Microsoft Office and Windows HTML RCE Vulnerability

Released: Jul 13, 2023

Updated: Jul 17, 2023


Severity: High

Platform: Microsoft Windows, MS Office (Word/Excel)

Vendor: Microsoft

Attack Type: Vulnerability


Unpatched Zero-day exploited in the wild

Microsoft has identified a phishing campaign conducted by the threat actor tracked as Storm-0978 targeting defense and government entities in Europe and North America. The campaign abused CVE-2023-36884, a remote code execution vulnerability exploited via specially crafted Microsoft Office documents delivered through phishing.

Common Vulnerabilities and Exposures

CVE-2023-36884

Background

Storm-0978 (also referred to as RomCom) is a Russia-based cybercriminal group known to conduct ransomware operations. It has previously been observed deploying the "Industrial Spy" ransomware and a variant called "Underground", and it also targets organizations with trojanized versions of popular legitimate software. Identified ransomware attacks have affected the telecommunications and finance industries as well as government institutions.

Latest Development

Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.


June 2023: According to the Microsoft blog, Storm-0978 conducted a phishing campaign that used a fake OneDrive loader to deliver a backdoor with similarities to RomCom. The phishing emails were directed at defense and government entities in Europe and North America and led to exploitation of CVE-2023-36884.

July 11, 2023: Microsoft released a detailed blog post on the campaign exploiting CVE-2023-36884.
https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/


July 12, 2023: FortiGuard Labs updated one of its IPS signatures [MS.Office.RTF.File.OLE.autolink.Code.Execution] to detect and block file-based triggers related to exploitation of CVE-2023-36884, and released AV updates to block known malware associated with the campaign.

IPS signature telemetry shows increased attack attempts over the last month, with more than 4,500 unique IPS device detections across June and July 2023.

FortiGuard Labs strongly recommends following Microsoft's mitigation guidance and applying patches as soon as they become available to fully mitigate the risk:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
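Microsoft's guidance linked above documents a registry-based workaround for the unpatched vulnerability (the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION feature control, set per Office executable) and recommends the Defender Attack Surface Reduction rule "Block all Office applications from creating child processes". The PowerShell below is an added example, not code from the FortiGuard page or from Microsoft; the registry path, executable list and ASR rule GUID are taken from Microsoft's published guidance, and the list should be checked against the current MSRC page before deployment, since the workaround is a stopgap until the patch is applied.

```powershell
# Added example (not from the original page): apply Microsoft's documented
# CVE-2023-36884 workaround and enable the recommended Defender ASR rule.
# Run from an elevated PowerShell session. Test for application impact first.

$featureKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'

# Office processes named in Microsoft's guidance; each gets a REG_DWORD value of 1.
$officeProcesses = @(
    'Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
    'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe'
)

if (-not (Test-Path $featureKey)) {
    New-Item -Path $featureKey -Force | Out-Null
}

foreach ($exe in $officeProcesses) {
    New-ItemProperty -Path $featureKey -Name $exe -PropertyType DWord -Value 1 -Force | Out-Null
}

# Verify: every listed process must read back as 1, otherwise the mitigation is incomplete.
$state   = Get-ItemProperty -Path $featureKey
$missing = $officeProcesses | Where-Object { $state.$_ -ne 1 }
if ($missing) {
    Write-Warning "Workaround not applied for: $($missing -join ', ')"
} else {
    Write-Host "FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION set for all listed Office processes."
}

# Defender ASR rule "Block all Office applications from creating child processes".
# Requires Microsoft Defender Antivirus to be the active AV engine; switch
# 'Enabled' to 'AuditMode' first if the impact on the estate is unknown.
$asrRuleId = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrRuleId `
                 -AttackSurfaceReductionRules_Actions Enabled

# Confirm the rule state: action 1 = Block, 2 = Audit, 0 = Disabled.
$prefs = Get-MpPreference
for ($i = 0; $i -lt $prefs.AttackSurfaceReductionRules_Ids.Count; $i++) {
    if ($prefs.AttackSurfaceReductionRules_Ids[$i] -ieq $asrRuleId) {
        Write-Host "ASR rule $asrRuleId action: $($prefs.AttackSurfaceReductionRules_Actions[$i])"
    }
}
```

The registry workaround only blocks the cross-protocol file navigation path the advisory describes and does not replace the vendor patch; remove it or leave it in place per Microsoft's post-patch guidance once the update has been deployed, and keep the IPS and AV signatures noted above as the compensating network-side control in the meantime.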

July 17, 2023: CISA added CVE-2023-36884 to its Known Exploited Vulnerability catalog (KEV).

FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.


PROTECT
  • AV

  • Vulnerability

  • AV (Pre-filter)

  • IPS

DETECT
  • Outbreak Detection

  • IOC

  • Threat Hunting

  • Content Update

RESPOND
  • Assisted Response Services

  • Automated Response

RECOVER
  • NOC/SOC Training

  • End-User Training

IDENTIFY
  • Attack Surface Hardening

  • Business Reputation

Threat Intelligence

Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.



References

Sources of information in support and relation to this Outbreak and vendor.