Axon Rapid Response - CVE-2023-36884 Microsoft Office and Windows HTML RCE
Incident Report for Rapid Response Status Page
Resolved
This incident has been resolved.
Posted Jul 16, 2023 - 18:19 UTC
Update
-
Posted Jul 16, 2023 - 18:18 UTC
Update
Dear customers,

The team has been investigating the recently published Microsoft Office and Windows HTML RCE vulnerability (CVE-2023-36884). The hunting queries in our Github repository were updated according to exploitations observed in the wild.
Customers with outdated Office versions are advised to update the software to block exploitation. If not possible, it is highly recommended to apply the mitigation using the registry key as explained in the team's previous status update.
Note that the previous update included broken links that are now fixed and accessible for your use.
In addition to the provided hunting queries, the team performed IOC sweeps on Axon customers' data for the following IOCs (reference: https://twitter.com/BertJanCyber/status/1679231301671432195?s=20):
74[.]50[.]94[.]156
104[.]234[.]239[.]26
94[.]232[.]40[.]34
66[.]23[.]226[.]102
For detailed information and instructions on patching, please refer to the official Microsoft update guide available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884.

The team will notify you of any actionable new details. If you have any questions, please do not hesitate to reach out to us.

Yours,
Team Axon
Posted Jul 16, 2023 - 18:09 UTC
Investigating
Team Axon has been investigating CVE-2023-36884, a zero-day remote code execution vulnerability published in the latest Patch Tuesday (July 11th, 2023) affecting Windows and Office products. A patch is not currently available.

Details of the CVE-2023-36884 Vulnerability:
CVE-2023-36884 is a zero-day Office and Windows HTML Remote Code Execution vulnerability rated “Important” by Microsoft, reported as being exploited since June 2023. By creating a specially crafted Microsoft Office document, an attacker could achieve remote code execution in the context of the victim. Exploitation requires the attacker to trick the user into opening the specially crafted document. This vulnerability is associated with a Storm-0978 campaign (https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/) targeting defense and government entities in Europe and North America.

Mitigation Recommendations:
1. It is recommended to update Microsoft 365 Apps to versions 2302 and later, which are protected from exploitation of the vulnerability via Office.
2. Microsoft recommends blocking all Office applications from creating child processes; however, the impact of this action on the organization’s needs should be validated first.
3. Microsoft recommends setting the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. This mitigation could affect regular functionality for certain use cases related to these applications and should be tested. Please see the Microsoft update guide for more information (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884).

Relevant Hunters Content:
1. It is recommended to monitor leads of the analytic “Office Excel or Word Created a Process” in the platform to identify potential exploitations of this vulnerability.
2. Look for outgoing HTTP and SMB connections to unfamiliar external IPs around lead time.
3. Look for dropped files with a ‘.url’ extension around lead time.
4. Look for ‘.LNK’ file creations in the path %AppData%\Roaming\Microsoft\Office\Recent\ to identify the document opened by the user. Then, you may look up the file hash in its file creation event for further analysis, and its source, if available, in the email gateway logs.

Threat Hunting Queries:
While Team Axon performs proactive threat hunting on Axon customers’ environments, several hunting queries for identifying suspicious activity that may be an indicator of exploitation of the vulnerability are shared on the GitHub repository (https://github.com/axon-git/rapid-response/tree/main) for your own use.

The first query looks for file creations with the target file name being ‘file001.url’. According to our analysis, this behavior is associated with successful exploitations of the vulnerability.

https://github.com/axon-git/rapid-response/blob/d9882b7a0c1d7fa49fe528d95877f7ef856fc231/Microsoft%20Office%20and%20Windows%20HTML%20RCE%20-%20CVE-2023-36884/exploitation_attempts_dropped_file_hunting_query.sql

The second query looks for outbound SMB connections initiated by Office applications. It filters out target addresses that are part of internal ranges according to the Internet Assigned Numbers Authority (IANA), as well as external IPs which are known to be organizational according to various data sources of the customer (for example, EDR and IdP logs). Organizations that have internal IPs from other ranges may add a custom filter.

https://github.com/axon-git/rapid-response/blob/d9882b7a0c1d7fa49fe528d95877f7ef856fc231/Microsoft%20Office%20and%20Windows%20HTML%20RCE%20-%20CVE-2023-36884/exploitation_attempts_outbound_smb_hunting_query.sql
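The detection logic of both queries above (the ‘file001.url’ drop and Office-initiated outbound SMB with internal/organizational addresses filtered out), as an added Python illustration run over constructed sample telemetry; it is not the SQL from the Axon repository. The Office process list, the event field names and the `custom_ranges`/`known_org_external` parameters are assumptions for this example; the one flagged destination is taken from the IOC list in this advisory.

```python
import ipaddress

# Office binaries whose outbound SMB (TCP/445) is unexpected (assumption for this example)
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# IANA special-purpose IPv4 ranges treated as internal / non-routable (RFC 6890 registry)
IANA_INTERNAL = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed sample telemetry (not real customer data); the SMB hit uses an address from
# the advisory's IOC list, the rest are private or documentation addresses.
EVENTS = [
    {"type": "file_create", "host": "ws01", "process": "winword.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\file001.url"},
    {"type": "file_create", "host": "ws01", "process": "winword.exe",
     "path": r"C:\Users\alice\Downloads\invoice.docx"},
    {"type": "net_conn", "host": "ws01", "process": "winword.exe", "dst_ip": "10.20.30.40", "dst_port": 445},
    {"type": "net_conn", "host": "ws01", "process": "winword.exe", "dst_ip": "74.50.94.156", "dst_port": 445},
    {"type": "net_conn", "host": "ws02", "process": "chrome.exe", "dst_ip": "74.50.94.156", "dst_port": 445},
    {"type": "net_conn", "host": "ws02", "process": "excel.exe", "dst_ip": "203.0.113.5", "dst_port": 443},
]


def is_internal(ip, known_org_external=(), custom_ranges=()):
    """True if ip is an IANA special-purpose address, a known organizational public IP,
    or falls inside a customer-supplied extra range (the 'custom filter' from the advisory)."""
    if ip in known_org_external:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IANA_INTERNAL) or \
        any(addr in ipaddress.ip_network(r) for r in custom_ranges)


def hunt_dropped_url_file(events, name="file001.url"):
    """Query 1: file creations whose target file name is file001.url (case-insensitive)."""
    return [e for e in events if e["type"] == "file_create"
            and e["path"].rsplit("\\", 1)[-1].lower() == name]


def hunt_office_outbound_smb(events, known_org_external=(), custom_ranges=()):
    """Query 2: Office processes opening TCP/445 to addresses outside internal/org ranges."""
    return [e for e in events if e["type"] == "net_conn" and e["dst_port"] == 445
            and e["process"].lower() in OFFICE_PROCESSES
            and not is_internal(e["dst_ip"], known_org_external, custom_ranges)]


if __name__ == "__main__":
    for hit in hunt_dropped_url_file(EVENTS) + hunt_office_outbound_smb(EVENTS):
        print(hit)
```

Both functions return the matching events so they can be joined on `host` to correlate a dropped ‘.url’ file with the SMB connection from the same workstation around lead time.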

It is advised to run the queries and identify unexpected anomalous connections in the environment.

The team will reach out directly to customers in case of detection of successful exploitations.

Please don’t hesitate to reach out to the team if you have any questions.

Team Axon
Posted Jul 13, 2023 - 17:41 UTC
This incident affected: Rapid Response.