China-backed hackers are exploiting Microsoft’s zero-day without patches

Chinese state-backed hackers are exploiting an unpatched Microsoft Office zero-day vulnerability, known as “Follina”, to remotely execute malicious code on Windows systems. The high-severity vulnerability, tracked as CVE-2022-30190, is used in attacks to execute malicious PowerShell commands via the Microsoft Support Diagnostic Tool (MSDT) when a user opens or previews a specially crafted Office document. The flaw, which affects 41 Microsoft products, including Windows 11 and Office 365, works without elevated privileges, bypasses Windows Defender detection, and does not require macros to be enabled in order to run binaries or scripts.

The zero-day can also bypass Microsoft’s Protected View feature, an Office safeguard that warns about potentially malicious files and documents. Researchers at Huntress warned that converting the document to a Rich Text Format (RTF) file could allow attackers to bypass this warning, and also allows the exploit to trigger when a downloaded file is merely previewed, with no clicks required. Microsoft warned that the flaw could allow threat actors to install programs, delete data, and create new accounts in the context allowed by the victim’s user rights.

Cybersecurity researchers have observed hackers exploiting the flaw to target Russian and Belarusian users since April, and enterprise security firm Proofpoint said this week that a Chinese state-sponsored hacking group has been exploiting the zero-day in attacks directed at the international Tibetan community. “TA413 CN APT seen [in-the-wild] exploiting Follina zero-day by using URLs to deliver ZIP files containing Word documents using the technique,” Proofpoint said in a tweet. “The campaigns pose as the ‘Women’s Empowerment Board’ of the Central Tibetan Administration and use the domain tibet-gov.web[.]app.”

Proofpoint tells TechCrunch it has previously observed the threat actor TA413, also tracked as “LuckyCat” and “Earth Berberoka,” targeting Tibetan organizations through malicious browser extensions and COVID-19-themed espionage campaigns.

The Follina zero-day was initially reported to Microsoft on April 12, after Word documents purporting to be from the Russian news agency Sputnik, offering recipients a radio interview, were found abusing the flaw in the wild. However, Madman, the Shadow Chaser Group researcher who first reported the zero-day, said that Microsoft initially labeled the flaw as not being a “security-related issue.” The tech giant later informed the researcher that the “issue has been fixed,” but there does not appear to be a patch available. TechCrunch asked Microsoft when a patch will be released, but the company did not respond. However, the company has issued new guidance warning administrators that they can block attacks exploiting CVE-2022-30190 by disabling the MSDT URL protocol, along with the Preview pane in Windows Explorer. The US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on Tuesday urging users and administrators to review Microsoft’s guidance and apply any necessary workarounds.
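The MSDT URL protocol workaround mentioned above, as an added PowerShell example that is not part of the article or of Microsoft’s own guidance text: it audits whether the `ms-msdt:` handler is still registered, exports the key before removing it so the change is reversible, and restores it later. The `HKEY_CLASSES_ROOT\ms-msdt` key is the handler the guidance targets; the backup directory and function names are assumptions.

```powershell
# Added example (not from the article or Microsoft's guidance): audit and apply the
# CVE-2022-30190 workaround of disabling the ms-msdt URL protocol handler.
# Run from an elevated PowerShell session.

$KeyPath   = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$BackupDir = Join-Path $env:ProgramData 'FollinaWorkaround'   # assumed backup location
$Backup    = Join-Path $BackupDir 'ms-msdt.reg'

function Test-MsdtProtocolEnabled {
    # $true means the ms-msdt: scheme still has a registered handler, i.e. the
    # workaround has NOT been applied on this host.
    return (Test-Path -LiteralPath $KeyPath)
}

function Disable-MsdtProtocol {
    # Export the key first so the change can be reverted, then delete the handler
    # so ms-msdt: links launched from Office documents no longer start MSDT.
    if (-not (Test-MsdtProtocolEnabled)) {
        Write-Output 'ms-msdt handler already absent; nothing to do.'
        return
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $Backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Backup of ms-msdt key failed; aborting.' }
    & reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Deleting ms-msdt key failed.' }
    Write-Output "ms-msdt handler removed; backup saved to $Backup"
}

function Restore-MsdtProtocol {
    # Revert the workaround from the exported backup once a vendor patch is installed.
    if (-not (Test-Path -LiteralPath $Backup)) { throw "No backup found at $Backup" }
    & reg.exe import $Backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Import of $Backup failed." }
    Write-Output 'ms-msdt handler restored.'
}

# Usage (elevated):
#   Test-MsdtProtocolEnabled   # $true = host still exposed
#   Disable-MsdtProtocol
#   Restore-MsdtProtocol       # after the patch is installed
```

This covers only the MSDT protocol part of the guidance; the Explorer Preview pane setting is a separate per-user change.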
