Evaluate your Windows Endpoints for Storm-0978 activity with Qualys Endpoint Security


Published: 18 July 2023


On July 11, Microsoft released security bulletins to fix 132 vulnerabilities. 

With the July Patch Tuesday, Microsoft also fixed six zero-day vulnerabilities. For your quick reference, the following are the zero-day vulnerabilities:

CVE-2023-32046 – Windows MSHTML Platform Elevation of Privilege Vulnerability

CVE-2023-32049 – Windows SmartScreen Security Feature Bypass Vulnerability

CVE-2023-36874 – Windows Error Reporting Service Elevation of Privilege Vulnerability

CVE-2023-36884 – Office and Windows HTML Remote Code Execution Vulnerability

CVE-2023-35311 – Microsoft Outlook Security Feature Bypass Vulnerability

ADV230001 – Guidance on Microsoft Signed Drivers Being Used Maliciously

The Qualys Threat Research Unit (TRU) finds CVE-2023-36884 particularly interesting. Microsoft attributes this vulnerability to a threat actor named Storm-0978/RomCom. Additionally, given the nature of these vulnerabilities, there is a high chance that a threat actor will chain CVE-2023-32049 and CVE-2023-35311 with CVE-2023-36884.

What is interesting about this threat actor, which is attributed to the Russian region, is that the group employs clever tactics to stay under the radar. It also runs ransomware-laced activities, which may help its real espionage goals remain undetected.

More surprising is that no patch has been released for this vulnerability. Microsoft notes that Microsoft Defender for Office 365 already protects against it, and that enabling the attack surface reduction (ASR) rule “Block all Office applications from creating child processes” mitigates exploitation.
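As an added example (not Qualys's or Microsoft's code), the following PowerShell reports whether the ASR rule above is enforced in Block mode on a Windows host and lists recent ASR events for it. It assumes Microsoft Defender Antivirus is the active engine, that the script runs elevated, and that the ASR event message carries the rule ID; the rule GUID is the one Microsoft documents for this rule.

```powershell
# Added example: audit the Defender ASR rule "Block all Office applications from
# creating child processes" and surface recent ASR events for it.
# Assumptions: Microsoft Defender Antivirus is active and this runs elevated.
# GUID is the Microsoft-documented ID for this ASR rule.
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# ASR action codes as returned by Get-MpPreference
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-OfficeChildProcRuleState {
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $OfficeChildProcRule) {
            $code = [int]$acts[$i]
            return [pscustomobject]@{ RuleId = $ids[$i]; Action = $ActionName[$code]; Code = $code }
        }
    }
    # Rule absent from the configured list: Defender treats it as disabled
    return [pscustomobject]@{ RuleId = $OfficeChildProcRule; Action = 'NotConfigured'; Code = -1 }
}

# Recent ASR block (1121) / audit (1122) events for this rule from the Defender operational log.
# Assumption: the event message text includes the rule GUID.
function Get-OfficeChildProcRuleEvents([int]$Days = 7) {
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $OfficeChildProcRule } |
        Select-Object TimeCreated, Id, Message
}

$state = Get-OfficeChildProcRuleState
Write-Host ("ASR rule {0}: {1}" -f $state.RuleId, $state.Action)

if ($state.Code -ne 1) {
    Write-Warning 'Office child-process ASR rule is not in Block mode; the CVE-2023-36884 mitigation is not enforced.'
    # Uncomment to enforce (Add-MpPreference merges with existing ASR rules rather than replacing them):
    # Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule -AttackSurfaceReductionRules_Actions Enabled
}

Get-OfficeChildProcRuleEvents -Days 7 | Format-Table -AutoSize
```

Running it in Audit mode first (action code 2) lets you see which Office-spawned processes would be blocked before switching to Block.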

About Patch Tuesday

Patch Tuesday (also known as Update Tuesday) is an unofficial term used to refer to when Microsoft, Adobe, Oracle, and others regularly release software patches for their software products. It is widely referred to in this way by the industry. Microsoft formalized Patch Tuesday in October 2003. Patch Tuesday occurs on the second Tuesday of each month.

Security implication

An obvious security implication is that security problems that have a solution are withheld from the public for up to a month. This policy is adequate when the vulnerability is not widely known or is extremely obscure, but that is not always the case.

There have been cases where vulnerability information became public or worms were circulating before the next scheduled Patch Tuesday. In critical cases Microsoft issues corresponding patches as they become ready, alleviating the risk if updates are checked for and installed frequently.

About Qualys Endpoint Security

Endpoint security comprises the cybersecurity technologies focused on defending endpoints from malware and ransomware. An endpoint is any connected device, such as a desktop, laptop, mobile device, operational technology (OT) or IoT node.

Common endpoint security solutions include endpoint protection platforms (EPP), endpoint detection and response (EDR), extended detection and response (XDR) and managed detection and response (MDR).

Qualys offers Multi-Vector EDR and Context XDR, both of which include endpoint protection platform (EPP) functionality.

Learn more about Qualys' Endpoint Security Solutions and which one is right for your organization.
