CISA to Gov’t Agencies: Mitigate a Flaw in Windows and Office

The U.S. government is giving federal agencies three weeks to mitigate a zero-day security flaw affecting Microsoft’s Windows and Office products that is being exploited by a Russian-linked threat group to attack defense and government groups in North America and Europe, including people attending the recent NATO Summit in Lithuania.

The Cybersecurity and Infrastructure Security Agency (CISA) is ordering agencies to put in place mitigation measures outlined by Microsoft by August 8 and is strongly recommending that private-sector organizations, including those running critical infrastructure, do the same.


CISA this week added the bug, tracked as CVE-2023-36884, to its ever-growing Known Exploited Vulnerabilities catalog, saying that “these types of vulnerabilities are frequent attack vectors for malicious cybersecurity actors and pose significant risks to the federal enterprise.”

The remote code execution flaw is being exploited by the RomCom group, which Microsoft tracks as Storm-0978 and which is known for using phishing emails to drop a backdoor of the same name. The malware collects information from compromised systems, such as the amount of RAM, the username and details about the network adapter.

RomCom also runs ransomware and extortion campaigns, with the actors deploying the Industrial Spy or Underground ransomware.

“Storm-0978 is known to target organizations with Trojanized versions of popular legitimate software, leading to the installation of RomCom,” Microsoft’s Threat Intelligence unit wrote in a blog post that accompanied last week’s Patch Tuesday rollout. “Storm-0978’s targeted operations have impacted government and military organizations primarily in Ukraine, as well as organizations in Europe and North America potentially involved in Ukrainian affairs.”

RomCom’s One-Two Punch

RomCom appears to work on two tracks. In its phishing operations, the group has used lures related to Ukraine’s government and political environment and targets government and military organizations mostly in Europe. In these cases, the cybercrime group distributes the backdoor and steals credentials that can be used in later attacks.

“The actor’s ransomware activity, in contrast, has been largely opportunistic in nature and entirely separate from espionage-focused targets,” Microsoft wrote. “Identified attacks have impacted the telecommunications and finance industries.”

Earlier this month, RomCom apparently turned its focus to the NATO Summit. According to BlackBerry, in the run-up to the summit, its research and intelligence team found two malicious Office documents sent from an IP address in Hungary to an organization that supports Ukraine.

One document took “advantage of this event and the request of Ukraine to join NATO,” the company wrote in a report, adding that “threat actors have created and distributed a malicious document impersonating the Ukrainian World Congress organization to presumably distribute to supporters of Ukraine.”

The other Office document was from the same threat group and purported to be a lobbying letter in support of Ukraine in its fight against Russia. Ukraine’s Computer Emergency Response Team also reported finding the first document.

Microsoft said the phishing campaign in late June contained a fake OneDrive loader that delivered the RomCom backdoor.

Microsoft Details Mitigation Steps

In its blog post, Microsoft outlines several ways to mitigate the risks associated with the vulnerability. Organizations using Microsoft Defender for Office 365, or Microsoft 365 Apps version 2303 and later, are already protected against exploitation attempts through Office. In addition, organizations running Defender can enable the attack surface reduction rule “Block all Office applications from creating child processes” to cut off the exploit’s path to code execution.

Organizations that lack those protections can instead set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key, adding each Office executable as a value. Applying it does not require a Windows restart, but Microsoft cautioned that the registry setting changes how some of those applications behave. Given that, the IT titan is suggesting companies test it on a pilot group before rolling it out broadly.

If they later need to back out the mitigation, they can delete the registry key or set its values to “0.”
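The following PowerShell is an added example, not code from the article or from Microsoft, that applies, verifies and rolls back the two mitigations described above on a single endpoint. The registry path, the list of Office executables and the ASR rule GUID are reproduced from Microsoft’s published advisory for this CVE as the author of this example recalls them; confirm them against the current advisory before deploying at scale. Everything else (function names, the pilot-first usage at the bottom) is this example’s own choice.

```powershell
# Added example: apply, verify and roll back the CVE-2023-36884 mitigations
# (ASR child-process rule + FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION).
# Run from an elevated PowerShell session on the endpoint, or push the
# functions through your configuration-management tool. Pilot first.
#Requires -RunAsAdministrator

# ASSUMPTION: key path and value names as published in Microsoft's advisory;
# verify against the advisory text before use.
$FeatureKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'

# Office executables named in the advisory; each becomes a REG_DWORD value of 1.
$OfficeApps = @('Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
                'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe')

# ASSUMPTION: GUID of the Defender ASR rule
# "Block all Office applications from creating child processes".
$AsrChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Enable-CrossProtocolBlock {
    # Creates the key if needed and sets every listed app to 1 (no reboot required).
    if (-not (Test-Path $FeatureKey)) { New-Item -Path $FeatureKey -Force | Out-Null }
    foreach ($app in $OfficeApps) {
        New-ItemProperty -Path $FeatureKey -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Disable-CrossProtocolBlock {
    # Microsoft's documented rollback: delete the key (or set the values to 0).
    if (Test-Path $FeatureKey) { Remove-Item -Path $FeatureKey -Recurse -Force }
}

function Test-CrossProtocolBlock {
    # The verification step: $true only when every listed app is set to 1.
    if (-not (Test-Path $FeatureKey)) { return $false }
    $props = Get-ItemProperty -Path $FeatureKey
    foreach ($app in $OfficeApps) {
        if ($props.$app -ne 1) { return $false }
    }
    return $true
}

function Set-OfficeChildProcessRule {
    # Requires Microsoft Defender Antivirus. AuditMode logs would-be blocks
    # without enforcing, which is the sensible first step on a pilot group.
    param([ValidateSet('Enabled', 'AuditMode', 'Disabled')] [string] $Mode = 'AuditMode')
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrChildProcRule `
                     -AttackSurfaceReductionRules_Actions $Mode
}

function Get-OfficeChildProcessRuleState {
    # Reads back the configured action for the rule. Defender reports actions
    # numerically: 0 = Disabled, 1 = Block (Enabled), 2 = Audit, 6 = Warn.
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() })
    $idx  = [array]::IndexOf($ids, $AsrChildProcRule)
    if ($idx -lt 0) { return 'NotConfigured' }
    switch ($pref.AttackSurfaceReductionRules_Actions[$idx]) {
        0 { 'Disabled' } 1 { 'Enabled' } 2 { 'AuditMode' } 6 { 'Warn' } default { 'Unknown' }
    }
}

# Usage on a pilot machine: audit the ASR rule, enforce the registry block, then
# report both states so the result can be checked before wider rollout.
Set-OfficeChildProcessRule -Mode AuditMode
Enable-CrossProtocolBlock
[pscustomobject]@{
    RegistryBlock = Test-CrossProtocolBlock
    AsrRule       = Get-OfficeChildProcessRuleState
}
```

Because Microsoft warns that the registry setting changes how the listed applications behave, the natural workflow is to run the above on a pilot group, watch for breakage in Office file-open scenarios, switch the ASR rule from AuditMode to Enabled once the audit events look clean, and keep Disable-CrossProtocolBlock on hand as the documented rollback.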

While the mitigation steps let organizations sidestep the threat, they don’t eliminate the problem. Microsoft said it would address the threat from the flaw by issuing a security update through its regular monthly process or sending out an out-of-cycle security update.


Jeffrey Burt

Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. He’s written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet, and Channel Insider.
