China-backed hackers are exploiting unpatched Microsoft zero-day
China-backed hackers are exploiting an unpatched Microsoft Office zero-day vulnerability, known as “Follina”, to execute malicious code remotely on Windows systems.
The high-severity vulnerability -- tracked as CVE-2022-30190 -- is being used in attacks to execute malicious PowerShell commands via the Microsoft Diagnostic Tool (MSDT) when opening or previewing specially crafted Office documents. The flaw, which affects 41 Microsoft products, including Windows 11 and Office 365, works without elevated privileges, bypasses Windows Defender detection and does not need macro code to be enabled to execute binaries or scripts.
The zero-day can also circumvent Microsoft’s Protected View feature, an Office tool that warns against potentially malicious files and documents. Huntress researchers warned that converting the document to a Rich Text Format (RTF) file could allow attackers to bypass this warning and also enables the exploit to be triggered with a hover-preview of a downloaded file that does not require any clicks.
Microsoft has warned that the flaw could enable threat actors to install programs, delete data and create new accounts in the context allowed by the user’s rights.
Cybersecurity researchers observed hackers exploiting the flaw to target Russian and Belarussian users since April, and Enterprise security firm Proofpoint said this week that a Chinese state-sponsored hacking group has been exploiting the zero-day in attacks targeting the international Tibetan community.
"TA413 CN APT spotted [in-the-wild] exploiting the Follina zero-day using URLs to deliver ZIP archives which contain Word Documents that use the technique," Proofpoint said in a tweet. "Campaigns impersonate the 'Women Empowerments Desk' of the Central Tibetan Administration and use the domain tibet-gov.web[.]app".
Proofpoint tells TechCrunch that it has previously observed the TA413 threat actor -- also tracked as "LuckyCat" and "Earth Berberoka" -- targeting Tibetan organizations through the use of malicious browser extensions and COVID-19-themed espionage campaigns.
The Follina zero-day was initially reported to Microsoft on April 12, after Word documents -- which pretended to be from Russia’s Sputnik news agency offering recipients a radio interview -- were found abusing the flaw in the wild. However, Shadow Chaser Group's crazyman, the researcher who first reported the zero-day, said Microsoft initially tagged the flaw as not a "security-related issue". The tech giant later informed the researcher that the “issue has been fixed,” but a patch does not appear to be available.
TechCrunch asked Microsoft when a patch would be released but the company refused to answer. However, a spokesperson said that the company had issued guidance which advises admins that they can block attacks exploiting CVE-2022-30190 by disabling the MSDT URL protocol, along with the Preview pane in Windows Explorer.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on Tuesday urging users and administrators to review Microsoft's guidance and apply the necessary workarounds.
Updated with comment from Microsoft