Of the 132 vulnerabilities, nine are assigned a Critical rating, 122 are assigned a Severe rating in Severity, and one is assigned a severity rating of “none”. This is in addition to the eight flaws that the tech giant patched in its Chromium-based Edge browser late last month.
The list of issues that come under active exploitation is as follows –
- CVE-2023-32046 (CVSS Score: 7.8) – Windows MSHTML Platform Elevation of Privilege Vulnerability
- CVE-2023-32049 (CVSS Score: 8.8) – Windows SmartScreen Security Feature Bypass Vulnerability
- CVE-2023-35311 (CVSS Score: 8.8) – Microsoft Outlook Security Feature Bypass Vulnerability
- CVE-2023-36874 (CVSS Score: 7.8) – Windows Error Reporting Service elevation of privilege vulnerability
- CVE-2023-36884 (CVSS score: 8.3) – Office and Windows HTML remote code execution vulnerability (publicly known at time of release)
- ADV230001 – Malicious use of Microsoft-signed drivers for post-exploit activity (no CVE assigned)
The Windows maker said it is aware of targeted attacks against defense and government entities in Europe and North America using specially crafted Microsoft Office document lures related to the Ukrainian World Congress exploit CVE-2023-36884. Let’s try, which matches the latest findings of BlackBerry.
“An attacker can create a specially crafted Microsoft Office document that enables them to perform remote code execution in the victim’s context,” Microsoft said. “However, an attacker would have to persuade the victim to open the malicious file.”
The company attributed the intrusion campaign to a Russian cybercriminal group it tracks to Storm-0978, also known as Romcom, Tropical Scorpius, UNC2596, and Void Rabisu.
“The actor also deploys Underground ransomware, which is closely related to the Industrial Spy ransomware first observed in the wild in May 2022,” the Microsoft Threat Intelligence team reported. “The actor’s latest campaign, discovered in June 2023, was abusing CVE-2023-36884 to provide backdoors similar to romcoms.”
Recent phishing attacks by the actor include the use of trojanized versions of legitimate software hosted on the same websites to deploy a remote access trojan called the Romcom RAT against various Ukrainian and pro-Ukraine targets in Eastern Europe and North America.
While Romcom was first seen as a group linked to the Cuban ransomware, it has since been linked to other ransomware strains such as Industrial Spy, as well as a new variant called Underground, as of July 2023, which is affiliated with Industry Spy. Displays significant source code overlap.
Microsoft said it intends to take “appropriate action to help protect our customers” in the form of out-of-band security updates or through its monthly release process. In the absence of a patch for CVE-2023-36884, the company is urging users to use the “Block all Office applications from creating child processes” Attack Surface Reduction (ASR) rule.
Redmond further said that it signed and installed malicious kernel-mode drivers on the compromised systems using open-source tools, exploiting a Windows policy loophole to change the signing date of the drivers past July 29, 2015. Revoked the code-signing certificate used for HookSignTools and FakeCertifyTimeValidity.
The findings suggest that the use of rogue kernel-mode drivers is on the rise among threat actors because they operate at the highest privilege level on Windows, making it possible to establish persistence for extended periods while interfering with the functioning of security software.
It is unclear at this time how other vulnerabilities are being exploited and how widespread those attacks are. But given the active abuse, it is recommended that users move quickly to apply updates to mitigate potential threats.
