Microsoft revealed a zero-day vulnerability in Office and Windows products is being actively exploited by a financially and politically motivated cybercriminal group based in Russia.
In a blog post on Tuesday, Microsoft attributed an ongoing phishing campaign detected in June to a group it tracks as Storm-0978. The attacks leverage an unpatched Office and Windows HTML remote code execution vulnerability, tracked as CVE-2023-36884, to target defense and government entities located in Europe and North America.
Microsoft said the campaign uses lures related to the Ukrainian World Congress and NATO to trick organizations into opening malicious attachments in Word documents, typically delivered through phishing emails. In addition to the phishing campaign, Storm-0978 was also observed engaging in ransomware activity that Microsoft said was "entirely separate from espionage-focused targets."
"Storm-0978 (DEV-0978; also referred to as RomCom, the name of their backdoor, by other vendors) is a cybercriminal group based out of Russia, known to conduct opportunistic ransomware and extortion-only operations, as well as target credential-gathering campaigns likely in support of intelligence operations," Microsoft wrote in the blog post.
The blog post included tactics; techniques and procedures; and a timeline of confirmed Storm-0978 activity, which Microsoft first identified in December of last year. During the June phishing campaign, Microsoft observed the use of a fake OneDrive loader to deliver the backdoor. The blog post emphasized how Storm-0978 uses Trojanized versions of legitimate software, such as Adobe products, Solarwinds Orion and KeePass before installing a backdoor malware known as RomCom.
"Additionally, based on attributed phishing activity, Storm-0978 has acquired exploits targeting zero-day vulnerabilities," the blog said.
One unusual aspect of the campaign involved the threat group's ransomware activity. Microsoft said it discovered "concurrent, separate Storm-0978 ransomware activity against an unrelated target using the same initial payloads."
The blog emphasized how Storm-0978 exhibits distinct espionage and financial motivations. For example, espionage targets included European and North American-based organizations that are potentially involved in Ukraine affairs, while ransomware targets were in the telecommunications and finance sectors.
During the ransomware attacks, threat actors used a ransomware variant called Underground, which Microsoft linked to Industrial Spy ransomware that was first observed in the wild in May 2022. To access credentials, Storm-0978 dumped password hashes from the Security Account Manager using the Windows registry.
Microsoft said its Defender for Office 365 product detected the initial use of the exploit targeting CVE-2023-36884. To defend against Storm 0978 activity, Microsoft recommended turning on cloud-delivered protection in Microsoft Defender Antivirus, running EDR in block mode, and enabling investigating and remediation in full automated mode.
In a separate vulnerability guide for CVE-2023-36884, Microsoft said once its investigation into the reports of active exploitation is complete, it may provide a security update. TechTarget Editorial contacted Microsoft for additional information but was directed to the company's advisory and blog post.
Adam Barnett, lead software engineer at Rapid7, addressed the zero-day vulnerability in a blog post on Tuesday, highlighting the 130 total vulnerabilities Microsoft announced on Patch Tuesday this week. Out of the 130, five were zero-day flaws.
"Surprisingly, there is no patch yet for one of the five zero-day vulnerabilities. Defenders who are understandably unsettled by the lack of immediate patches for CVE-2023-36884 should consult the multiple mitigation options on the advisory. Microsoft claims that assets with Defenders for Office 365 are already protected," Barnett wrote in the blog.
Barnett warned administrators to prepare for "an out-cycle security update for CVE-2023-26884."
Potential RomCom rebrand
Prior to Microsoft's report, the BlackBerry Threat Research and Intelligence Team also observed a threat actor associated with RomCom impersonating the Ukrainian World Congress to target NATO summit guests that may support Ukraine. The phishing attacks observed on July 4, which BlackBerry detailed in a blog post last week, also leveraged Microsoft Word documents. However, researchers believe the threat actors campaign drills began on June 22.
Based on geopolitical context, domain registration and network infrastructure information, BlackBerry assessed with medium to high confidence that the activity was either a RomCom-rebranded operation or that one or more members of the RomCom threat group may be behind the new campaign in support of a new threat group.
BlackBerry told TechTarget Editorial it has not observed RomCom involved in ransomware activity and said the threat actor's country of origin is unclear. "However, given the nature of the language we've observed in its social engineering as well as the context involved (the war in Ukraine and events around Western countries supporting Ukraine), we believe the threat actor is likely a supporter of Russia's invasion of Ukraine," BlackBerry said.
Arielle Waldman is a Boston-based reporter covering enterprise security news.