Microsoft recently released its monthly set of patches addressing several vulnerabilities in its software. Alongside those patches it published guidance on an Office and Windows HTML remote code execution vulnerability tracked as CVE-2023-36884, for which no fix was included in that release. The vulnerability is being exploited in the wild using specially crafted Microsoft Office documents that achieve remote code execution once a user opens the file.
Because each lure document is specially crafted and had not been seen before, signature-based detection has nothing to match against. Most government departments and commercial organizations around the world still rely solely on detection-based solutions to protect against file-based threats, which leaves those deployments unable to block CVE-2023-36884 exploit documents until a signature for each new variant exists.
A Russia-based cybercriminal group tracked as Storm-0978 (also known as RomCom) has used the CVE-2023-36884 exploit to target government departments, including attendees of the Ukrainian World Congress.
The lure documents posed as information relevant to the Ukrainian World Congress event, but were designed to deliver the RomCom backdoor and deploy Underground ransomware once opened.
The lure was a DOCX file carrying an embedded RTF document, which in turn carried an Object Linking and Embedding (OLE) object that triggered the exploit. According to research by BlackBerry, when the OLE object was rendered inside the container document it reached out to the attacker-controlled IP address 104.234.239[.]26 to fetch the second-stage payload: another Word document containing an iframe tag.
Protect against the CVE-2023-36884 Exploit with Zero Trust file protection from Glasswall CDR
While detection-based solutions, apart from Microsoft Defender for Office 365, have been largely ineffective against this exploit, security teams need not wait for signature updates. Microsoft has published several mitigations, such as the Attack Surface Reduction rule that blocks Office applications from creating child processes, but deploying them can be time consuming or outside the scope of some enterprise setups. Our zero-trust CDR technology is fast to deploy and protects organizations and government departments against complex file-based threats immediately, including threats that have never been observed before, without relying on temporary mitigations.
Our patented CDR technology treats every file as untrusted and applies our four-step process to each file it encounters, rebuilding the file to a 'known-good' standard.
In this use case the Glasswall Embedded Engine can be called to sanitize the document, removing the RTF document embedded within the DOCX file.
Depending on the end user's policy, every document of this type can be processed by the Glasswall Embedded Engine. Once a document has been processed, the potential for embedded, and therefore potentially malicious, files to exist within it has been removed.
The document is then rebuilt to the manufacturer's known-good specification, so the output opens without compatibility issues.
Our CDR technology also performs cascading analysis: every component embedded within a file is analysed, and so is every component embedded within those. This is an effective general method of applying zero-trust file protection to documents that carry embedded files.
No element of the file escapes analysis, sanitization or removal, which protects you comprehensively against exploits of the Office and Windows HTML remote code execution vulnerability CVE-2023-36884.
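As an added illustration of the rebuild described above (example code written for this page, not Glasswall's engine or its API), the Python below takes a DOCX, keeps only the parts a plain Word document needs, drops every embedded object together with the `<w:object>` element and the relationship that reference it, and reports what it removed. The allow-list of parts, the sample document and the placeholder RTF payload are assumptions constructed for the example; the sample contains no exploit.

```python
"""Added example (not Glasswall's code): a minimal CDR-style rebuild of a DOCX.

A DOCX is a ZIP of XML parts. An embedded OLE object (the carrier the lure
documents used for their RTF stage) lives under word/embeddings/ and is wired
into the document by a <w:object> element in word/document.xml plus an
oleObject relationship in word/_rels/document.xml.rels.
"""
import io
import re
import zipfile

# Allow-list of parts a plain Word document legitimately needs. This list is an
# assumption for the example; a production engine works from the full OOXML schema.
ALLOWED_PARTS = re.compile(
    r"^(\[Content_Types\]\.xml|_rels/\.rels|docProps/(app|core)\.xml"
    r"|word/(document|styles|settings|fontTable|numbering|webSettings)\.xml"
    r"|word/_rels/document\.xml\.rels|word/media/[^/]+\.(png|jpe?g|gif))$"
)
# Relationship types that point at embedded or active content.
RISKY_REL = re.compile(r'Type="[^"]*/(oleObject|package|vbaProject|control)"')
OBJECT_XML = re.compile(r"<w:object\b.*?</w:object>", re.S)
RELATIONSHIP_XML = re.compile(r"<Relationship\b[^>]*?/>")
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_P = "http://schemas.openxmlformats.org/package/2006/relationships"


def classify(blob: bytes) -> str:
    """Name an embedded part by its magic bytes, for the rebuild report."""
    if blob.startswith(b"{\\rtf"):
        return "rtf"
    if blob.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "ole-cfb"
    if blob.startswith(b"PK\x03\x04"):
        return "zip-package"
    return "unknown"


def sanitize_docx(data: bytes) -> tuple:
    """Rebuild a DOCX from allowed parts only; return (clean_bytes, report)."""
    removed = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            blob = src.read(name)
            if not ALLOWED_PARTS.match(name):          # embeddings, VBA, ActiveX...
                removed.append(f"part {name} ({classify(blob)})")
                continue
            if name == "word/document.xml":            # drop the <w:object> wrappers
                text, n = OBJECT_XML.subn("", blob.decode("utf-8"))
                if n:
                    removed.append(f"{n} <w:object> element(s) in {name}")
                blob = text.encode("utf-8")
            elif name == "word/_rels/document.xml.rels":  # drop dangling risky rels
                def drop_risky(m):
                    if RISKY_REL.search(m.group(0)):
                        removed.append(f"relationship {m.group(0)}")
                        return ""
                    return m.group(0)
                blob = RELATIONSHIP_XML.sub(drop_risky, blob.decode("utf-8")).encode("utf-8")
            dst.writestr(name, blob)
    return out.getvalue(), removed


def read_parts(data: bytes) -> dict:
    """Return {part name: bytes} for a DOCX, to inspect a rebuild result."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {n: zf.read(n) for n in zf.namelist()}


def build_lure_like_docx() -> bytes:
    """Constructed sample: one benign paragraph plus an embedded RTF OLE object."""
    parts = {
        "[Content_Types].xml": '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Default Extension="bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/></Types>',
        "_rels/.rels": f'<Relationships xmlns="{NS_P}"><Relationship Id="rId1" '
        f'Type="{NS_R}/officeDocument" Target="word/document.xml"/></Relationships>',
        "word/document.xml": '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        f'xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="{NS_R}"><w:body>'
        '<w:p><w:r><w:t>Agenda for the summit</w:t></w:r></w:p>'
        '<w:p><w:r><w:object><o:OLEObject Type="Embed" ProgID="Word.Document.8" r:id="rId2"/></w:object></w:r></w:p>'
        '</w:body></w:document>',
        "word/_rels/document.xml.rels": f'<Relationships xmlns="{NS_P}">'
        f'<Relationship Id="rId1" Type="{NS_R}/styles" Target="styles.xml"/>'
        f'<Relationship Id="rId2" Type="{NS_R}/oleObject" Target="embeddings/oleObject1.bin"/></Relationships>',
        "word/styles.xml": '<w:styles xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>',
        "word/embeddings/oleObject1.bin": "{\\rtf1\\ansi placeholder RTF stage, not a real exploit}",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    clean, report = sanitize_docx(build_lure_like_docx())
    for item in report:
        print("removed:", item)
    print("kept:", sorted(read_parts(clean)))
```

Running the block prints the three removals (the RTF embedding, its `<w:object>` wrapper and its oleObject relationship) and the five retained parts; a second pass over the output removes nothing, which is the "known-good" property a rebuild should have. The regex handling of XML and the residual `.bin` Default entry in `[Content_Types].xml` are shortcuts for brevity; a real engine parses the parts against the schema and would also recurse into an embedded package with the same routine rather than only dropping it.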
 - BlackBerry Threat Research (July 2023): https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit