BlackBerry Shields Customers From Microsoft Office and Windows HTML Remote Code Execution Vulnerability
The threat actors behind the RomCom RAT (remote access Trojan) are stepping up their use of a Microsoft vulnerability to target Western government entities and individuals involved in supporting Ukraine.
In this latest string of nefarious activities, the Russia-backed RomCom threat group (also referred to as Storm-0978 by other vendors) exploited a known Microsoft® Office and Windows® HTML remote code execution (RCE) vulnerability, CVE-2023-36884. Microsoft confirmed details of this campaign, originally discovered by the BlackBerry Threat Research and Intelligence team, that used spear-phishing lures to target individuals in defense and government planning to attend a recent NATO Summit in Vilnius.
In response to the attacks, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD 22-01), which requires U.S. federal civilian executive branch (FCEB) agencies to secure Windows devices on their networks against CVE-2023-36884 exploits by Aug. 8, 2023. Currently, there is no patch available from Microsoft to mitigate the attack. Microsoft has stated it will take appropriate mitigation actions, which may include providing a security update through its monthly release process or providing an out-of-cycle security update.
When the vulnerability is exploited, an attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution on the victim’s machine once the document is opened. This method is the gateway to many malicious activities, including data exfiltration, credential gathering, and ransoming or stealing information for adversarial intelligence and cyber-espionage purposes.
RomCom Leverages Windows Vulnerability
BlackBerry discovered RomCom’s phishing campaign the week before the NATO Summit and immediately shared this intelligence — including IoCs (indicators of compromise) — with relevant government agencies several days before releasing a public report on July 8. The vulnerability announcement was made by Microsoft three days later, on July 11. Based on BlackBerry's cyberthreat telemetry, network data analysis, and the full set of cyber weapons the team collected, it appears that RomCom ran its first test drills on June 22, and again a few days before the malicious command-and-control (C2) used in this campaign was registered and went live.
As the team dug deeper into this campaign, the BlackBerry researchers found two malicious documents submitted from an IP address in Hungary, sent as lures to an organization supporting Ukraine abroad, and a document targeting NATO Summit guests who may also be providing support to Ukraine. The infection technique used in the document is RTF exploitation, with outbound connections initiated from the victim’s machine once the target opens the document.
The spear-phishing emails encouraged their intended victims to click on a link that sent them to a specially crafted replica of the Ukrainian World Congress website, leveraging CVE-2023-36884 to deliver a malicious payload that allows for remote code execution. The fake Ukrainian World Congress site was hosted on a URL that looked almost identical to the real URL: the legitimate domain is ukrainianworldcongress.org, whereas the malicious domain was ukrainianworldcongress[.]info. This is a technique known as typosquatting, where the threat actor relies on the victim not noticing that the link they are clicking on is slightly different from the official URL of the site they intend to visit.
BlackBerry Protects Customers from Microsoft Office and Windows HTML Remote Code Execution Vulnerability
BlackBerry has verified that its cybersecurity software, powered by Cylance AI, protects against these vulnerabilities. CylancePROTECT® convicts payloads that are known to be associated with these attacks. As an added precaution, all known hashes have been added to BlackBerry's Global Restricted List (GRL) to provide defense-in-depth.
BlackBerry also authored a custom CylanceOPTICS® rule to assist with the detection of attacks attempting to exploit this vulnerability. The rule is available for BlackBerry customers to download through myAccount, by accessing the Office and Windows HTML Remote Code Execution Vulnerability (CVE-2023-36884) Optics Rule Knowledge Base (KB) article (000111707).
In addition, BlackBerry recommends that customers concerned about the vulnerability follow the recommendations provided by the Microsoft Security Response Center in its blog post, titled 'Office and Windows HTML Remote Code Execution Vulnerability,' to reduce the risk to any potentially affected systems.
And finally, it should go without saying, but the simple way to avoid attacks launched via spear-phishing and typosquatting techniques is to never click any links sent in emails, even if the email appears to come from a legitimate source. Always type the website address you want to visit directly into your browser, or bookmark the official link. Carefully review links typed by hand to avoid typos that may lead to compromised or fake websites (“.cm” instead of “.com” is the most regularly exploited typo, according to this alert issued by KrebsOnSecurity). Organizations should teach this easy tip to all employees as part of general security hygiene.
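One defensive check for the lookalike domains discussed above (the .org/.info swap and the ".cm" for ".com" typo), as an added example that is not BlackBerry's code and not part of the CylanceOPTICS rule; the PROTECTED allowlist, the example.com entry and the two-label domain split are assumptions for illustration:

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: registrable domains the organisation wants to protect.
# ukrainianworldcongress.org is the legitimate domain named in the post;
# example.com stands in for any other domain worth protecting (assumption).
PROTECTED = ("ukrainianworldcongress.org", "example.com")

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit covers the 'example.cm' style typo."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _registrable(host: str) -> str:
    """Keep the last two labels (simplification: ignores multi-label suffixes
    such as co.uk) so 'www.example.com' and 'example.com' compare equal."""
    return ".".join(host.split(".")[-2:])

def check_link(url: str) -> dict:
    """Classify a URL's host as legitimate, lookalike or unrelated.

    Accepts defanged hosts written with '[.]' (as in the post's indicator)
    and bare hosts with no scheme.
    """
    cleaned = url.strip().replace("[.]", ".")
    if "://" not in cleaned:
        cleaned = "http://" + cleaned
    host = (urlparse(cleaned).hostname or "").lower().rstrip(".")
    if not host or not re.fullmatch(r"[a-z0-9.-]+", host):
        return {"host": host, "verdict": "unparseable", "matches": None}
    domain = _registrable(host)
    name, _, tld = domain.rpartition(".")
    for good in PROTECTED:
        good_name, _, good_tld = good.rpartition(".")
        if domain == good:
            return {"host": host, "verdict": "legitimate", "matches": good}
        # Same registrable label, different TLD: the .org -> .info swap.
        if name == good_name and tld != good_tld:
            return {"host": host, "verdict": "lookalike", "matches": good}
        # One character off anywhere: '.cm' for '.com', a dropped or added letter.
        if _edit_distance(domain, good) <= 1:
            return {"host": host, "verdict": "lookalike", "matches": good}
    return {"host": host, "verdict": "unrelated", "matches": None}
```

Run it over the hosts of links extracted from inbound mail and alert on any "lookalike" verdict; exact matches against the allowlist are the only ones treated as legitimate.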
If you or your organization may have been compromised by any of the malicious code or activities referenced in this blog, please contact the BlackBerry Incident Response Team. The team can work with organizations of any size and across any vertical, to evaluate and enhance your endpoint security posture and proactively maintain the security, integrity, and resilience of your network infrastructure.
For emergency assistance, please email us at DLIR@blackberry.com, or use the hand-raiser form.
For similar articles and news delivered straight to your inbox, subscribe to the BlackBerry Blog.