CVE-2023-36884 MS Office Zero-Day Vulnerability Exploited For Espionage - Detection and Mitigation

Microsoft Threat Intelligece has identified threat actors abusing a recently disclosed vulnerability, CVE-2023-36884, in phishing campaigns containing malicious Word documents against government entities in Europe and North America. CVE-2023-36884 was disclosed along with three other vulnerabilities by Google TAG, no patch was released for the vulnerability and only mitigations are available.

Threat Actor: Storm-0978 (RomCom)

Storm-0978, also known as RomCom is a Russian threat actor known for ransomware, espionage operations, and targeted credential-gathering campaigns. Their latest campaign was last detected in June 2023 involving abuse of CVE-2023-36884 to deliver backdoors over phishing emails according to Microsoft Threat Intelligence.

Mitigate CVE-2023-36884

CVE-2023-36884 can be mitigated via Attack Surface Reduction Rules or by performing registry key modifications to disable certain features in Windows. It is recommended to apply the mitigations as no patches are available.

Attack Surface Reduction Rules

Enable the following ASR Rules in Microsoft Defender.

• Block all Office applications from creating child processes

Registry Key Modification

As recommended by Microsoft, "Organizations who cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. Please note that while these registry settings would mitigate exploitation of this issue, it could affect regular functionality for certain use cases related to these applications. Add the following application names to this registry key as values of type REG_DWORD with data 1"

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION

• Excel.exe
• Graph.exe
• MSAccess.exe
• MSPub.exe
• PowerPoint.exe
• Visio.exe
• WinProj.exe
• WinWord.exe
• Wordpad.exe

Michael Haag has created a Powershell script to perform the registry key modification. You can find it on GitHub.

Detect CVE-2023-36884

UPDATE (17/07/2023): The NextronSystems team has released sigma rules to block various techniques utilized by RomCom and possibel exploitation of CVE-2023-36884.

• Potential CVE-2023-36884 Exploitation Dropped File
• Potential CVE-2023-36884 Exploitation Pattern
• Potential CVE-2303-36884 URL Request Pattern Traffic
• Potential CVE-2023-36884 Exploitation - File Downloads
• Potential CVE-2023-36884 Exploitation - URL Marker
• Potential CVE-2023-36884 Exploitation - Share Access
• Suspicious Office Outbound Connections

Based on the recommended ASR rules, the following Sigma rule can detect an attacker exploiting CVE-2023-36884 and other Office-related TTPs. Alerts can be generated if an Office application is spawning a suspicious child process.

1title: Office Applications Calling Suspicious Child Process
2id: 89bc895e-9093-4d9f-bd68-0bda3ba303ee
3status: experimental
4description: Detects various office applications calling a suspicious child process to possibly detect CVE-2023-36884
5author: Aarush Ahuja
6date: 2023/07/12
7modified: 2023/07/12
8tags:
9    - attack.execution
10    - attack.t1137
11    - attack.t1218
12logsource:
13    category: process_creation
14    product: windows
15detection:
16    selection:
17        ParentImage|endswith: 
18            - '\Excel.exe'
19            - '\Graph.exe'
20            - '\MSAccess.exe'
21            - '\MSPub.exe'
22            - '\PowerPoint.exe'
23            - '\Visio.exe'
24            - '\WinProj.exe'
25            - '\WinWord.exe'
26            - '\Wordpad.exe'
27        Image|endswith:
28            # Add more suspicious LOLBins
29            - '\powershell.exe'
30            - '\pwsh.exe'
31            - '\cmd.exe'
32            - '\mshta.exe'
33            - '\cscript.exe'
34            - '\wscript.exe'
35            - '\taskkill.exe'
36            - '\regsvr32.exe'
37            - '\rundll32.exe'
38            - '\csc.exe'  
39            - '\calc.exe' 
40    condition: selection
41falsepositives:
42    - Unknown
43level: high

The above rule is based on the rule from here.

Patch CVE-2023-36884

Microsoft has not yet released a patch for CVE-2023-36884. This section will be updated as more details are available.

Exploit CVE-2023-36884

More information about CVE-2023-36884 will be available in 30 days according to Google TAG disclosure policy. This section will be updated with possible adversary simulations and exploits for the vulnerability. The recommended sigma rule and Attack Surface Reduction rules can also be assessed with other vulnerabilities such as Follina which we covered previously.

References

• MSTI report on Storm-078 covering abuse of CVE-2023-36884 against NATO summit attendees
• CVE-2023-36884
• Detailed report by Blackberry on RomCom
• Sigma Rules from Nextron