Microsoft Security Intelligence
Published Jul 21, 2023 | Updated Jul 21, 2023

Exploit:Script/Teefey.A!dha

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

Microsoft Defender Antivirus protects and detects this threat.

This detection covers exploitation of CVE-2023-36884, a remote code execution vulnerability that was exploited in the wild before it was disclosed to Microsoft. The attacks delivered specially crafted Word documents using lures related to the Ukrainian World Congress.

Microsoft Threat Intelligence identified a phishing campaign conducted by the threat actor tracked as Storm-0978 which involved the abuse of CVE-2023-36884.

For more information about this threat and additional mitigation actions that can be taken, read the Microsoft Threat Intelligence blog: Storm-0978 attacks reveal financial and espionage motives.

What can victims do now?

There is no one-size-fits-all response if you have been targeted by ransomware. To recover files, restore them from backups. Paying the ransom does not guarantee that you will regain access to your files.

Microsoft Defender Antivirus automatically removes threats as they are detected. If you have cloud-delivered protection, your device gets the latest defences against new and unknown threats. If you don't have this feature enabled, update your antimalware definitions, and run a full scan to remove this threat.

CVE-2023-36884 specific recommendations
  • Customers who use Microsoft Defender for Office 365 are protected from attachments that attempt to exploit CVE-2023-36884.
  • In addition, customers who use Microsoft 365 Apps (Versions 2302 and later) are protected from exploitation of the vulnerability via Office.
  • In current attack chains, enabling the Block all Office applications from creating child processes attack surface reduction (ASR) rule prevents the vulnerability from being exploited.
  • Organizations that cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key, with a value for each affected Office application, to avoid exploitation.
    • No OS restart is required, but restarting the applications that have had the registry key added for them is recommended in case the value was already queried and is cached.
    • Note: While these registry settings would mitigate exploitation of this issue, it could affect regular functionality for certain use cases related to these applications. For this reason, we suggest testing. To disable the mitigation, delete the registry key or set it to 0.
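The following PowerShell script is an added example for applying and verifying the two host-level mitigations listed above (the ASR rule and the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key); it is not code from this Microsoft page. It assumes an elevated PowerShell session on a Windows host running Microsoft Defender Antivirus. The registry path under HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl and the per-application value names are taken from the MSRC advisory for CVE-2023-36884 rather than from this page, and the ASR rule GUID is the one Microsoft publishes for "Block all Office applications from creating child processes"; verify both against current Microsoft documentation before deploying. The -Rollback switch implements the "set it to 0" option the page describes for disabling the mitigation, and the -AuditOnly switch puts the ASR rule in audit mode so the page's advice to test first can be followed without blocking.

```powershell
# Added example (not from the Microsoft page). Run from an elevated prompt.
# Registry path and value names follow the MSRC advisory for CVE-2023-36884
# (assumption: confirm against the advisory). ASR rule GUID is Microsoft's
# published ID for "Block all Office applications from creating child processes".
[CmdletBinding()]
param(
    [switch]$Rollback,   # set every per-app value to 0 instead of 1
    [switch]$AuditOnly   # enable the ASR rule in audit mode rather than block
)

$FeaturePath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$OfficeApps  = @('Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe',
                 'PowerPoint.exe', 'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe')
$AsrRuleId   = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Set-CrossProtocolNavigationBlock {
    # Creates the feature-control key if missing and writes one REG_DWORD per
    # application. $Enabled = $true writes 1 (mitigated), $false writes 0.
    param([bool]$Enabled)
    $value = if ($Enabled) { 1 } else { 0 }
    if (-not (Test-Path $FeaturePath)) {
        New-Item -Path $FeaturePath -Force | Out-Null
    }
    foreach ($app in $OfficeApps) {
        New-ItemProperty -Path $FeaturePath -Name $app -Value $value `
                         -PropertyType DWord -Force | Out-Null
    }
}

function Test-CrossProtocolNavigationBlock {
    # Returns the names of applications that are NOT mitigated (value absent
    # or not equal to 1). An empty result means the mitigation is complete.
    if (-not (Test-Path $FeaturePath)) { return $OfficeApps }
    $props = Get-ItemProperty -Path $FeaturePath
    return @($OfficeApps | Where-Object { $props.$_ -ne 1 })
}

function Enable-OfficeChildProcessAsrRule {
    # Adds or updates the ASR rule. Defender action names: Enabled = block,
    # AuditMode = log only (useful for the testing the page recommends).
    param([bool]$Audit)
    $action = if ($Audit) { 'AuditMode' } else { 'Enabled' }
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRuleId `
                     -AttackSurfaceReductionRules_Actions $action
}

function Get-OfficeChildProcessAsrRuleState {
    # Reads back the configured action for the rule: 0 = disabled, 1 = block,
    # 2 = audit, 6 = warn; $null if the rule is not configured at all.
    $pref = Get-MpPreference
    $idx  = [array]::IndexOf($pref.AttackSurfaceReductionRules_Ids, $AsrRuleId)
    if ($idx -lt 0) { return $null }
    return $pref.AttackSurfaceReductionRules_Actions[$idx]
}

if ($Rollback) {
    Set-CrossProtocolNavigationBlock -Enabled $false
    Write-Host "Registry mitigation disabled (values set to 0)."
} else {
    Set-CrossProtocolNavigationBlock -Enabled $true
    Enable-OfficeChildProcessAsrRule -Audit $AuditOnly
    $missing = Test-CrossProtocolNavigationBlock
    if ($missing.Count -eq 0) {
        Write-Host "Registry mitigation applied for all $($OfficeApps.Count) applications."
    } else {
        Write-Warning "Registry mitigation incomplete for: $($missing -join ', ')"
    }
    Write-Host "ASR rule $AsrRuleId action code: $(Get-OfficeChildProcessAsrRuleState)"
}

# The page notes that applications cache the feature-control value, so list any
# affected processes still running that must be restarted for the change to apply.
$running = Get-Process -Name ($OfficeApps -replace '\.exe$', '') -ErrorAction SilentlyContinue
if ($running) {
    Write-Warning ("Restart these processes for the setting to take effect: " +
                   (($running.ProcessName | Sort-Object -Unique) -join ', '))
}
```

No OS restart is needed, matching the page; the script only flags running Office processes because a process that already queried the feature-control key keeps the cached answer until it is restarted. Roll the mitigation out in audit mode first (-AuditOnly) and review Defender's ASR audit events before switching to block, since the page warns that both settings can affect legitimate workflows.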