Let's delve into a recent trending event, CVE-2023-36884, which revolves around Microsoft Office. We will discuss the attack method employed, the elements that contributed to its success, and potential mitigation strategies. It is worth noting that as of July 14, Microsoft has not yet released any security updates to address this vulnerability.
The Nato Summit was held in Vilnius, Lithuania, on July 11 and 12, 2023. The idea of Ukraine joining NATO was one of the discussions. The BlackBerry Threat Research and Intelligence team claims that to take advantage of the event, attackers build well worded Word documents with alluring messages and phish that to specific target people who were taking part in the event.
The identified lure documents impersonate the Ukrainian World Congress, a legitimate non-profit organisation. They include a fake letter expressing support for Ukraine's inclusion in NATO and an overview document for UWC's UkraineInNATO campaign. It is believed that the threat actors used spear-phishing techniques and a replica of the Ukrainian World Congress website to initiate the attack.
When the files are opened, a complex execution sequence is triggered. This involves retrieving intermediate payloads from a remote server and exploiting a patched vulnerability called Follina (CVE-2022-30190) in Microsoft's Support Diagnostic Tool (MSDT) to achieve remote code execution.
Technical Analysis
The threat actors behind the attack employed a technique known as typosquatting and clone the original website of Ukrainian World Congress, which is ukrainianworldcongress[.]org. They published this cloned website to a fake domain, ukrainianworldcongress[.]info, with the intention of deceiving users. Typosquatting involves creating domain names that are similar to legitimate ones, often through slight misspellings or variations,.
Sample malware can be downloaded from abuse.ch at https://bazaar.abuse.ch/sample/a61b2eafcf39715031357df6b01e85e0d1ea2e8ee1dfec241b114e18f7a1163f/
After analysing the content of the Word document, it has been determined that the exploitation technique involves the use of RTF (Rich Text Format). Specifically, the file afchunk.rtf contains a hex-encoded URL, which is used to execute and leverage Office and Windows utilities to handle the HTML URL.
Here we can see the decoded version of hex, the content responsible for loading file0001.url has been revealed. This decoding process has provided further insights into the specific resource being accessed and its role in the attack chain
Infection chain
The infection chain associated with CVE-2023-36884 demonstrates a complex sequence. When a document file is opened, it executes afchunk.rtf, which is a hex-encoded and file000.url. The attacker utilizes this URL file to initiate the execution of an invalid SMB file, allowing them to steal NTLM credentials. Subsequently, the attacker leverages an HTML file to achieve remote code execution. It'sit's just an overview of the process happening.
Let's see the document in a controlled lab environment, such as Joesandbox, to observe its behavior and conduct process analysis. This approach will allow us to closely examine the document's actions, interactions, and potentially malicious activities, providing valuable insights into any vulnerabilities being exploited or suspicious behaviors present.
Based on the analysis graph, it indicates that the Word document opens an SMB path with the intention of stealing NTLM hashes. The results demonstrate multiple SMB paths being accessed during the execution of the document.
As of 18th July 2023, the servers responsible for delivering the payloads associated with CVE-2023-36884 are inactive. Consequently, obtaining further files involved in the infection chain is not possible, limiting the ability to provide a comprehensive technical analysis. For a more detailed and thorough understanding of the attack, it is recommended to refer the BlackBerry Research & Intelligence Team blog, available here.
Now that we understand how the attack exploits the vulnerability, let's conclude our blog with possible mitigation strategies. Since Microsoft has not released a security update yet, an interim solution suggested by the security community is:
- Disable child process spawning. However, it's important to note that this workaround may impact the functionality of Office products. Nevertheless, considering the severity of the issue, temporarily disabling child process spawning can be a prudent measure to mitigate the risk.
Mitigation
Here is the official Microsoft advisory to mitigate the vulnerability. Please note that this advisory recommends disabling the spawning of child processes in Office products, which may have an impact on certain Office functionalities.
- Customers who use Microsoft Defender for Office are protected from attachments that attempt to exploit this vulnerability.
- In current attack chains, the use of the Block all Office applications from creating child processes Attack Surface Reduction Rule will prevent the vulnerability from being exploited.
- Organizations who cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. No OS restart is required, but restarting the applications that have had the registry key added for them is recommended in case the value was already queried and is cached. Please note that while these registry settings would mitigate exploitation of this issue, it could affect regular functionality for certain use cases related to these applications. For this reason, we suggest testing. To disable the mitigation, delete the registry key or set it to “0”.
Add the following application names to this registry key as values of type REG_DWORD with data 1.:
Credit & References
- https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
- https://app.any.run/tasks/88e60680-a6ae-412b-abca-c5dc58d675df/
- https://www.joesandbox.com/analysis/1271589/0/html
- https://twitter.com/r00tbsd/status/1679042071477338114
- https://www.joesandbox.com/analysis/1271589/0/html#deviceScreen