A critical security threat has emerged as the Russian group RomCom, also known as Storm-0978, has been actively exploiting a Microsoft Office and Windows HTML Remote Code Execution (RCE) zero-day vulnerability, identified as CVE-2023-36884, to deploy malicious ransomware. This vulnerability allows attackers to execute remote code on a victim’s computer by crafting a specially designed Microsoft Office document, which, when opened, initiates a series of malicious activities.
Russian group RomCom and CVE-2023-36884 vulnerability details
CVE-2023-36884 is an RCE vulnerability in Microsoft Windows and Office that has been assigned a CVSSv3 score of 8.3. It was exploited in the wild as a zero-day, with Microsoft observing active exploitation using specially crafted Microsoft Office documents. The vulnerability requires user interaction, as the victim must open the malicious document for the exploit to succeed.
RomCom exploits vulnerability

RomCom has been involved in targeted attacks against defense and government organizations in Europe and North America. These attacks have employed sophisticated techniques, including weaponizing Microsoft Word documents to pose as information regarding the Ukrainian World Congress. The exploitation campaign has been linked to the upcoming NATO Summit, with guests set to participate in the summit being targeted.
Mitigation and protection
Microsoft has provided mitigation guidance to help protect users from this vulnerability. This includes blocking Office applications from creating child processes or setting the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. Additionally, Microsoft Defender for Office 365 protects users from attachments designed to exploit CVE-2023-36884.
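The two mitigations above can be audited and applied from an elevated PowerShell session. The script below is an added example, not Microsoft's own tooling or code from this article: it checks whether the Attack Surface Reduction rule "Block all Office applications from creating child processes" is set to Block and whether every Office binary has its FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION value set, and with `-Apply` it sets both. The rule GUID, registry path and per-application value names are taken from Microsoft's published guidance for CVE-2023-36884 and should be re-checked against the current advisory before deployment; the function names and the `-Apply` switch are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example: audit/apply Microsoft's interim mitigations for CVE-2023-36884.
# The ASR rule GUID and registry layout follow Microsoft's published guidance
# for this CVE (assumption: still current; verify against the advisory).
param([switch]$Apply)

# ASR rule "Block all Office applications from creating child processes"
$AsrRuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# FeatureControl key from the advisory; each Office binary gets a DWORD of 1
$RegPath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$OfficeBinaries = @('Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe',
                    'PowerPoint.exe', 'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe')

function Get-AsrRuleAction {
    # Returns the configured action for one ASR rule:
    # 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn, $null = not configured.
    param([string]$RuleId)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) { return [int]$actions[$i] }
    }
    return $null
}

function Get-MissingFeatureControlEntries {
    # Lists Office binaries whose DWORD under the FeatureControl key is not 1.
    $missing = @()
    $keyExists = Test-Path -Path $RegPath
    foreach ($bin in $OfficeBinaries) {
        $value = $null
        if ($keyExists) {
            $value = (Get-ItemProperty -Path $RegPath -Name $bin -ErrorAction SilentlyContinue).$bin
        }
        if ($value -ne 1) { $missing += $bin }
    }
    return $missing
}

function Set-Cve202336884Mitigations {
    # Turn the ASR rule on in Block mode (merges with existing rule settings).
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRuleId `
                     -AttackSurfaceReductionRules_Actions Enabled
    # Create the FeatureControl key and one DWORD=1 per Office binary.
    if (-not (Test-Path -Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    foreach ($bin in $OfficeBinaries) {
        New-ItemProperty -Path $RegPath -Name $bin -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Show-MitigationState {
    $action  = Get-AsrRuleAction -RuleId $AsrRuleId
    $missing = Get-MissingFeatureControlEntries
    $asrOk   = ($action -eq 1)
    Write-Output ("ASR child-process rule: {0}" -f $(if ($asrOk) { 'Block' } elseif ($null -eq $action) { 'NOT CONFIGURED' } else { "action=$action (not Block)" }))
    if ($missing.Count -eq 0) {
        Write-Output "FeatureControl key: all $($OfficeBinaries.Count) Office binaries set to 1"
    } else {
        Write-Output ("FeatureControl key: missing or wrong for {0}" -f ($missing -join ', '))
    }
    return ($asrOk -and $missing.Count -eq 0)
}

if ($Apply) {
    Set-Cve202336884Mitigations
    Write-Output "Mitigations applied; re-checking state:"
}
$compliant = Show-MitigationState
exit $(if ($compliant) { 0 } else { 1 })
```

Run it without arguments to get a compliance report (exit code 1 when either mitigation is absent, which makes it usable from a configuration-management job), and with `-Apply` to enforce both settings. The ASR rule only takes effect when Microsoft Defender real-time protection is active, and because it blocks every child process spawned by Office it can interrupt legitimate add-ins and macros, so stage it in audit mode first if that is a concern. Both settings are interim measures; once the security update for CVE-2023-36884 is installed, check Microsoft's advisory for whether the registry entries are still needed.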
Impact and recommendations
The exploitation of CVE-2023-36884 by RomCom poses a significant threat to organizations and individuals using Microsoft Office and Windows products. It is crucial for users to remain vigilant and avoid opening suspicious documents. Organizations should implement the recommended mitigations and ensure their security software is up-to-date to protect against these targeted attacks.
This incident highlights the ongoing threat of zero-day vulnerabilities and the importance of robust security measures. Users and organizations must stay informed and take proactive steps to mitigate these risks and protect their systems and data.