A phishing campaign carried out by the threat actor known as Storm-0978 has been detected by Microsoft. The campaign specifically targeted defense and government entities in Europe and North America. It exploited the CVE-2023-36884 vulnerability through Word documents, enabling a remote code execution vulnerability. Notably, the attackers used lures associated with the Ukrainian World Congress before the vulnerability was disclosed to Microsoft.
To safeguard against the actively exploited remote code execution (RCE) Office and Windows HTML Remote Code Execution Vulnerability (CVE-2023-36884) affecting Microsoft Windows and Office products, you should apply the CIS Microsoft Windows Benchmarks, which offer a set of security best practices. At the time of writing this, there is no available patch for CVE-2023-36884.
While waiting for an official fix, you can take proactive steps to protect your systems. CIS has provided guidance on implementing any of the following CIS Microsoft Windows Workstation/Server Benchmarks: Microsoft Windows 10, Windows 11, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, and Windows Server 2022.
Storm-0978 employs trojanized versions of widely-used and genuine software, facilitating the installation of RomCom, a malware attributed to Storm-0978 by Microsoft. Notable instances of trojanized software encompass various Adobe products, Advanced IP Scanner, Solarwinds Network Performance Monitor, Solarwinds Orion, KeePass, and Signal. To distribute the trojanized installers, Storm-0978 frequently registers malicious domains that imitate the legitimate software sources.
Among the known ransomware intrusions, one particularly notable threat is Storm-0978. This malware has managed to gain access to credentials by extracting password hashes from the Security Account Manager (SAM) through the Windows registry. To accomplish this, the attackers need to obtain SYSTEM-level privileges.
By following CIS benchmarks, you can effectively mitigate the vulnerabilities associated with CVE-2023-36884 and reduce your attack surface. Microsoft has also acknowledged the value of these CIS benchmarks in their security advisory, as they align with the recommendations provided.
For example, the CIS Microsoft Windows 10 Benchmark, which provides specific security recommendations to address the vulnerabilities:
- 220.127.116.11.1.1 (L1) Ensure ‘Configure Attack Surface Reduction rules’ is set to ‘Enabled’
- 18.104.22.168.1.2 (L1) Ensure ‘Configure Attack Surface Reduction rules: Set the state for each ASR rule’ is configured
Applying server hardening measures is crucial to protect your systems from the severe consequences of the RCE vulnerability CVE-2023-36884. By implementing these security measures, you can significantly reduce the risk of exploitation and unauthorized access to your servers. It not only safeguards sensitive data and resources but also ensures the stability and continuity of your operations. Take action now to secure your servers against potential threats and stay one step ahead in maintaining a robust and secure computing environment. Your proactive efforts in server hardening can be the key to thwarting malicious attacks and preserving the integrity of your organization’s infrastructure. Don’t wait for a breach to happen and safeguard your digital assets.