Windows MSDT zero-day now exploited by Chinese APT hackers

China-linked threat actors are actively exploiting a Microsoft Office zero-day vulnerability (known as “Follina”) to remotely run malicious code on Windows systems.

This Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability (tracked as CVE-2022-30190) affects all Windows client and server platforms that still receive security updates (Windows 7 or later and Windows Server 2008 or later).

crazyman, the Shadow Chaser Group researcher who first reported the zero-day in April, said Microsoft initially labeled the flaw a “security issue,” but later closed the vulnerability submission report with a remote code execution impact.

Actively exploited in the wild

The TA413 APT group, a hacking group aligned with the interests of the Chinese state, has adopted this vulnerability in attacks against its favorite target, the international Tibetan community.

As Proofpoint security researchers observed on May 30, the group now uses CVE-2022-30190 exploits to execute malicious code via the MSDT protocol when targets open or preview Word documents delivered inside ZIP archives.

TA413 Malicious Word Document (Proofpoint)

“TA413 CN APT spotted ITW exploiting the Follina 0Day using URLs to deliver Zip files containing Word documents that use this technique,” enterprise security firm Proofpoint revealed today.

“Campaigns impersonate the Central Tibetan Administration’s ‘Women’s Empowerment Desk’ and use the domain tibet-gov.web[.]app.”

Security researcher MalwareHunterTeam also spotted DOCX documents with Chinese filenames being used to install malicious payloads, detected as password-stealing trojans, via http://coolrat[.]xyz.

Image: BleepingComputer

Mitigation available

“An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application,” Microsoft explained in new guidance released today to provide administrators with mitigation measures.

“The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”

You can block attacks that exploit CVE-2022-30190 by disabling the MSDT URL protocol, which malicious actors abuse to launch troubleshooters and execute code on vulnerable systems.

Disabling the Windows Explorer preview pane is also recommended, since it is another attack vector that can be exploited when targets preview malicious documents.
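The MSDT URL protocol mitigation described above, as an added PowerShell example that is not part of the article or of Microsoft's guidance. It assumes the protocol handler is registered at HKEY_CLASSES_ROOT\ms-msdt and that the script runs in an elevated session; the key is exported before removal so it can be restored once a patch is applied.

```powershell
# Added example: back up and remove the ms-msdt: URL protocol handler.
# Assumption: the handler lives at HKEY_CLASSES_ROOT\ms-msdt and this
# script runs as an administrator.

$handlerKey = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$backupFile = Join-Path $env:TEMP 'ms-msdt-backup.reg'

function Test-MsdtHandler {
    # $true while the ms-msdt: protocol is still registered (still vulnerable).
    return Test-Path $handlerKey
}

function Disable-MsdtHandler {
    if (-not (Test-MsdtHandler)) {
        Write-Host 'ms-msdt: handler already absent; nothing to do.'
        return
    }
    # Export first so the handler can be restored after the fix ships.
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $backupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Backup to $backupFile failed; handler left in place."
    }
    Remove-Item -Path $handlerKey -Recurse -Force
    if (Test-MsdtHandler) {
        throw 'ms-msdt: handler still present after removal.'
    }
    Write-Host "ms-msdt: handler removed; backup saved to $backupFile"
}

function Restore-MsdtHandler {
    # Re-import the saved key, e.g. once the security update is installed.
    & reg.exe import $backupFile | Out-Null
    if (-not (Test-MsdtHandler)) {
        throw 'Restore failed; ms-msdt: handler not found after import.'
    }
    Write-Host 'ms-msdt: handler restored.'
}

Disable-MsdtHandler
```

Re-run Test-MsdtHandler after any Windows update to confirm the handler has not been silently re-registered.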

Today, CISA also urged administrators and users to disable the MSDT protocol on their Windows devices after Microsoft reported active exploitation of this vulnerability in the wild.

The first CVE-2022-30190 attacks were detected more than a month ago, using extortion threats and Sputnik Radio interview invitations as lures.
