According to threat analysis from security firm Proofpoint, a recently identified vulnerability in Microsoft Office is already being exploited by hackers linked to the Chinese government.
According to information Proofpoint posted on Twitter, a hacker group tracked as TA413 used the vulnerability (dubbed “Follina” by researchers) in malicious Word documents purporting to come from the Central Tibetan Administration, the Tibetan government in exile based in Dharamsala, India. TA413 is an APT, or “advanced persistent threat,” actor suspected of being tied to the Chinese government, and it has targeted Tibetan exiles before.
Chinese hackers have a history of targeting Tibetans by exploiting software security weaknesses. In 2019 research, Citizen Lab found widespread spyware targeting of Tibetan political figures, including the use of Android browser vulnerabilities and malicious links sent via WhatsApp. Browser extensions have also been used for this purpose: a prior Proofpoint investigation revealed a malicious Firefox add-on deployed to track Tibetan activists.
The vulnerability gained significant notice on May 27th, when a security research group known as Nao Sec posted on Twitter about a sample uploaded to VirusTotal, the internet malware scanning service. According to Nao Sec’s tweet, the malware was delivered in Microsoft Word documents, which then executed commands via PowerShell, the scripting and system administration tool built into Windows.
Kevin Beaumont, a security researcher, detailed the vulnerability in a blog post published on May 29th. According to Beaumont’s findings, a maliciously crafted Word document loads an HTML file from a remote web server, and that HTML then launches the Microsoft Support Diagnostic Tool (MSDT), a program that collects information about crashes and other problems with Microsoft applications, through its URL protocol handler with attacker-supplied parameters, resulting in PowerShell commands being run. Because the technique does not rely on macros, the usual macro-blocking policies do not stop it.
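The chain above starts with a relationship inside the .docx package that points at a remote server instead of a part inside the document. The following PowerShell script is an added example, not code from the article, from Beaumont, Nao Sec or Proofpoint: it opens a Word document as the zip container it is, reads every .rels part, and reports relationships of types that should never point outside the file (OLE objects, attached templates, frames) whose target is external. The sample document is constructed inline, and its URL (example.invalid) is a placeholder, not an indicator from any real campaign.

```powershell
# Added example, not code from the article, Proofpoint or Nao Sec: scan a .docx for the
# external-link relationships that let a document pull content from a remote web server.
# The sample document is constructed here; its URL (example.invalid) is a placeholder.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Relationship types that should not normally point outside the document.
# Ordinary hyperlinks are also TargetMode="External", so they are deliberately not listed.
$SuspiciousTypes = @('oleObject', 'attachedTemplate', 'frame', 'subDocument')

function Find-ExternalOfficeLinks {
    param([Parameter(Mandatory)][string]$Path)
    $hits = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)   # a .docx is a zip container
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.FullName -notlike '*.rels') { continue } # relationships live in *.rels parts
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { [xml]$rels = $reader.ReadToEnd() } finally { $reader.Dispose() }
            foreach ($rel in @($rels.Relationships.Relationship)) {
                $type = ($rel.Type -split '/')[-1]
                if ($rel.TargetMode -eq 'External' -and $SuspiciousTypes -contains $type) {
                    $hits += [pscustomobject]@{
                        File = $Path; Part = $entry.FullName; Type = $type; Target = $rel.Target
                    }
                }
            }
        }
    } finally { $zip.Dispose() }
    return $hits
}

# --- constructed sample: a minimal document whose OLE object relationship is external ---
$sample = Join-Path $env:TEMP 'external-oleobject-sample.docx'
if (Test-Path $sample) { Remove-Item $sample -Force }
$relsXml = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://example.invalid/stage2.html!" TargetMode="External"/>
</Relationships>
'@
$archive = [System.IO.Compression.ZipFile]::Open($sample, [System.IO.Compression.ZipArchiveMode]::Create)
try {
    $writer = New-Object System.IO.StreamWriter(($archive.CreateEntry('word/_rels/document.xml.rels')).Open())
    try { $writer.Write($relsXml) } finally { $writer.Dispose() }
} finally { $archive.Dispose() }

# Expected: one row, Part word/_rels/document.xml.rels, Type oleObject, Target http://example.invalid/stage2.html!
Find-ExternalOfficeLinks -Path $sample | Format-Table -AutoSize
```

Run the scanner over a mail quarantine or a shared drive with Get-ChildItem -Recurse -Filter *.docx. A hit is not proof of exploitation, since some legitimate documents link external templates, but an oleObject relationship that fetches HTML from the internet is exactly the pattern described above and is worth pulling for analysis.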
Although there are claims that earlier reports of the same flaw to Microsoft were dismissed, Microsoft has now confirmed the vulnerability and assigned it CVE-2022-30190.
According to Microsoft’s own security response blog, an attacker who exploits the vulnerability could install programs; view, change, or delete data; and even create new user accounts on a compromised system. Microsoft has not yet released an official fix, but it has published a workaround: disabling the MSDT URL protocol handler (ms-msdt:) by deleting its registry key, after first backing the key up so the change can be reverted.
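The workaround Microsoft published is a pair of reg.exe commands (export the ms-msdt key, then delete it). The script below is an added example, not Microsoft’s own script, that wraps those commands so the backup is verified before anything is deleted, the result can be checked, and the key can be restored once a patch is installed. It must run from an elevated (Administrator) PowerShell session; the backup file location is an assumption.

```powershell
# Added example, not Microsoft's own script: applies the published workaround (back up, then
# delete the ms-msdt: protocol handler key) and gives a way to verify and revert it.
# Run from an elevated (Administrator) PowerShell session. The backup path is an assumption.
$MsdtKeyPath = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile  = Join-Path $env:SystemDrive 'ms-msdt-handler-backup.reg'

function Test-MsdtProtocolHandler {
    # $true while the ms-msdt: URL handler is still registered, i.e. the workaround is NOT applied
    return (Test-Path "Registry::$MsdtKeyPath")
}

function Disable-MsdtProtocolHandler {
    if (-not (Test-MsdtProtocolHandler)) { Write-Host 'ms-msdt handler already removed'; return }
    # Export first so the change can be undone once an official fix is installed.
    & reg.exe export $MsdtKeyPath $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $MsdtKeyPath failed; handler left in place." }
    & reg.exe delete $MsdtKeyPath /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Deleting $MsdtKeyPath failed." }
    Write-Host "ms-msdt handler removed; backup at $BackupFile"
}

function Restore-MsdtProtocolHandler {
    # Reverts the workaround by re-importing the exported key.
    if (-not (Test-Path $BackupFile)) { throw "No backup at $BackupFile" }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Import of $BackupFile failed." }
}

Disable-MsdtProtocolHandler
"Handler still registered: $(Test-MsdtProtocolHandler)"   # False once the workaround is in place
```

Deleting the key only removes the URL launch path; msdt.exe itself stays on disk, and troubleshooters remain reachable through the Windows settings and Get Help interfaces. Keep the .reg backup with your change record, and treat msdt.exe being started by an Office process as an event worth alerting on regardless of whether the handler is disabled.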
The potential attack surface is extensive because of how widely Microsoft Office and its associated products are deployed. According to current analysis, Follina affects Office 2013, 2016, 2019, and 2021, Office ProPlus, and Office 365, and as of Tuesday the US Cybersecurity and Infrastructure Security Agency was advising system administrators to follow Microsoft’s mitigation guidance.