Microsoft discovers Storm-0978 phishing campaign

Threat actor exploits vulnerability to deliver backdoor, highlighting cybersecurity risks

Microsoft has recently uncovered a sophisticated phishing campaign conducted by a threat actor known as Storm-0978, which specifically targeted defence and government entities in Europe and North America. The campaign involved the exploitation of a remote code execution vulnerability (CVE-2023-36884) before it was disclosed to Microsoft. The actor used Word documents with lures related to the Ukrainian World Congress to carry out the attacks.

Storm-0978, also referred to as RomCom by other vendors, is a cybercriminal group based in Russia that has been previously associated with ransomware and extortion operations. They have also conducted targeted campaigns to gather credentials, likely in support of intelligence operations. The group is known for developing and distributing the RomCom backdoor, as well as deploying the Underground ransomware, which has similarities to the Industrial Spy ransomware observed in 2022. The latest campaign, detected in June 2023, involved the exploitation of CVE-2023-36884 to deliver a backdoor with characteristics resembling RomCom.

The primary targets of Storm-0978 have been government and military organizations, particularly those involved in Ukrainian affairs. They have also conducted ransomware attacks affecting industries such as telecommunications and finance.

Microsoft’s detection tools, including Microsoft 365 Defender and Microsoft Defender for Office 365, can identify various stages of Storm-0978’s activities. Customers utilizing these tools are protected from attachments attempting to exploit CVE-2023-36884. Additionally, Microsoft 365 Apps (Versions 2302 and later) safeguard users against vulnerability exploitation through Office. Organizations without these protections can mitigate the risk by setting the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key. Microsoft provides further recommendations for mitigation in their blog post.

Storm-0978’s phishing operations often employ lures related to Ukrainian political affairs, with a focus on military and government bodies in Europe. Following successful compromises, the group distributes backdoors to target organizations and potentially harvests credentials for future operations.

In financially motivated attacks involving ransomware, Storm-0978 utilizes the Industrial Spy and Underground ransomware strains, often accessing credentials by extracting password hashes from the Windows registry. The attackers then employ various tools, including SMBExec and WMIExec functionalities, for lateral movement.

While the genAI landscape is not without risks, particularly in regulated industries like pharma and healthcare, significant advancements and benefits are anticipated. Challenges such as bias, discrimination, and privacy must be mitigated through governance. It is crucial for organizations to collaborate with industry experts who possess both the industry perspective and technological expertise at the intersection of responsible AI to fully leverage the potential of recent technological breakthroughs.

 

Tags:

Leave a Comment

Related posts