Chinese hackers now using ‘Follina’, a Zero-day vulnerability in Microsoft Office against the International Tibetan community

Follina, or CVE-2022-30190, is the Windows MSDT vulnerability first seen in April this year. Microsoft has released a temporary fix, but the vulnerability has not been patched yet.
Chinese hackers are now said to be actively exploiting the Microsoft Office zero-day vulnerability dubbed ‘Follina’. The vulnerability allows threat actors to remotely execute malicious code by sending victims a Microsoft Word file; the exploit activates the moment the file is opened or viewed in ‘preview’. Follina then downloads the code from a remote server using the Microsoft Windows Support Diagnostic Tool (MSDT).
Microsoft was alerted by crazyman, an infosec researcher, in April; however, Microsoft decided at the time that it was not a security-related issue.
The Chinese TA413 APT group, a state-affiliated threat actor, is now exploiting the Follina zero-day vulnerability to target the International Tibetan community. Proofpoint’s threat research team had previously found the same group targeting Tibetans with Sepulcher malware during the COVID pandemic in 2020.
Additionally, MalwareHunterTeam detected DOCX documents with Chinese filenames being used to install malicious payloads, detected as password-stealing trojans, through http://coolrat[.]xyz.
Microsoft issues mitigation measures
Microsoft has issued mitigation measures for the Follina (CVE-2022-30190) vulnerability: “A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”
Microsoft advises admins to disable the MSDT URL protocol by using the following steps:
  • Run Command Prompt as Administrator.
  • To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”.
  • Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
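The same three steps, scripted so they can be pushed to many hosts and verified afterwards. This is an added example written for this article, not Microsoft’s own guidance or tooling; the backup location under the Windows Temp folder and the function names are assumptions. It wraps the same reg.exe export and delete commands Microsoft lists, refuses to delete the key if the backup did not succeed, and exposes a check that can also be run on its own to audit whether the ms-msdt handler is still registered.

```powershell
#Requires -RunAsAdministrator

# Added example (not from the article or from Microsoft): back up and remove the
# ms-msdt URL protocol handler as an interim mitigation for CVE-2022-30190.
# $BackupFile location is an assumption; adjust it for your environment.

$KeyPath    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:SystemRoot ("Temp\ms-msdt-backup-{0}.reg" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))

function Test-MsdtHandlerPresent {
    # Returns $true while the ms-msdt: URL protocol is still registered,
    # i.e. the mitigation has NOT been applied on this host. Safe to run
    # on its own as an audit check (read-only).
    return (Test-Path -Path $KeyPath)
}

function Disable-MsdtUrlProtocol {
    if (-not (Test-MsdtHandlerPresent)) {
        Write-Host 'ms-msdt handler not present; nothing to do.'
        return
    }

    # Step 1: back up the key (same as "reg export HKEY_CLASSES_ROOT\ms-msdt filename").
    # /y overwrites an existing file without prompting.
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $BackupFile)) {
        throw 'Backup of HKCR\ms-msdt failed; key left untouched.'
    }
    Write-Host "Backup written to $BackupFile"

    # Step 2: remove the handler (same as "reg delete HKEY_CLASSES_ROOT\ms-msdt /f").
    & reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg delete failed with exit code $LASTEXITCODE"
    }

    # Step 3: verify the key is really gone before reporting success.
    if (Test-MsdtHandlerPresent) {
        throw 'ms-msdt key still present after delete; inspect manually.'
    }
    Write-Host 'ms-msdt URL protocol disabled.'
}

Disable-MsdtUrlProtocol

# Once a patch is installed, the handler can be restored from the backup with:
#   reg.exe import <path to the .reg file written above>
```

Run it from an elevated PowerShell session. Calling only `Test-MsdtHandlerPresent` on a fleet gives a quick inventory of which machines still have the handler, which is useful both before rolling the mitigation out and when confirming it has not been silently re-registered.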
Researchers have also pointed out that the “Preview Pane” in Microsoft Word should be disabled.
Follina or CVE-2022-30190 was first discovered by the Shadow Chase group, Nao_Sec, and crazyman.
According to a senior security researcher who tweeted a timeline of events up to Follina’s official discovery, the vulnerability has so far been used against Nepal, India, the Philippines, Russia, and Belarus.