Microsoft users on high alert over dangerous RCE zero-day

A severe RCE vulnerability in Microsoft Office and Windows is among a number of zero-days disclosed in Redmond’s July Patch Tuesday update, but this one doesn’t have a patch yet

By Alex Scroxton, Security Editor

Published: 12 Jul 2023 11:45

Microsoft has disclosed a potentially serious remote code execution (RCE) zero-day under active exploitation – by a group with alleged links to the Russian intelligence services – among more than 100 other vulnerabilities in its July Patch Tuesday update, but the company has not yet issued an actual patch for it.

Although not deemed a critical vulnerability, the flaw’s use by a group Microsoft is tracking as Storm-0978, also known as RomCom after its backdoor malware, appears to have prompted Redmond’s security teams to take pre-emptive action.

The vulnerability in question is tracked as CVE-2023-36884. It affects a total of 41 products including multiple versions of Windows, Windows Server and Office, and can be successfully exploited using a specially crafted Word document that would allow an unauthorised actor to achieve RCE capabilities in the context of their victim, if the victim can be convinced to open the malicious file.

Microsoft said: “Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This might include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.”

Storm-0978 is known to have carried out opportunistic, financially motivated ransomware attacks using the Underground locker, and extortion-only operations, as well as targeted credential-gathering operations, suggesting it operates in support of Russian intelligence objectives.

It has hit multiple government and military targets, many of them in Ukraine, as well as organisations across Europe and North America. Its current lures are largely themed around Ukrainian political affairs, most notably Kyiv’s attempts to join the Nato alliance.

Microsoft has issued a list of mitigations for security teams to minimise the potential impact of Storm-0978. For CVE-2023-36884 specifically, it is recommending use of the Block all Office applications from creating child processes attack surface reduction rule or, if this can’t be done, setting the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation, although doing so may cause some functionality issues. Note that users of Microsoft Defender for Office 365 are already protected against malicious attachments exploiting the bug.
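The following PowerShell is an added example, not code from the article or from Microsoft, that audits the two mitigations named above on a single Windows host and can apply them. It assumes an elevated session with Microsoft Defender Antivirus; the ASR rule GUID, the full registry path and the list of Office executables follow Microsoft’s published guidance for this CVE and should be confirmed against the current advisory before deployment.

```powershell
# Added example: audit/apply the CVE-2023-36884 mitigations on one host.
# Run elevated. GUID, registry path and app names follow Microsoft's
# published guidance (assumption: verify against the current advisory).

# ASR rule "Block all Office applications from creating child processes"
$AsrRuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# Registry workaround: one REG_DWORD = 1 per Office executable under this key
$FeatureKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$OfficeApps = 'Excel.exe','Graph.exe','MSAccess.exe','MSPub.exe','PowerPoint.exe',
              'Visio.exe','WinProj.exe','WinWord.exe','Wordpad.exe'

function Get-AsrRuleState {
    # Returns Enabled / AuditMode / Disabled / NotConfigured for the rule
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $AsrRuleId) {
            switch ($pref.AttackSurfaceReductionRules_Actions[$i]) {
                1       { return 'Enabled' }
                2       { return 'AuditMode' }
                default { return 'Disabled' }
            }
        }
    }
    return 'NotConfigured'
}

function Get-MissingFeatureControlApps {
    # Returns the Office executables not yet set to 1 under the feature-control key
    if (-not (Test-Path $FeatureKey)) { return $OfficeApps }
    $present = Get-ItemProperty -Path $FeatureKey
    $OfficeApps | Where-Object { $present.$_ -ne 1 }
}

function Enable-Cve202336884Mitigations {
    param([switch]$ApplyRegistryWorkaround)   # registry workaround may break functionality
    # Add-MpPreference appends to the existing rule list instead of replacing it
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRuleId `
                     -AttackSurfaceReductionRules_Actions Enabled
    if ($ApplyRegistryWorkaround) {
        New-Item -Path $FeatureKey -Force | Out-Null
        foreach ($app in $OfficeApps) {
            New-ItemProperty -Path $FeatureKey -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

"ASR rule state: $(Get-AsrRuleState)"
"Apps missing from FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION: $((Get-MissingFeatureControlApps) -join ', ')"
```

Run the two Get- functions first to record the baseline, then call Enable-Cve202336884Mitigations (with -ApplyRegistryWorkaround only where the ASR rule cannot be used) and re-run them to confirm the change.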

Rapid7 head of vulnerability and risk management Adam Barnett said many defenders would be understandably unsettled by the lack of an immediate patch.

“While it’s possible that a patch will be issued as part of next month’s Patch Tuesday, Microsoft Office is deployed just about everywhere, and this threat actor is making waves; admins should be ready for an out-of-cycle security update for CVE-2023-36884,” said Barnett.

The other zero-days in the July update come amid a total of 130 different vulnerabilities addressed this month, a considerably higher number than of late, but according to Dustin Childs of the Zero Day Initiative, not necessarily out of the ordinary given the shenanigans likely to go on at the annual Black Hat USA conference, now less than a month away.

The zero-days are, in CVE number order:

  • CVE-2023-32046, an elevation of privilege (EoP) vulnerability in Windows MSHTML Platform;
  • CVE-2023-32049, a security feature bypass (SFB) vulnerability in Windows SmartScreen;
  • CVE-2023-35311, an SFB vulnerability in Microsoft Outlook;
  • CVE-2023-36874, an EoP vulnerability in Windows Error Reporting Service.

Microsoft also issued an advisory, but no specific CVE designation, for an observed campaign of drivers certified by its Windows Hardware Developer Programme (MWHDP) being used maliciously in post-exploitation activity.

This campaign – which saw attackers gain admin privileges on compromised systems before using the drivers – may be read as a sixth zero-day, depending on whose definition of the term you subscribe to.

Microsoft has been investigating this issue since being informed of it by Sophos researchers in February, with other reports from Trend Micro and Cisco Talos also assisting.

It found several developer accounts for the Microsoft Partner Centre (MPC) had been submitting malicious drivers to obtain a Microsoft signature. All the developer accounts and partner vendor accounts involved have been suspended.

Updates have been released that untrust drivers and driver signing certificates for the affected files, and blocking detections have been added to Microsoft Defender to better protect customers.

Christopher Budd, director of threat research at Sophos X-Ops, said: “Since October of last year, we’ve observed a concerning rise in threat actors taking advantage of malicious signed drivers to carry out various cyber attacks, including ransomware. We believed that attackers would continue to leverage this attack vector, and that has certainly been the case.

“Back in December 2022, we found seven drivers that were signed with legitimate Microsoft WHCP certificates, and now, after a months-long collaboration with Microsoft, we’re drawing attention to 100 more of these malicious signed drivers with WHCP certificates.

“Because drivers often communicate with the ‘core’ of the operating system and load before security software, when they are abused, they can be particularly effective at disabling security protections – especially when signed by a trusted authority. Many of the malicious drivers we’ve discovered were specifically designed to target and take out EDR [Endpoint Detection and Response] products, leaving the affected systems vulnerable to a range of malicious activity,” said Budd.

“Obtaining a signature for a malicious driver is difficult, so this technique is primarily used by advanced threat actors in targeted attacks. What’s more, these particular drivers aren’t vendor specific; they’re targeting a wide range of EDR software. That’s why the broader security community needs to be aware, so that they can implement additional protections where necessary. It’s important that companies implement the patches Microsoft released today,” he said.

Copyright for syndicated content belongs to the linked source: Computer Weekly – https://www.computerweekly.com/news/366544495/Microsoft-users-on-high-alert-over-dangerous-RCE-zero-day