Microsoft's Threat Intelligence team reported that organizations attending this week's NATO Summit were targeted by the Russian cybercrime operation Storm-0978, also known as RomCom, in new attacks exploiting an unpatched zero-day in various Windows and Office products, tracked as CVE-2023-36884, BleepingComputer reports.
Attacks exploiting the flaw, which could result in remote code execution, began last month, according to Microsoft's report.
The findings come after separate reports from Ukraine's Computer Emergency Response Team and BlackBerry's Research & Intelligence Team detailed intrusions in which the attackers impersonated the Ukrainian World Congress to deliver RomCom and the MagicSpell loader. Microsoft noted that organizations using Defender for Office, and those that have enabled the "Block all Office applications from creating child processes" Attack Surface Reduction rule, are protected from attacks using the flaw; those without these defenses were advised to add certain application names to a registry key while waiting for an official patch.
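The Attack Surface Reduction rule named above is a Defender setting that an administrator can audit and enable from PowerShell. The script below is an added example written for this summary; it is not from Microsoft's advisory or from BleepingComputer. It assumes a Windows host with Microsoft Defender Antivirus and the `Defender` PowerShell module, and it uses the rule's documented GUID (D4F940AB-401B-4EFC-AADC-AD5F3C50688A, "Block all Office applications from creating child processes"). The registry-key mitigation mentioned in the text is deliberately not encoded here, because the key and the application names it takes are not given on this page.

```powershell
# Audit and enable the ASR rule "Block all Office applications from creating child processes".
# Added example for this summary; not code from the advisory or the article.
# Assumes: Microsoft Defender Antivirus is the active AV and the Defender module is available.

$OfficeChildProcessRuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'  # documented rule GUID

function Get-OfficeChildProcessRuleState {
    # Returns 'Enabled', 'Audit', 'Warn', or 'Disabled' for the rule on this host.
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)

    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $OfficeChildProcessRuleId) {
            # Action codes as reported by Get-MpPreference: 0 Disabled, 1 Block, 2 Audit, 6 Warn.
            switch ([int]$acts[$i]) {
                1 { return 'Enabled' }
                2 { return 'Audit' }
                6 { return 'Warn' }
                default { return 'Disabled' }
            }
        }
    }
    return 'Disabled'  # rule not configured at all
}

function Enable-OfficeChildProcessRule {
    param(
        # Use 'AuditMode' first on hosts where the impact is unknown; 'Enabled' blocks.
        [ValidateSet('Enabled', 'AuditMode')]
        [string]$Mode = 'Enabled'
    )
    Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcessRuleId `
                     -AttackSurfaceReductionRules_Actions $Mode
}

# Usage: report the current state, then turn the rule on if it is not already blocking.
$state = Get-OfficeChildProcessRuleState
Write-Host "ASR rule $OfficeChildProcessRuleId state: $state"
if ($state -ne 'Enabled') {
    Enable-OfficeChildProcessRule -Mode 'Enabled'
    Write-Host "Now: $(Get-OfficeChildProcessRuleState)"
}
```

Running the rule in audit mode first and reviewing the resulting Defender events is the usual way to find line-of-business macros or add-ins that legitimately spawn child processes before switching to block mode. Hosts managed by Intune or Group Policy may have the setting overridden by policy, so the reported state should be confirmed against the management console as well.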
Aside from featuring over 40 million signals from the DNS Research Federation's data platform and the Global Anti-Scam Alliance's comprehensive stakeholder network, the Global Signal Exchange will also contain more than 100,000 bad merchant URLs and one million scam signals from Google.
While some threat actors established fraudulent disaster relief websites as part of phishing attacks aimed at exfiltrating financial details and Social Security numbers from individuals seeking aid, others impersonated Federal Emergency Management Agency assistance providers to create fake claims that enabled relief fund and personal data theft.
Malicious GitHub pages and YouTube videos containing links to purported cracked office software, automated trading bots, and game cheats have been used to distribute self-extracting, password-protected archives.