CISA directs government agencies to address Windows and Office zero-days

Devesh Beri

As reported by BleepingComputer, the Cybersecurity and Infrastructure Security Agency (CISA) has directed federal agencies to address a remote code execution zero-day vulnerability exploited by the Russia-linked RomCom cybercriminal group in NATO-themed phishing attacks. The flaw, tracked as CVE-2023-36884, is now listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

Under Binding Operational Directive BOD 22-01, issued in November 2021, U.S. Federal Civilian Executive Branch (FCEB) agencies must secure their Windows and Office installations against attacks using CVE-2023-36884. Agencies have until August 8th to apply the mitigation measures that Microsoft published a week earlier in its July 2023 Patch Tuesday advisory.

Microsoft has committed to delivering a patch for the vulnerability either through the regular monthly release process or as an out-of-band security update. Until then, Microsoft says customers using Microsoft Defender for Office 365 are protected from malicious attachments that attempt to exploit CVE-2023-36884, as are customers running Microsoft 365 Apps version 2302 or later and those who have enabled the attack surface reduction rule "Block all Office applications from creating child processes".

Customers without these protections can block the known attack chain by adding the names of the affected Office processes as values under the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key. Microsoft cautions that this may break some functionality in the affected Office applications, so the change should be tested before wide deployment and can be removed once the patch is installed.
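The following PowerShell script is an added example of how an administrator could apply, verify and roll back that registry mitigation on a single host. It is not code from the article, from CISA or from Microsoft. The key path and the list of process names are taken from Microsoft's published mitigation guidance for CVE-2023-36884 and are not stated on this page; check them against the current advisory before use.

```powershell
# Added example: manage the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION
# mitigation for CVE-2023-36884 on the local machine.
# Assumption: key path and process list follow Microsoft's mitigation guidance.
# Run from an elevated PowerShell session (the key lives under HKLM\...\Policies).
[CmdletBinding()]
param(
    [ValidateSet('Apply', 'Verify', 'Rollback')]
    [string]$Action = 'Verify'
)

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'

# Office executables named in Microsoft's guidance; each gets a REG_DWORD value of 1.
$Processes = @(
    'Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
    'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe'
)

function Set-CrossProtocolBlock {
    # Create the key if needed and set every process name to 1 (block enabled).
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    foreach ($p in $Processes) {
        New-ItemProperty -Path $KeyPath -Name $p -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Remove-CrossProtocolBlock {
    # Remove only the values this script manages; leave any other policy values intact.
    if (-not (Test-Path -Path $KeyPath)) { return }
    foreach ($p in $Processes) {
        Remove-ItemProperty -Path $KeyPath -Name $p -ErrorAction SilentlyContinue
    }
}

function Test-CrossProtocolBlock {
    # Return the process names that are NOT yet blocked; an empty list means fully applied.
    $missing = @()
    foreach ($p in $Processes) {
        $item = Get-ItemProperty -Path $KeyPath -Name $p -ErrorAction SilentlyContinue
        if ($null -eq $item -or $item.$p -ne 1) { $missing += $p }
    }
    return $missing
}

switch ($Action) {
    'Apply'    { Set-CrossProtocolBlock;    Write-Host "Mitigation applied." }
    'Rollback' { Remove-CrossProtocolBlock; Write-Host "Mitigation removed." }
    'Verify'   { }
}

$missing = Test-CrossProtocolBlock
if ($missing.Count -eq 0) {
    Write-Host "CVE-2023-36884 registry mitigation is in place for all $($Processes.Count) processes."
} else {
    Write-Warning "Mitigation missing for: $($missing -join ', ')"
}
```

Run it as `.\Mitigate-36884.ps1 -Action Apply` on a test machine first, then exercise the Office workflows that matter to you (in particular opening documents through hyperlinks, which this feature control restricts) before pushing the same values out through Group Policy. Keeping the apply and rollback logic in one script makes it easy to remove the values once the real patch is deployed; `Verify` is the mode you would wire into a compliance check for the August 8th deadline.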

While the directive binds only U.S. federal agencies, CISA advises private organizations to prioritize patching every vulnerability in the KEV catalog, warning that malicious cyber actors frequently exploit these vulnerabilities and that they pose significant risk to government and private entities alike.

Microsoft has confirmed that CVE-2023-36884 was exploited as a zero-day in targeted attacks against government entities in Europe and North America.

Taken together, the KEV listing and Microsoft's confirmation of in-the-wild exploitation make CVE-2023-36884 a priority: organizations should apply the mitigation now and the patch as soon as it is released, rather than waiting for the federal deadline.