China-linked hackers are exploiting a new vulnerability in Microsoft Office

A newly discovered vulnerability in Microsoft Office is already being exploited by Chinese government-linked hackers, according to a threat analysis investigation by security firm Proofpoint.

Details shared by Proofpoint on Twitter suggest that a hacking group tracked as TA413 used the vulnerability (dubbed “Follina” by investigators) in malicious Word documents that purported to come from the Tibetan Central Administration, the Tibetan government in exile based in Dharamsala, India. TA413 is an APT actor, or “advanced persistent threat,” that is believed to be linked to the Chinese government and has previously targeted the exiled Tibetan community.

More broadly, Chinese hackers have a history of using software security flaws to target Tibetans. A report released by Citizen Lab in 2019 documented extensive targeting of Tibetan political figures with spyware, including through exploits of the Android browser and malicious links sent via WhatsApp. Browser extensions have also been weaponized for this purpose: an earlier Proofpoint analysis uncovered a malicious Firefox add-on used to spy on Tibetan activists.

The Microsoft Word vulnerability began to receive widespread attention on May 27, when a security research group known as Nao Sec took to Twitter to discuss a sample uploaded to the online malware scanning service VirusTotal. Nao Sec’s tweet noted that the malicious code was delivered through Microsoft Word documents and ultimately used to execute commands via PowerShell, a powerful system administration tool for Windows.

In a blog post published on May 29, researcher Kevin Beaumont shared more details about the vulnerability. According to Beaumont’s analysis, the vulnerability allows a maliciously crafted Word document to load HTML files from a remote web server and then execute PowerShell commands by hijacking the Microsoft Support Diagnostic Tool (MSDT), a program that normally collects information about crashes and other problems with Microsoft applications.
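A document that reaches out to a remote web server the moment it is opened, as described above, has to reference that server somewhere in its structure. As a defender-side triage aid, the following added example (not code from the article, Proofpoint, Beaumont or Microsoft) unpacks a .docx, which is a zip of OOXML parts, and lists every relationship in `word/_rels/*.rels` marked `TargetMode="External"`, flagging those that are not ordinary hyperlinks. It assumes the remote reference is expressed as an external OOXML relationship (an assumption for this illustration) and builds its own minimal, constructed sample document in memory, so it runs offline and touches no real malware.

```python
"""Triage a .docx for external OOXML relationships (added example)."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

# Relationship kinds that point outside the package in perfectly normal
# documents; everything else that is External deserves a closer look.
BENIGN_EXTERNAL_TYPES = {"hyperlink"}


def external_relationships(docx_bytes):
    """Return (rels_part, relationship_kind, target) for every relationship
    under word/_rels/ whose TargetMode is External, i.e. whose target lives
    outside the .docx container (a URL, UNC path or other URI)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not (part.startswith("word/_rels/") and part.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                # Type is a URI whose last path segment names the kind.
                kind = rel.get("Type", "").rstrip("/").rsplit("/", 1)[-1]
                findings.append((part, kind, rel.get("Target", "")))
    return findings


def suspicious_relationships(docx_bytes):
    """Heuristic: an external relationship that is not a plain hyperlink
    (for example an embedded object whose content is fetched from a server
    when the document opens) is what a reviewer should inspect first."""
    return [f for f in external_relationships(docx_bytes)
            if f[1] not in BENIGN_EXTERNAL_TYPES]


# --- constructed fixture: a minimal .docx assembled in memory for the demo ---
_CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    '</Types>')
_ROOT_RELS = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
    '</Relationships>')
_DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body><w:p><w:r><w:t>constructed sample</w:t></w:r></w:p></w:body></w:document>')
_SAMPLE_RELS = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    # An ordinary hyperlink: external by design and expected in everyday documents.
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.com/" TargetMode="External"/>'
    # An embedded object whose content comes from a remote server (constructed;
    # the host uses the reserved .invalid TLD and resolves nowhere).
    '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://remote.example.invalid/page.html" TargetMode="External"/>'
    '</Relationships>')


def build_sample_docx():
    """Write the constructed parts into a zip container laid out like a .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", _CONTENT_TYPES)
        zf.writestr("_rels/.rels", _ROOT_RELS)
        zf.writestr("word/document.xml", _DOCUMENT_XML)
        zf.writestr("word/_rels/document.xml.rels", _SAMPLE_RELS)
    return buf.getvalue()


if __name__ == "__main__":
    for part, kind, target in suspicious_relationships(build_sample_docx()):
        print(f"{part}: external {kind} -> {target}")
```

Point `external_relationships` at the bytes of any real .docx to list its outbound references; the hyperlink allow-list is a starting heuristic, and a mail gateway or sandbox would normally pair this with a check of where those targets resolve.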

Microsoft has now acknowledged the vulnerability, officially designated CVE-2022-30190, although there have been reports that earlier attempts to notify Microsoft of the same bug were rejected.

According to Microsoft’s own security response blog, an attacker who successfully exploits the vulnerability could install programs; view, change, or delete data; and even create new user accounts on a compromised system. So far, Microsoft has not released an official patch, but it has published mitigation guidance that involves manually disabling the MSDT tool’s URL protocol handler.

Because Microsoft Office and related products are so widely used, the potential attack surface for the vulnerability is large. Current analysis suggests that Follina affects Office 2013, 2016, 2019, 2021, Office ProPlus, and Office 365; and, as of Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency has urged system administrators to apply Microsoft’s guidance to mitigate exploitation.
