Date: 12-07-2023
On the 11th of July 2023 Microsoft has released that they are investigating reports of a series of remote code execution vulnerabilities in Windows and Office products, known as CVE-2023-36884.[1] This vulnerability requires an attacker to create a specially crafted Microsoft Office document and convince a victim to open this malicious document.
In June of 2023 the known threat actor Storm-0978 has been identified to be abusing this vulnerability in phishing campaigns targeting defence and government entities in Europe and North America. They are most likely espionage-driven. The phishing campaigns involved a lure related to the Ukrainian World Congress.[2] This lure is, of course, interchangeable.
As of the time of writing, Microsoft has not yet released a security patch. Once their investigation has completed, they will either release a patch separately in an out-of-cycle security update, or include it in the monthly release process.[1] A list of currently known steps to mitigate the vulnerability can be found below, under “Mitigation”.
Impact
Northwave estimates the impact of these vulnerabilities as high. If an attacker successfully exploits the vulnerabilities he can perform remote code execution on hosts where a Microsoft Office document is opened in the context of the user that opened it. This can enable an attacker to gain control over the user’s system. Therefore we estimate the impact of the vulnerabilities as high.
Risk
Northwave estimates the risk of these vulnerabilities as high. The vulnerabilities are reported to have been actively exploited before they were disclosed to Microsoft. Since the impact of the vulnerabilities is high and it is being actively exploited, we classify the risk of the vulnerabilities as high.
Mitigation
At the time of writing, the vulnerability can be mitigated as follows:[1]
- Users of Microsoft Defender for Office are protected from attachments that attempt to exploit the vulnerability
- Microsoft 365 Defender users can turn on Attack Surface Reduction (ASR) rules to prevent common attack techniques used in ransomware attacks. Specifically, blocking all Office applications from creating child processes will prevent the vulnerability from being exploited.
- Organizations who cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. Please note that while these registry settings would mitigate exploitation of this issue, it could affect regular functionality for certain use cases related to these applications. Add the following application names to this registry key as values of type REG_DWORD with data 1. :
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION
- Excel.exe
- Graph.exe
- MSAccess.exe
- MSPub.exe
- PowerPoint.exe
- Visio.exe
- WinProj.exe
- WinWord.exe
- Wordpad.exe
Further, more general, mitigation steps include[2]:
- Turn on cloud-delivered protection or the equivalent for your antivirus product as this will help block rapidly evolving attacker tools and techniques.
- Run EDR in block mode, this will help prevent malicious code from executing when detected by the EDR.
- Enable investigation and remediation in full automated mode to allow the EDR to take immediate action on alerts to resolve breaches.
- Use Microsoft Defender for Office 365 for enhanced phishing protection and coverage against new and evolving threats. Specifically Safe Attachments and Safe Links protection should be enabled for users with Zero-hour Auto Purge to remove emails when a URL is weaponised post-delivery.
What should you do?
Follow the mitigations as closely as possible and apply security updates as soon as they become available.
What will Northwave do?
The Northwave SOC will monitor EDR alerts with extra care and continues to assess if additional detection rules need to be implemented as more information becomes available. Northwave will continue to monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. You can call us by phone or send us an email if you would like additional information.
Phone number: +31 (0)30-303 1244 (during business hours)
Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909
Disclaimer applies, see below.
Sources
Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.