Unpatched Zero-day exploited in the wild
Microsoft has identified a phishing campaign conducted by the threat actor tracked as Storm-0978 targeting defense and government entities in Europe and North America. The campaign involved the abuse of CVE-2023-36884, a remote code execution vulnerability exploited via specially crafted Microsoft Office documents spread using phishing techniques.
Common Vulnerabilities and Exposures
Background
Storm-0978 (also referred to as RomCom) is a cybercriminal group based out of Russia, known to conduct ransomware operations. Previously, Storm-0978 has been seen using the "Industrial Spy" ransomware and a ransomware variant called "Underground". Storm-0978 is also known to target organizations with trojanized versions of popular legitimate software. Some of the identified ransomware attacks have impacted the telecommunications and finance industries as well as government institutions.
Latest Development
Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.
June 2023: According to the Microsoft blog, Storm-0978 conducted a phishing campaign containing a fake OneDrive loader to deliver a backdoor with similarities to RomCom. The phishing emails were directed to defense and government entities in Europe and North America. These emails led to exploitation via the CVE-2023-36884 vulnerability.
July 11, 2023: Microsoft released a detailed blog on the campaign targeting CVE-2023-36884.
https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/
July 12, 2023: FortiGuard Labs has updated one of its IPS signatures, MS.Office.RTF.File.OLE.autolink.Code.Execution, to detect and block file-based triggers relating to exploitation of CVE-2023-36884, and has released AV updates to block known malware related to the campaign.
The IPS signature telemetry shows increased attack attempts over the last month, with up to 4,500+ unique IPS device detections across June and July 2023.
FortiGuard Labs strongly recommends following Microsoft's guide for mitigation and applying patches as soon as they become available to fully mitigate any risks.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
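The IPS signature named above keys on the file-based trigger in RTF documents: an OLE object declared as a link (rather than embedded) that is marked to refresh itself when the document is opened. The following is an added triage example, not FortiGuard's signature logic or any code from the vendors named on this page. It walks RTF groups and tallies objects by their `\object`, `\objautlink` and `\objupdate` control words; the assumption that "linked plus auto-update" is the combination worth flagging is the author's heuristic, and the three sample documents are constructed inline.

```python
import re
from dataclasses import dataclass

# Bytes every RTF document starts with (after optional leading whitespace).
RTF_MAGIC = b"{\\rtf"
# An RTF control word: backslash, letters, optional signed numeric parameter.
CONTROL_WORD = re.compile(rb"\\([A-Za-z]+)(-?\d+)?")


@dataclass
class RtfFinding:
    is_rtf: bool
    ole_objects: int          # groups carrying \object
    autolink_objects: int     # ...that also carry \objautlink (linked, not embedded)
    auto_update_links: int    # linked objects also marked \objupdate (refreshed on open)

    @property
    def suspicious(self) -> bool:
        # A linked OLE object that updates itself when the document opens
        # resolves its target without user interaction; that is the kind of
        # file-based trigger a defender wants quarantined for a closer look.
        return self.auto_update_links > 0


def scan_rtf(data: bytes) -> RtfFinding:
    """Walk RTF groups and tally OLE objects by their link/update control words."""
    if not data.lstrip().startswith(RTF_MAGIC):
        return RtfFinding(False, 0, 0, 0)

    ole = autolink = auto_update = 0
    stack: list[set[str]] = []      # one set of control words per open group
    i, n = 0, len(data)
    while i < n:
        c = data[i:i + 1]
        if c == b"{":
            stack.append(set())
            i += 1
        elif c == b"}":
            if stack:
                words = stack.pop()
                if "object" in words:
                    ole += 1
                    if "objautlink" in words:
                        autolink += 1
                        if "objupdate" in words:
                            auto_update += 1
            i += 1
        elif c == b"\\":
            m = CONTROL_WORD.match(data, i)
            if m and stack:
                stack[-1].add(m.group(1).decode("ascii"))
                i = m.end()
            else:
                i += 2                  # control symbol such as \' \\ \{ \}
        else:
            i += 1
    return RtfFinding(True, ole, autolink, auto_update)


# Constructed samples (not real campaign files): an ordinary embedded object,
# an auto-updating linked object, and a file that is not RTF at all.
BENIGN_RTF = b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata 0102}}}"
AUTOLINK_RTF = b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata 0102}}}"
NOT_RTF = b"PK\x03\x04 this is a zip container, not RTF"

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_RTF), ("autolink", AUTOLINK_RTF), ("zip", NOT_RTF)]:
        print(name, scan_rtf(blob))
```

The scanner deliberately checks the byte signature rather than the file extension, since Office opens RTF content regardless of a `.doc` or `.docx` name. It is a coarse first-pass filter: it does not handle `\bin` raw-byte runs or obfuscated control words, and a linked object can be legitimate, so a hit should route the file to sandboxing or analyst review rather than serve as a verdict on its own.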
July 17, 2023: CISA added CVE-2023-36884 to its Known Exploited Vulnerability catalog (KEV).
FortiGuard Cybersecurity Framework
Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.
- AV
- Vulnerability
- AV (Pre-filter)
- IPS
- Outbreak Detection
- IOC
- Threat Hunting
- Content Update
- Assisted Response Services
- Automated Response
- NOC/SOC Training
- End-User Training
- Attack Surface Hardening
- Business Reputation
Threat Intelligence
Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.