Microsoft on Tuesday released updates to address a total of 132 new security flaws in its software, including six zero-day flaws it says are being actively exploited in the wild.
Of the 132 vulnerabilities, nine are rated Critical, 122 are rated Important in severity, and one was given a "None" severity rating. This is in addition to eight flaws the tech giant patched in its Chromium-based Edge browser towards the end of last month.
The list of issues that have come under active exploitation is as follows –
- CVE-2023-32046 (CVSS Score: 7.8) – Windows MSHTML Platform Elevation of Privilege Vulnerability
- CVE-2023-32049 (CVSS Score: 8.8) – Windows SmartScreen Security Feature Bypass Vulnerability
- CVE-2023-35311 (CVSS Score: 8.8) – Microsoft Outlook Security Feature Bypass Vulnerability
- CVE-2023-36874 (CVSS Score: 7.8) – Windows Error Reporting Service Elevation of Privilege Vulnerability
- CVE-2023-36884 (CVSS Score: 8.3) – Office and Windows HTML Remote Code Execution Vulnerability (Also publicly known at release)
- ADV230001 – Malicious use of Microsoft signed drivers for post-exploit activity (no CVE defined)
The Windows maker says it is aware of targeted attacks on defense and government entities in Europe and North America trying to exploit CVE-2023-36884 by using the lure of specially crafted Microsoft Office documents related to the World Congress of Ukraine, echoing recent findings from BlackBerry.
“An attacker can create specially crafted Microsoft Office documents that allow them to perform remote code execution in the victim’s context,” Microsoft said. “However, the attacker must convince the victim to open the malicious file.”
The company has attributed the intrusion campaign to a Russian cybercriminal group it is tracking as Storm-0978, also known as RomCom, Tropical Scorpius, UNC2596, and Void Rabisu.
“The actor also deployed the Underground ransomware, which is closely related to the Industrial Spy ransomware which was first observed in the wild in May 2022,” the Microsoft Threat Intelligence team explained. “The actor’s most recent campaign detected in June 2023 involved misusing CVE-2023-36884 to present a RomCom-like backdoor.”
A recent phishing attack staged by the actor entailed the use of trojanized versions of legitimate software, hosted on lookalike websites, to spread a remote access trojan called RomCom RAT against various Ukrainian and pro-Ukrainian targets in Eastern Europe and North America.
While RomCom was first noted as a group associated with the Cuba ransomware, it has since been linked to other ransomware families such as Industrial Spy as well as a new variant called Underground in July 2023, which shows significant source code overlap with Industrial Spy.
Microsoft said it would take "appropriate actions to help protect our customers" in the form of out-of-band security updates or through its monthly release process. In the absence of a patch for CVE-2023-36884, the company urges users to enable the "Block all Office applications from creating child processes" Attack Surface Reduction (ASR) rule.
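The ASR rule above is applied and verified with Microsoft Defender Antivirus cmdlets. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes an elevated session on a host running Microsoft Defender Antivirus, and the GUID is the documented rule ID for "Block all Office applications from creating child processes".

```powershell
# Added example (not from the article): check, enable and monitor the ASR rule
# that Microsoft recommends as a stopgap for CVE-2023-36884.
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# Report how the rule is currently configured on this host.
function Get-AsrRuleState {
    param([string]$RuleId)
    $prefs = Get-MpPreference
    $ids   = @($prefs.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) {
            # Action codes as documented for Defender ASR rules.
            switch ([int]$prefs.AttackSurfaceReductionRules_Actions[$i]) {
                0 { return 'Disabled' }
                1 { return 'Block' }
                2 { return 'Audit' }
                6 { return 'Warn' }
                default { return 'Unknown' }
            }
        }
    }
    return 'NotConfigured'
}

# Roll out in AuditMode first to see what would be blocked, then switch to Enabled.
function Set-AsrRuleState {
    param(
        [string]$RuleId,
        [ValidateSet('Enabled', 'AuditMode', 'Disabled')][string]$Action
    )
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions $Action
}

# Pull recent ASR events for this rule: 1121 = blocked, 1122 = audited.
function Get-AsrRuleEvents {
    param([string]$RuleId, [int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = @(1121, 1122)
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -imatch $RuleId } |
        Select-Object TimeCreated, Id, Message
}

"Current state: $(Get-AsrRuleState -RuleId $OfficeChildProcRule)"
Set-AsrRuleState -RuleId $OfficeChildProcRule -Action AuditMode
Get-AsrRuleEvents -RuleId $OfficeChildProcRule -Hours 24 | Format-Table -AutoSize
```

Run with AuditMode for a test window, review the 1122 events for legitimate Office child processes (add-ins, installers), then re-run Set-AsrRuleState with Enabled.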
Redmond further said it revoked the code signing certificate used to sign and install malicious kernel-mode drivers on compromised systems by exploiting a Windows policy loophole to change the driver signing date before July 29, 2015, by leveraging open source tools such as HookSignTool and FuckCertVerifyTimeValidity.
The findings show that the use of rogue kernel-mode drivers is gaining traction among threat actors because such drivers operate at the highest privilege level on Windows, making it possible to maintain persistence for a long time while simultaneously disrupting security software to avoid detection.
It is currently unclear how the other weaknesses were exploited and how widespread the attacks were. But given the active abuse, users are advised to move quickly to apply the updates to mitigate potential threats.
Software Patches from Other Vendors
Apart from Microsoft, security updates have also been released by other vendors over the past few weeks to fix several vulnerabilities, including —