Microsoft warns Office admins to block exploitation of zero-day hole

IT administrators with Microsoft Office in their environments are being urged to take action after the discovery of a previously unknown vulnerability being leveraged by a Russian-based cyber-criminal group.

The vulnerability, CVE-2023-36884, described as an HTML remote code execution vulnerability involving specially-crafted Microsoft Office documents, wasn’t patched yesterday in the Patch Tuesday fixes that Microsoft released.

An attacker would have to convince the victim to open the malicious file, meaning security awareness warnings for employees will help reduce the odds of compromise.

IT departments that use Microsoft Defender for Office are protected from attachments that attempt to exploit this vulnerability. Those that don’t should check with their anti-virus/anti-malware providers to see if those applications have been updated to prevent exploitation. In addition, setting the Block all Office applications from creating child processes Attack Surface Reduction Rule will prevent the vulnerability from being exploited.

Another option is to set the Windows FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key, adding the names of Microsoft applications such as Excel.exe, Graph.exe, MSAccess.exe to avoid exploitation. Microsoft cautions that while these registry settings would mitigate exploitation of this issue, they could affect regular functionality for certain use cases related to these applications.

Microsoft said it might provide an out-of-cycle security update to fix this hole.

It became aware of the vulnerability through its own intelligence, and from security researchers of a phishing campaign by a Russian-based group it dubs Storm-0978. Others call this group RomCom because it distributes the RomCom backdoor. The targets of this attack were defense and government organizations in Europe and North America with an interest in Ukraine.

Specifically, last month, phishing lures were sent with a subject line relating to this week’s meeting of NATO heads of state in Lithuania. The message pretended to be an invitation from the Ukrainian World Congress to attend the summit. Attached to the email was an infected document or documents explaining the Congress’ positions for the meeting.

However, the documents include a fake OneDrive loader to deliver a backdoor with similarities to RomCom.

Separately, this threat group was seen trying to deliver ransomware against an unrelated target using the same initial payloads.

Last week, BlackBerry issued a warning about infected Word documents allegedly from the Ukrainian World Congress, although it didn’t explain how they were being distributed. The campaign involved creation of a look-alike Ukrainian World Congress website. The key difference: The real website ends in .org, while the fake website ends in .info.

The execution chain in the malware found by BlackBerry uses CVE-2022-30190, a zero-day vulnerability also called Follina that was patched last year, which affects Microsoft’s Support Diagnostic Tool (MSDT). The ultimate goal is the installation of the RomCom backdoor.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer. Former editor of and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.

Featured Tech Jobs