit in Vilnius.
Using this lure, they tricked their targets into deploying malware payloads, which included the MagicSpell loader and the RomCom backdoor.
The RomCom cybercrime gang was previously linked to the Industrial Spy ransomware operation and has since moved on to a new ransomware strain called Underground. In May 2022, MalwareHunterTeam also found a link to the Cuba ransomware operation while investigating the email address and TOX ID in a ransom note from Industrial Spy.