Microsoft Details Alarming Zero-Day Attacks Targeting Office, Serves Security Patches

Microsoft’s traditional Patch Tuesday has arrived, bringing with it a slew of security fixes for 130 vulnerabilities and two published advisories. This update comes at the perfect time, as threat actors have been exploiting some of these vulnerabilities for espionage against defense and government organizations in Europe and North America.

Among the numerous fixes that Microsoft has pushed for Patch Tuesday lies CVE-2023-36884, an “Office and Windows HTML Remote Code Execution Vulnerability.” On the Common Vulnerability Scoring System (CVSS) scale out of 10, this vulnerability is rated an 8.3, making it quite severe. Microsoft’s advisory explains why: “An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim.” The only precondition is that the attacker must get the victim to open the malicious Office document in the first place, and that is exactly what has been happening in the wild.

Figure: A sample of Storm-0978's phishing documents.

In a separate blog post, Microsoft reported that it identified a phishing campaign by a threat actor group called Storm-0978, otherwise known as DEV-0978 or RomCom. This Russia-based cybercriminal group is traditionally known for ransomware and extortion operations alongside credential gathering for external intelligence operations. The RomCom name comes from the backdoor program of the same name that the group installs on victims’ devices.

This recently discovered campaign from the group reportedly revolved around CVE-2023-36884 to deliver a backdoor like RomCom. The threat actors sent emails and malicious documents relating to the Ukrainian World Congress, targeting primarily European military and government bodies, to deliver a payload. This is not the first time the group has been associated with such efforts: researchers at BlackBerry recently found it targeting NATO Summit guests potentially providing aid to Ukraine. Those earlier campaigns, however, were primarily associated with the Follina vulnerability (CVE-2022-30190) from last year.

If you think you might be at risk, Microsoft Defender for Office 365 should protect you from attachments meant to exploit the vulnerability. Alternatively, administrators can block all Office applications from creating child processes or set the “FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION” registry key to remain secure. Of course, you can also update your system with the latest Patch Tuesday update, which reportedly fixes the problem and makes life a little easier.
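The two interim mitigations above are easy to describe but easy to get half-right in practice (the registry key is only effective once each Office binary is listed under it). The following PowerShell script is an added example, not code from the article or from Microsoft: it audits whether a Windows host already has both mitigations in place and, with `-Apply`, turns them on. It assumes the full registry path and the list of Office executables that Microsoft's advisory gives for the key (the article names only the key itself), and that the Defender Attack Surface Reduction rule for "Block all Office applications from creating child processes" carries the GUID used below; both should be checked against the current advisory before use.

```powershell
# Added example (not from the article): audit and optionally apply the two
# interim mitigations for CVE-2023-36884 on a Windows host running Defender.
# Assumption: $KeyPath and $OfficeApps follow Microsoft's advisory for the
# FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION key; $AsrRuleId is assumed to be
# the GUID of the "Block all Office applications from creating child processes"
# ASR rule. Run from an elevated PowerShell session; nothing changes without -Apply.
param([switch]$Apply)

$KeyPath    = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$OfficeApps = 'Excel.exe','Graph.exe','MSAccess.exe','MSPub.exe','PowerPoint.exe',
              'Visio.exe','WinProj.exe','WinWord.exe','Wordpad.exe'
$AsrRuleId  = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'   # assumed ASR rule GUID

function Get-MissingCrossProtocolBlocks {
    # Returns the Office binaries that are not yet set to 1 (REG_DWORD) under the key.
    $missing = @()
    foreach ($app in $OfficeApps) {
        $val = (Get-ItemProperty -Path $KeyPath -Name $app -ErrorAction SilentlyContinue).$app
        if ($val -ne 1) { $missing += $app }
    }
    return $missing
}

function Test-AsrOfficeChildProcessBlock {
    # True only when the ASR rule is present AND in Block mode (action value 1).
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $AsrRuleId) { return ([int]$acts[$i] -eq 1) }
    }
    return $false
}

function Enable-CrossProtocolBlock {
    # Create the key if needed and list every Office binary with a DWORD value of 1.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    foreach ($app in $OfficeApps) {
        New-ItemProperty -Path $KeyPath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Enable-AsrOfficeChildProcessBlock {
    # Add (or switch) the rule in Block mode; existing rules are left untouched.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRuleId `
                     -AttackSurfaceReductionRules_Actions Enabled
}

# --- audit -------------------------------------------------------------------
$missing  = Get-MissingCrossProtocolBlocks
$asrOk    = Test-AsrOfficeChildProcessBlock
Write-Host ("Registry mitigation : " + $(if ($missing.Count -eq 0) { 'complete' } else { "missing $($missing -join ', ')" }))
Write-Host ("ASR child-proc block: " + $(if ($asrOk) { 'enabled (block)' } else { 'NOT in block mode' }))

# --- remediate (opt-in) ------------------------------------------------------
if ($Apply) {
    if ($missing.Count -gt 0) { Enable-CrossProtocolBlock;        Write-Host 'Registry mitigation applied.' }
    if (-not $asrOk)          { Enable-AsrOfficeChildProcessBlock; Write-Host 'ASR rule set to block.' }
}
```

Run it once without `-Apply` to see the host's state, then with `-Apply` to remediate. The ASR rule and the registry key both change behaviour that some line-of-business add-ins and macros rely on (spawning helper processes, following cross-protocol links from Office), so stage them on a pilot group first; once the Patch Tuesday update is installed, the workaround can be rolled back, since the fix supersedes it.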