Microsoft Threat Intelligence has identified threat actors abusing a recently disclosed vulnerability, CVE-2023-36884, in phishing campaigns that use malicious Word documents against government entities in Europe and North America. CVE-2023-36884 was disclosed along with three other vulnerabilities by Google TAG; no patch has been released for the vulnerability, and only mitigations are available.
Threat Actor: Storm-0978 (RomCom)
Storm-0978, also known as RomCom, is a Russian threat actor known for ransomware, espionage operations, and targeted credential-gathering campaigns. According to Microsoft Threat Intelligence, its most recent campaign, detected in June 2023, abused CVE-2023-36884 to deliver backdoors via phishing emails.
CVE-2023-36884 can be mitigated via Attack Surface Reduction rules or by modifying registry keys to disable certain features in Windows. Applying the mitigations is recommended, as no patch is available.
Attack Surface Reduction Rules
Enable the following ASR Rules in Microsoft Defender.
Registry Key Modification
As recommended by Microsoft: "Organizations who cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. Please note that while these registry settings would mitigate exploitation of this issue, it could affect regular functionality for certain use cases related to these applications. Add the following application names to this registry key as values of type REG_DWORD with data 1"
Michael Haag has created a PowerShell script to perform the registry key modification. You can find it on GitHub.
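Setting the key is one half of the mitigation; confirming it actually landed on every host is the other. As an added example (not part of the original post, and not Michael Haag's script or Microsoft's guidance), the following Python audits the mitigation by parsing the text output of `reg query` for the key, so it runs offline against an exported dump. The key path under HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl is the one Microsoft's guidance names for this setting; EXPECTED_APPS is a placeholder list for the example (the quote above does not reproduce Microsoft's application list, so take the names from the advisory), and the sample dump is constructed.

```python
# Added example (not from the original post, Microsoft, or Michael Haag's script):
# audits the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION mitigation from the
# text output of `reg query`, so the check can run offline on an exported dump.
import re

# Key path published in Microsoft's guidance for this mitigation.
MITIGATION_KEY = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main"
    r"\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION"
)

# Placeholder list for the example: replace with the application names from
# Microsoft's advisory (the post's quote does not reproduce them).
EXPECTED_APPS = ["Excel.exe", "WinWord.exe", "PowerPoint.exe", "Visio.exe"]

# `reg query` prints one value per line: <name>  <type>  <data>, separated by
# runs of spaces; key names are printed at column 0.
_VALUE_LINE = re.compile(r"^\s+(\S.*?)\s{2,}(REG_[A-Z_]+)\s{2,}(\S+)\s*$")


def parse_reg_query(text):
    """Parse `reg query` output into {value_name_lower: (type, data)}.

    Only values directly under MITIGATION_KEY are returned; values under any
    other key in the dump are ignored, so a stray setting elsewhere cannot
    make the audit pass.
    """
    values = {}
    current_key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # key header lines start at column 0
            current_key = line.strip()
            continue
        m = _VALUE_LINE.match(line)
        if m and current_key and current_key.lower() == MITIGATION_KEY.lower():
            name, vtype, data = m.groups()
            values[name.lower()] = (vtype, data)
    return values


def audit_mitigation(text, expected_apps):
    """Return the expected application names that are NOT set to REG_DWORD 1.

    An empty list means the mitigation is fully applied for the given names.
    `reg query` prints DWORD data in hex (e.g. 0x1), hence the base-16 parse.
    """
    values = parse_reg_query(text)
    missing = []
    for app in expected_apps:
        entry = values.get(app.lower())
        if entry is None or entry[0] != "REG_DWORD" or int(entry[1], 16) != 1:
            missing.append(app)
    return missing


# Constructed sample of `reg query` output: two applications correctly set,
# one set to 0, one absent, plus an unrelated placeholder key that must be
# ignored by the audit.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION
    Excel.exe    REG_DWORD    0x1
    WinWord.exe    REG_DWORD    0x1
    PowerPoint.exe    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNRELATED_PLACEHOLDER
    Visio.exe    REG_DWORD    0x1
"""

if __name__ == "__main__":
    not_mitigated = audit_mitigation(SAMPLE_REG_QUERY, EXPECTED_APPS)
    print("Not mitigated:", not_mitigated)  # PowerPoint.exe (0x0) and Visio.exe (absent)
```

On a host, `reg query "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION" > dump.txt` produces input in exactly this shape, and the dump can be collected centrally and fed to `audit_mitigation`. The check is deliberately strict about the key path: the same value name under a different FeatureControl key counts as missing.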
UPDATE (17/07/2023): The Nextron Systems team has released Sigma rules covering various techniques used by RomCom and possible exploitation of CVE-2023-36884.
Based on the recommended ASR rules, the following Sigma rule can detect an attacker exploiting CVE-2023-36884 and other Office-related TTPs: it alerts when an Office application spawns a suspicious child process.
```yaml
title: Office Applications Calling Suspicious Child Process
description: Detects various office applications calling a suspicious child process to possibly detect CVE-2023-36884
author: Aarush Ahuja
tags:
    - attack.execution
    - attack.t1137
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Parent must be one of the Office applications
        ParentImage|endswith:
            - '\Excel.exe'
            - '\Graph.exe'
            - '\MSAccess.exe'
            - '\MSPub.exe'
            - '\PowerPoint.exe'
            - '\Visio.exe'
            - '\WinProj.exe'
            - '\WinWord.exe'
            - '\Wordpad.exe'
        # Child must be one of these script hosts / LOLBins
        Image|endswith:
            # Add more suspicious LOLBins
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
            - '\mshta.exe'
            - '\cscript.exe'
            - '\wscript.exe'
            - '\taskkill.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\csc.exe'
            - '\calc.exe'
    condition: selection
falsepositives:
    - Unknown
```
The above rule is based on the rule from here.
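To make concrete what the rule's selection does and does not match, here is an added Python evaluator (example code, not from the original post and not a Sigma backend) that applies the two `|endswith` lists to constructed Sysmon-style process_creation events. The event dictionaries, their field names and the helper names (`endswith_any`, `matches_rule`, `alerts`) are assumptions for the example; the value lists are copied from the rule above.

```python
# Added example (not from the original post): a minimal evaluator for the
# Sigma rule's selection, run over constructed process_creation events.
# Field names follow Sigma's Windows process_creation taxonomy (ParentImage, Image).

OFFICE_PARENTS = [
    r"\Excel.exe", r"\Graph.exe", r"\MSAccess.exe", r"\MSPub.exe",
    r"\PowerPoint.exe", r"\Visio.exe", r"\WinProj.exe", r"\WinWord.exe",
    r"\Wordpad.exe",
]

SUSPICIOUS_CHILDREN = [
    r"\powershell.exe", r"\pwsh.exe", r"\cmd.exe", r"\mshta.exe",
    r"\cscript.exe", r"\wscript.exe", r"\taskkill.exe", r"\regsvr32.exe",
    r"\rundll32.exe", r"\csc.exe", r"\calc.exe",
]


def endswith_any(value, suffixes):
    """Sigma's |endswith modifier: case-insensitive suffix match, any value in the list (OR)."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matches_rule(event):
    """True when the event satisfies `condition: selection`.

    The two fields inside one selection map are ANDed; the values under each
    field are ORed. Missing fields never match.
    """
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    return endswith_any(parent, OFFICE_PARENTS) and endswith_any(image, SUSPICIOUS_CHILDREN)


def alerts(events):
    """Return the EventId of every event the rule would alert on, in input order."""
    return [e["EventId"] for e in events if matches_rule(e)]


# Constructed sample events (EventId is just a label for the example).
SAMPLE_EVENTS = [
    # 1: Word spawning cmd.exe -> alert (note the upper-case WINWORD.EXE still matches)
    {"EventId": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe"},
    # 2: Word spawning the print spooler helper -> no alert (child not in the list)
    {"EventId": 2,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe"},
    # 3: PowerShell from Explorer -> no alert (parent is not an Office app)
    {"EventId": 3,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # 4: Excel spawning PowerShell -> alert
    {"EventId": 4,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # 5: Word spawning a binary whose name merely contains "cmd.exe" -> no alert,
    #    because the leading backslash in '\cmd.exe' anchors the match to the file name
    {"EventId": 5,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Tools\notcmd.exe"},
]

if __name__ == "__main__":
    print("Alerting events:", alerts(SAMPLE_EVENTS))  # [1, 4]
```

Event 2 is the kind of benign child (the print spooler helper) that this rule intentionally leaves alone, which is why the child list is enumerated rather than "anything not Office". Event 5 shows why every value carries a leading backslash: without it, `endswith` would also fire on unrelated binaries whose names happen to end in `cmd.exe`. A real Sigma backend maps `category: process_creation` / `product: windows` to the actual log source (typically Sysmon Event ID 1 or Security 4688) and compiles the same AND/OR logic into the SIEM's query language.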
Microsoft has not yet released a patch for CVE-2023-36884. This section will be updated as more details are available.
More information about CVE-2023-36884 will be available in 30 days, according to Google TAG's disclosure policy. This section will be updated with possible adversary simulations and exploits for the vulnerability. The recommended Sigma rule and Attack Surface Reduction rules can also be tested against other vulnerabilities, such as Follina, which we covered previously.