Storm-0978 Attacks Detection: russia-linked Hackers Exploit CVE-2023-36884 to Spread a Backdoor Targeting Defense and Public Sector Organizations 

Storm-0978 aka DEV-0978

Cybersecurity researchers have unveiled a new offensive operation launched by the russia-backed Storm-0978 aka DEV-0978 group, which is also tracked as RomCom based on the name of the nefarious backdoor they are associated with. In this campaign, hackers are targeting defense organizations and public authorities in Europe and North America leveraging the phishing attack vector by exploiting a RCE vulnerability CVE-2023-36884 and the Ukrainian World Congress-related lures. 

Detecting Storm-0978 Attacks

With the growing volumes of malicious operations attributed to the Storm-0978 russia-backed hacking group known for a series of attacks against Ukraine and its allies, defenders are looking for ways to strengthen their cyber resilience. To help organizations timely detect the latest phishing campaign related to the abuse of the CVE-2023-36884 flaw, SOC Prime team curates a relevant Sigma rule available by a link below:

Suspicious MSOffice Child Process (via cmdline)

This Sigma rule is tailored for 20+ SIEM, EDR, XDR, and Data Lake solutions and mapped to MITRE ATT&CK addressing the Initial Access and Execution tactics along with relevant Phishing (T1566) and Exploitation for Client Execution (T1203) techniques.  

To obtain the comprehensive list of Sigma rules for Storm-0978 attack detection, click the Explore Detections button below. For simplified detection content search, all relevant Sigma rules are filtered by the custom tags “Storm-0978” or “DEV-0978”. Gain insights into the in-depth cyber threat context behind the group’s attacks, check our CTI and ATT&CK references, explore mitigations, and delve into more actionable metadata to shave minutes off your threat research.

Explore Detections

Cyber defenders can also reach the entire Sigma rule stack for RomCom detection to proactively defend against any existing and emerging threats associated with this malware and linked to the adversaries responsible for its distribution.  

Storm-0978 Attacks Analysis: Cyber-Espionage and Ransomware Activity 

Microsoft research team has uncovered a new phishing campaign by the Storm-0978 group aka DEV-0978 targeting defense organizations and public sector entities. Threat actors abuse CVE-2023-36884 zero-day exploited in the wild, the RCE vulnerability in Microsoft Windows and Office with a CVSS score of 8.3, which has been added to Microsoft’s July 2023 Patch. In the latest adversary campaign, attackers take advantage of the lures linked to the Ukrainian World Congress.

Storm-0978 is a russia-linked group that has been launching multiple ransomware operations and malicious campaigns aimed at intelligence gathering and stealing sensitive data. The hacking collective is also known as the developers and distributors of the RomCom backdoor. In autumn 2022, the Ukrainian state bodies were also the target RomCom malware infection due to a targeted phishing campaign reported by CERT-UA. DEV-0978 is also tracked as RomCom based on the corresponding malicious strains they are behind. In the latest summer’23 campaign, the exploitation of CVE-2023-36884 leads to the spreading of a backdoor similar to RomCom. 

Storm-0978 activity mainly reveals financial and cyber-espionage motives behind their offensive operations with different industry sectors used as the primary targets. As for the espionage-related campaigns, Storm-0978 threat actors are observed to target state bodies and military organizations in Ukraine as well as their allies abusing the phishing attack vector and exploiting Ukraine-related political topics as lures. While Storm-0978 ransomware activity is mainly targeted at the telecom sector and financial entities.

As for adversary TTPs used in attacks, the group leverages Trojanized versions of legitimate software to deploy RomCom malware and registers malicious domains disguised as legit utilities. 

RomCom operators have launched a set of cyber-espionage operations since the second half of 2022. Apart from the latest June campaign weaponizing CVE-2023-36884, Storm-0978 actors were also behind a wave of phishing attacks against Ukrainian officials, specifically targeting the DELTA system users and spreading FateGrab/StealDeal malware in early 2022. Another adversary campaign took place in mid-autumn 2022 with the group generating fraudulent installer websites targeting Ukrainian military and public sector organizations and spreading RomCom to gain user credentials.

Microsoft has issued a list of recommended mitigation measures to help organizations remediate the threat related to the CVE-2023-36884 exploitation attempts. Companies leveraging Microsoft Defender for Office won’t be impacted, however, other clients might be facing the risks of potential attacks. Leveraging the Attack Surface Reduction Rule that prevents all Office applications from generating child processes will hinder adversary exploitation attempts. Another mitigation step that can be applied involves configuring the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key.  

Explore SOC Prime Platform for collective cyber defense to access the world’s largest repo of Sigma rules and equip your team with Uncoder AI and Attack Detective to make your detection engineering procedures faster and simpler, timely identify blind spots in your infrastructure, and prioritize your hunting operations for a bullet-proof cybersecurity posture.

The post Storm-0978 Attacks Detection: russia-linked Hackers Exploit CVE-2023-36884 to Spread a Backdoor Targeting Defense and Public Sector Organizations  appeared first on SOC Prime.