Posted by HSSL Technologies on Aug 16th 2023
An exploit for CVE-2023-36884 was used in targeted attacks against organizations in Europe and North America.
A zero-day vulnerability (CVE-2023-36884) affecting Microsoft Windows and Office products is being exploited by attackers in the wild. To date, the exploit has been used in highly targeted attacks against organizations in the government and defense sectors in Europe and North America.
The vulnerability was disclosed yesterday (July 11) by Microsoft, which said that an attacker could create a specially crafted Microsoft Office document that enables remote code execution on the target’s computer. For the exploit to succeed, the victim needs to open the malicious file. No patch has been released yet for the vulnerability; Microsoft said it is still investigating the issue and that a fix may be rolled out in its monthly release process or in an out-of-cycle security update. The company provided some mitigation guidance in its advisory.
How is the vulnerability being exploited?
According to a separate blog published by Microsoft, the vulnerability was being exploited by an actor it calls Storm-0978 (aka RomCom) in targeted attacks against defense and government organizations in Europe and North America. The exploit was contained in Microsoft Word documents that masqueraded as information about the Ukrainian World Congress.
The attacks were earlier documented by BlackBerry on July 8, which noted that the targets were guests for the upcoming NATO Summit. At the time, the use of the zero-day in the attacks was unknown.
Who is Storm-0978/RomCom?
Storm-0978/RomCom is a Russia-linked threat actor that has been involved in both espionage and cyber-crime activity. The group acquired its name through its use of the RomCom remote access Trojan (RAT).
There are strong ties between it and a group Symantec calls Hawker, which is the developer of the Cuba ransomware family. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has said that there are possibly links between Hawker, RomCom, and the Industrial Spy ransomware actors. A report published last year by Palo Alto also detailed how RomCom (which it calls Tropical Scorpius) used the RomCom RAT to deliver the Cuba ransomware payload to victims.
While it is clear that there are strong ties between Storm-0978/RomCom and Hawker, it is not yet clear whether the two actors are one and the same.
How severe is this vulnerability?
Until a patch is released, organizations should adopt all possible mitigation strategies. Although the vulnerability has, to date, been exploited in targeted attacks, news of its existence will doubtlessly lead other attackers to attempt to replicate the exploit.
Protection/Mitigation
Email-based
Coverage is in place for Symantec’s email security products
File-based
Trojan.Mdropper
WS.Malware.1
Network-based
Web Attack: Webpulse Bad Reputation Domain Request
Web-based
Observed domains/IPs are covered under security categories in all WebPulse enabled products
Symantec is continuing to investigate further possible protection based on available information, and additional signatures may be introduced as analysis progresses.