
Microsoft Office and Windows HTML RCE Vulnerability

Released: Jul 13, 2023

Updated: Jul 17, 2023


Severity: High

Platform: Microsoft Windows, MS Office (Word/Excel)

Vendor: Microsoft

Attack Type: Vulnerability


Unpatched zero-day exploited in the wild

Microsoft has identified a phishing campaign conducted by the threat actor tracked as Storm-0978 targeting defense and government entities in Europe and North America. The campaign involved the abuse of CVE-2023-36884, a remote code execution vulnerability exploited via specially crafted Microsoft Office documents spread using phishing techniques.

Common Vulnerabilities and Exposures

CVE-2023-36884

Background

Storm-0978 (also referred to as RomCom) is a cybercriminal group based out of Russia, known to conduct ransomware operations. Previously, Storm-0978 has been seen using the "Industrial Spy" ransomware and a ransomware variant called "Underground". Storm-0978 is also known to target organizations with trojanized versions of popular legitimate software. Some of the identified ransomware attacks have impacted the telecommunications, finance industries, and government institutions.

Latest Development

Recent news and incidents related to this threat, including data breaches, cyber-attacks, security incidents, and newly discovered vulnerabilities.


June 2023: According to the Microsoft blog, Storm-0978 conducted a phishing campaign containing a fake OneDrive loader to deliver a backdoor with similarities to RomCom. The phishing emails were directed to defense and government entities in Europe and North America. These emails led to exploitation via the CVE-2023-36884 vulnerability.

July 11, 2023: Microsoft released a detailed blog post on the campaign exploiting CVE-2023-36884.
https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/


July 12, 2023: FortiGuard Labs has updated one of its IPS signatures [MS.Office.RTF.File.OLE.autolink.Code.Execution] to detect and block file-based triggers relating to exploitation of CVE-2023-36884, and has released AV updates to block known malware related to the campaign.

IPS signature telemetry shows increased attack attempts over the last month, with up to 4500+ unique IPS device detections across June and July 2023.

FortiGuard Labs strongly recommends following Microsoft's mitigation guidance and applying patches as soon as they become available to fully mitigate the risk.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884

July 17, 2023: CISA added CVE-2023-36884 to its Known Exploited Vulnerability catalog (KEV).

FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.


PROTECT
  • AV

  • Vulnerability

  • AV (Pre-filter)

  • IPS

DETECT
  • Outbreak Detection

  • IOC

  • Threat Hunting

  • Content Update

RESPOND
  • Assisted Response Services

  • Automated Response

RECOVER
  • NOC/SOC Training

  • End-User Training

IDENTIFY
  • Attack Surface Hardening

  • Business Reputation

Threat Intelligence

Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.


Indicators of compromise
IOC Indicator List