Summary
- A zero-day vulnerability (CVE-2023-36884) is being exploited in the wild to target those with an interest in Ukraine.
- The vulnerability allows attackers to execute malicious code on a victim’s computer by tricking them into opening a specially crafted Microsoft Office document.
- The attacks are being carried out by a group known as Storm-0978, which is also known for distributing trojanized versions of popular software and launching ransomware attacks.
- Microsoft recommends that organizations use Microsoft Defender for Office 365 or the Block all Office applications from creating child processes attack surface reduction rule to protect themselves from this vulnerability.
- Organizations can also consider blocking outbound SMB traffic.
Other details
- The phishing campaign that is being used to deliver the malicious Office documents is targeting defense and government entities in Europe and North America.
- The bait used in the phishing emails is related to the Ukrainian World Congress, a non-profit organization of Ukrainian public organizations in diaspora.
- Once a victim opens the malicious Office document, the attacker can execute arbitrary code on their computer.
- The attacker can then use this code to steal data, install malware, or take control of the victim’s computer.
Microsoft’s CVE-2023-36884 specific recommendations
- Customers who use Microsoft Defender for Office 365 are protected from attachments that attempt to exploit CVE-2023-36884.
- In current attack chains, the use of the Block all Office applications from creating child processes attack surface reduction rule prevents the vulnerability from being exploited
- Organizations who cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. Please note that while these registry settings would mitigate exploitation of this issue, it could affect regular functionality for certain use cases related to these applications.
Other recommendation:
- You could also consider blocking outbound SMB traffic.
You must log in or # to comment.