Blog Post July 12, 2023

New Microsoft Vulnerability Storm-078: What you Need to Know

Microsoft has issued a warning about an active phishing campaign that lures users into opening Microsoft Word attachments sent via email. Microsoft first identified the campaign in June 2023.

The attackers, a Russian cybercriminal group known as Storm-0978, are exploiting a zero-day vulnerability of CVE-2023-36884 by sending victims phishing emails that contain infected Microsoft Word files that deploy a backdoor, similar to RomCom Remote Access Trojan (RAT) malware. The malicious software is triggered upon downloading the files, allowing threat actors access to victims’ systems. 

According to Microsoft, Windows Defender for Office 365 users and those using Microsoft 365 Apps (Versions 2302 or later) are protected from this attack. However, Adlumin advises that organizations contact your MDR team to assist them with the mitigation steps Microsoft recommends.  

This remote code execution attack is among several others that hackers are currently exploiting in the wild since yesterday, including: 

  • Windows SmartScreen Security Feature Bypass (CVE-2023-32049)  
  • Windows MSHTML Platform Elevation of Privilege (CVE-2023-32046)  
  • Windows Error Reporting Service Elevation of Privilege (CVE-2023-36874)  
  • Microsoft Outlook Security Feature Bypass (CVE-2023-35311)  

According to reports, there are at least 132 new security vulnerabilities that Microsoft is working to address; many of them are in the “critical” and “severe” range of the CVSS.    

The Phishing Campaign  

Users should remain alert when receiving emails with messages related to the conflict in Ukraine, according to Microsoft Threat Intelligence.   

The phishing campaign has often been directed to defense and government entities in Europe and North America with lures to the “Ukrainian World Congress.” But Storm-0978 has also targeted financial companies for ransomware.   

The Adlumin Response   

Adlumin is monitoring to ensure that any necessary patches or workarounds are implemented as soon as they become available.  

In the meantime, we recommend that organizations remain vigilant, follow best practices to enhance your security posture, and exercise caution with email attachments and links. We also recommend the following: 

  • Educate and raise awareness among employees about the potential risks of opening unknown or suspicious files and encourage them to report suspicious activity.  
  •  Remain cautious when opening email attachments or clicking on links, especially if they are from unknown or suspicious sources.  
  • Invest in a security operation platform to continually search and alert for suspicious executions which may be a result of the exploitation of the vulnerability. 
  • Invest in a continuous vulnerability management product to regularly scan your environment to identify vulnerabilities and misconfigurations.