CISA Directs Government Agencies to Address Windows and Office Zero-Days

July 18, 2023

The Cybersecurity and Infrastructure Security Agency (CISA) has instructed federal agencies to address zero-day vulnerabilities impacting Windows and Office products. These vulnerabilities have been exploited by the Russian-based RomCom cybercriminal group in phishing attacks targeting NATO. The security flaws, collectively identified as CVE-2023-36884, were added to CISA's list of Known Exploited Vulnerabilities.

As per the binding operational directive (BOD 22-01) issued in November 2021, U.S. Federal Civilian Executive Branch Agencies (FCEB) are now obligated to safeguard Windows devices on their networks against attacks exploiting CVE-2023-36884. Federal agencies have until August 8th to secure their systems by implementing mitigation measures shared by Microsoft.

Microsoft has committed to providing patches through its monthly release process or an out-of-band security update. Until the patches are available, Microsoft has stated that customers using Defender for Office 365, Microsoft 365 Apps (Versions 2302 and later), and those who have enabled the 'Block all Office applications from creating child processes' Attack Surface Reduction Rule are protected against CVE-2023-36884 phishing attacks.

Users not using these protections can add specific process names to the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key as values of type REG_DWORD with data 1 to eliminate the attack vector. However, setting this registry key may also affect some functionalities of Microsoft Office apps.

CISA has advised private companies to prioritize patching all vulnerabilities added to its KEV catalog. 'These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,' CISA warned.

Microsoft confirmed during this month's Patch Tuesday that the CVE-2023-36884 zero-days were exploited in targeted attacks against government entities across North America and Europe. 'The campaign involved the abuse of CVE-2023-36884, which included a remote code execution vulnerability exploited before disclosure to Microsoft via Word documents,' Microsoft said.

The RomCom group, also known as Storm-0978 or DEV-0978, is a cybercriminal group based in Russia known for conducting ransomware and extortion-only operations, as well as targeted credential-gathering campaigns likely in support of intelligence operations.

The group's latest campaign detected in June 2023 involved the abuse of CVE-2023-36884 to deliver a backdoor with similarities to RomCom. The attackers used malicious Office documents that impersonated the Ukrainian World Congress organization to target organizations participating in the NATO Summit in Vilnius, deploying malware payloads that included the MagicSpell loader and the RomCom backdoor.

The RomCom cybercrime gang was previously linked to the Industrial Spy ransomware operation and has now switched to a new ransomware strain called Underground. In May 2022, MalwareHunterTeam found a link to the Cuba ransomware operation while investigating the email address and TOX ID in an Industrial Spy ransom note.

Related News

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.