Last week, Microsoft patched two zero-day vulnerabilities (CVE-2023-36884 and CVE-2023-38180). These vulnerabilities are part of Microsoft’s August 2023 Patch Tuesday, which also includes security updates for 87 vulnerabilities. Both of these vulnerabilities were exploited in cyberattacks, and one of them was publicly disclosed prior to the patch release.
CVE-2023-36884 is a remote code execution vulnerability that was previously patched. The vulnerability allowed attackers to craft Microsoft Office documents in a way that circumvented the Mark of the Web (MoTW) security feature, so the files could be opened without triggering a security warning, ultimately enabling remote code execution. Because the flaw had been mitigated earlier but was still being actively exploited, Microsoft has now released an Office Defense in Depth update for it.
The Russian threat actor Storm-0978/RomCom is responsible for actively exploiting this vulnerability. This group, previously recognized for deploying the Industrial Spy ransomware in their attacks, has now rebranded as ‘Underground’ and extorts victims through their ransomware operations.
Microsoft also addressed CVE-2023-38180, which has been actively exploited and could lead to Distributed Denial of Service (DDoS) attacks on .NET applications and Visual Studio. However, Microsoft has not provided further details regarding the specific exploitation methods employed, nor has it revealed who discovered the vulnerability.
Cybersecurity engineer Nikolas Cemerikic at Immersive Labs stated that while an attacker would need to be within the same network as the target system, the vulnerability doesn’t require the attacker to have acquired user privileges on the target system. Avertium suggests that all organizations follow the appropriate security recommendations and promptly apply patches.
- Microsoft recommends installing both the Office updates detailed in its advisory and the Windows updates released in August 2023. The advisory was last updated on August 9, 2023.
- Enable cloud-delivered protection in Microsoft Defender Antivirus or your antivirus product’s equivalent to safeguard against rapidly evolving attacker tools and techniques. Cloud-based machine learning defenses effectively block most new and unknown variants.
- Enable block mode for EDR in Microsoft Defender for Endpoint to proactively block malicious artifacts, even if your non-Microsoft antivirus fails to detect the threat or when Microsoft Defender Antivirus is in passive mode. EDR in block mode operates discreetly to remediate malicious artifacts identified after a breach.
- Microsoft 365 Defender customers have the option to enable attack surface reduction rules, blocking common attack techniques employed in ransomware attacks.
- Block all Office applications from creating child processes.
- Although Microsoft has not provided any details for CVE-2023-38180, it has released an update for the vulnerability, which you can find in its advisory.
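The "block Office child processes" rule above can also be monitored rather than only enforced. As an added example (not part of Avertium's advisory or any Microsoft tooling), this Python script applies the same logic as a detection over constructed Sysmon-style process-creation records; the Office executable list, the high-risk child list and the sample events are assumptions.

```python
"""Flag Office applications spawning child processes in Sysmon-style
Event ID 1 (process creation) records, the behaviour the ASR rule blocks."""
import json
from pathlib import PureWindowsPath

# Office executables whose child processes the ASR rule targets (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                  "msaccess.exe", "onenote.exe", "mspub.exe", "visio.exe"}
# Script hosts / LOLBins that make an Office-spawned child higher severity.
HIGH_RISK_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                      "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
                      "certutil.exe", "msiexec.exe"}

# Constructed newline-delimited JSON events; not real telemetry.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "User": "CORP\\alice"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\alice"}
{"EventID": 1, "Image": "C:\\Windows\\splwow64.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "User": "CORP\\bob"}
{"EventID": 3, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "DestinationIp": "203.0.113.10"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\alice"}
"""

def _basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()

def classify(event):
    """Return 'high', 'medium' or None for one event."""
    if event.get("EventID") != 1:
        return None  # only process-creation events carry a parent image
    if _basename(event.get("ParentImage", "")) not in OFFICE_PARENTS:
        return None  # second-hop children (cmd -> powershell) need tree context
    child = _basename(event.get("Image", ""))
    return "high" if child in HIGH_RISK_CHILDREN else "medium"

def scan(log_text):
    """Parse newline-delimited JSON and return alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        severity = classify(event)
        if severity:
            alerts.append({"severity": severity, "user": event.get("User", "?"),
                           "parent": _basename(event.get("ParentImage", "")),
                           "child": _basename(event.get("Image", ""))})
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The "medium" tier exists because Office legitimately spawns some helpers (the print helper in the sample is one), so enforcement should be preceded by reviewing what the audit data shows.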
If you have any questions about this vulnerability or your information security needs, please contact us at 774-204-0700.