CISA orders govt agencies to mitigate Windows and Office zero-days
July 18, 2023, 04:41 AM

While the flaw is yet to be addressed, Microsoft has committed to delivering patches through the monthly release process or an out-of-band security update.

CISA ordered federal agencies to mitigate remote code execution zero-days affecting Windows and Office products that were exploited by the Russia-based RomCom cybercriminal group in NATO phishing attacks.
The security flaws (collectively tracked as CVE-2023-36884) were also added to CISA's Known Exploited Vulnerabilities catalog on Monday.
Under the binding operational directive (BOD 22-01) issued in November 2021, U.S. Federal Civilian Executive Branch Agencies (FCEB) are now required to secure Windows devices on their networks against attacks exploiting CVE-2023-36884.
Until patches are available, Redmond says customers using Defender for Office 365, Microsoft 365 Apps (Versions 2302 and later), and those who already enabled the "Block all Office applications from creating child processes" Attack Surface Reduction Rule are protected against CVE-2023-36884 phishing attacks.
Those not using these protections can remove the attack vector by adding the following process names as values of type REG_DWORD with data 1 under the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key: Excel.exe, Graph.exe, MSAccess.exe, MSPub.exe, PowerPoint.exe, Visio.exe, WinProj.exe, WinWord.exe, Wordpad.exe.
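The registry mitigation above is easy to apply inconsistently across a fleet, so it helps to script both the change and an audit of it. The PowerShell below is an added example written for this page, not Microsoft's or the article's own code. It assumes the full key path `HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION` (the article names only the leaf key; the full path is taken from Microsoft's advisory and should be verified there) and, for the optional Defender check, the ASR rule GUID `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` for "Block all Office applications from creating child processes" as published in Microsoft's ASR rule reference.

```powershell
# Added example (not from the article or Microsoft): apply the registry-based
# CVE-2023-36884 mitigation described above and audit that every listed
# process name is covered.
# ASSUMPTION: the full key path is the one in Microsoft's advisory; the
# article quotes only the leaf key name FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION.
#Requires -RunAsAdministrator

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'

# Process names exactly as listed in the article.
$OfficeProcesses = @(
    'Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
    'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe'
)

# ASSUMPTION: GUID of the ASR rule "Block all Office applications from
# creating child processes", from Microsoft's ASR rule reference (not on this page).
$AsrOfficeChildProcessRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Set-CrossProtocolNavigationBlock {
    param([string]$Path = $KeyPath, [string[]]$Names = $OfficeProcesses)
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    foreach ($name in $Names) {
        # REG_DWORD with data 1, as the article states.
        New-ItemProperty -Path $Path -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Returns the process names that are NOT yet set to 1 (empty array = fully mitigated).
function Test-CrossProtocolNavigationBlock {
    param([string]$Path = $KeyPath, [string[]]$Names = $OfficeProcesses)
    if (-not (Test-Path $Path)) { return $Names }
    $props = Get-ItemProperty -Path $Path
    $missing = @()
    foreach ($name in $Names) {
        $prop = $props.PSObject.Properties[$name]
        if ($null -eq $prop -or [int]$prop.Value -ne 1) { $missing += $name }
    }
    return $missing
}

# Returns $true when Defender reports the Office child-process ASR rule in Block mode.
function Test-OfficeChildProcessAsrRule {
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if ($null -eq $pref -or -not $pref.AttackSurfaceReductionRules_Ids) { return $false }
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        if ($pref.AttackSurfaceReductionRules_Ids[$i] -ieq $AsrOfficeChildProcessRule) {
            # Action 1 = Block (0 = Off, 2 = Audit, 6 = Warn).
            return ($pref.AttackSurfaceReductionRules_Actions[$i] -eq 1)
        }
    }
    return $false
}

# Hosts already covered by the ASR rule do not need the registry change;
# everyone else gets the registry mitigation, then a verification pass.
if (Test-OfficeChildProcessAsrRule) {
    Write-Output 'ASR rule blocking Office child processes is active; registry mitigation not required.'
} else {
    Set-CrossProtocolNavigationBlock
    $gaps = Test-CrossProtocolNavigationBlock
    if ($gaps.Count -eq 0) {
        Write-Output 'CVE-2023-36884 registry mitigation applied for all listed Office processes.'
    } else {
        Write-Output "Still unmitigated: $($gaps -join ', ')"
    }
}
```

Run the audit function on its own (`Test-CrossProtocolNavigationBlock`) from a configuration-management job to catch hosts where the values were later removed, and remember to revert the key once the vendor patch is installed, since the registry setting is a stopgap rather than a fix.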

Even though the primary focus of the catalog revolves around U.S. federal agencies, it is strongly advised that private companies also prioritize patching all vulnerabilities added to CISA's KEV catalog.
"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA warned.
Exploited by Russian hackers in NATO phishing attacks
"The campaign involved the abuse of CVE-2023-36884, which included a remote code execution vulnerability exploited before disclosure to Microsoft via Word documents," Redmond said.
"Storm-0978 (DEV-0978; also referred to as RomCom, the name of their backdoor, by other vendors) is a cybercriminal group based out of Russia, known to conduct opportunistic ransomware and extortion-only operations, as well as targeted credential-gathering campaigns likely in support of intelligence operations."
"The actor's latest campaign detected in June 2023 involved abuse of CVE-2023-36884 to deliver a backdoor with similarities to RomCom."
Through this ruse, they successfully tricked their targets into deploying malware payloads, which included the MagicSpell loader and the RomCom backdoor.
The RomCom cybercrime gang was previously linked to the Industrial Spy ransomware operation and has now switched to a new ransomware strain called Underground.
In May 2022, MalwareHunterTeam also found a link to the Cuba ransomware operation while investigating the email address and TOX ID in an Industrial Spy ransom note.
