Attackers Exploit Unpatched Windows Zero-Day Vulnerability

A zero-day vulnerability (CVE-2023-36884) affecting Microsoft Windows and Office products is being exploited by attackers in the wild. To date, the exploit has been used in highly targeted attacks against organizations in the government and defense sectors in Europe and North America.

The vulnerability was disclosed yesterday (July 11) by Microsoft, which said that an attacker could create a specially crafted Microsoft Office document that enables remote code execution on the target’s computer. In order for the exploit to succeed, the victim needs to open the malicious file. No patch has been released yet for the vulnerability. However, Microsoft is still investigating the issue and said a patch may be rolled out in its monthly release process or in an out-of-cycle security update. The company provided some mitigation guidance in its advisory.

How is the vulnerability being exploited?

According to a separate blog published by Microsoft, the vulnerability was being exploited by an actor it calls Storm-0978 (aka RomCom) in targeted attacks against defense and government organizations in Europe and North America. The exploit was contained in Microsoft Word documents that masqueraded as information about the Ukrainian World Congress.

The attacks were earlier documented by BlackBerry on July 8, which noted that the targets were guests for the upcoming NATO Summit. At the time, the use of the zero-day in the attacks was unknown.

Who is Storm-0978/RomCom?

Storm-0978/RomCom is a Russia-linked threat actor that has been involved in both espionage and cyber-crime activity. The group acquired its name through its use of the RomCom remote access Trojan (RAT). 

There are strong ties between it and a group Symantec calls Hawker, which is the developer of the Cuba ransomware family. The U.S Cybersecurity and Infrastructure Security Agency (CISA) has said that there are possibly links between Hawker, RomCom, and the Industrial Spy ransomware actors. A report published last year by Palo Alto also detailed how RomCom (whom it calls Tropical Scorpius) used the RomCom RAT to deliver the Cuba ransomware payload to victims.

While it is clear that there are strong ties between Storm-0978/RomCom and Hawker, it is unclear yet whether the two actors are one and the same. 

How severe is this vulnerability?

Until a patch is released, organizations should adopt all possible mitigation strategies. Although the vulnerability has, to date, been exploited in targeted attacks, news of its existence will doubtlessly lead other attackers to attempt to replicate the exploit.

Protection/Mitigation

Email-based

• Coverage is in place for Symantec’s email security products

File-based

• Trojan.Mdropper
• WS.Malware.1

Network-based

• Web Attack: Webpulse Bad Reputation Domain Request

Web-based

• Observed domains/IPs are covered under security categories in all WebPulse enabled products

Symantec is continuing to investigate further possible protection based on available information, and additional signatures may be introduced as analysis progresses. 

For the latest protection updates, please visit the Symantec Protection Bulletin.

Indicators of Compromise

If an IOC is malicious and the file available to us, Symantec Endpoint products will detect and block that file.

a61b2eafcf39715031357df6b01e85e0d1ea2e8ee1dfec241b114e18f7a1163f

e7cfeb023c3160a7366f209a16a6f6ea5a0bc9a3ddc16c6cba758114dfe6b539

d3263cc3eff826431c2016aee674c7e3e5329bebfb7a145907de39a279859f4a

3a3138c5add59d2172ad33bc6761f2f82ba344f3d03a2269c623f22c1a35df97