Chinese Threat Actors Exploiting ‘Follina’ Vulnerability

The Windows zero-day vulnerability identified as Follina and CVE-2022-30190 is being exploited in an increasing number of attacks, including by a Chinese APT group.

The existence of the flaw, which can be exploited for remote code execution, came to light on May 27, when a malicious document exploiting it was spotted in the wild. The vulnerability was dubbed Follina by researcher Kevin Beaumont, one of the first members of the cybersecurity community to analyze the exploit.

The security hole is related to the Microsoft Support Diagnostic Tool (MSDT), with the exploit being triggered when the targeted user opens a specially crafted document.

While a patch has yet to be released, Microsoft noted that Protected View, a feature designed to block these types of attacks, should protect users. However, researchers determined that if the attacker delivers the exploit as an RTF file, it is triggered as soon as the file is previewed in Explorer, and Protected View never activates.

Huntress warned in a blog post that threat actors can exploit the flaw to “elevate their own privileges and potentially gain ‘god mode’ access to the affected environment.”

Microsoft has known about the vulnerability since April, when it was notified by a member of Shadow Chaser Group, a research team focusing on APT hunting and analysis.

The researcher who informed Microsoft said the tech giant initially classified it as “not a security related issue,” despite being warned that a sample exploiting it had been seen in the wild. After a different researcher reported seeing a document exploiting the vulnerability on May 27, Microsoft assigned it a CVE, released mitigation guidance, and confirmed that it is an actively exploited zero-day vulnerability.

Exploitation works against Office Pro Plus, Office 2013, Office 2016, Office 2019 and Office 2021, but some evidence suggests Microsoft may have been trying to address the issue before its existence was made public.

An increasing number of files exploiting the Follina vulnerability have been found in the wild. Exploitation appears to have started in April, with users in India and Russia being targeted in attacks leveraging various themes, including interview requests and extortion.

Proofpoint reported on Tuesday that a threat actor tracked as TA413, which was previously linked to China, has exploited the vulnerability in its attacks on the Tibetan community. TA413 has targeted Tibet for years and the attacks involving the Follina zero-day use the “Women Empowerments Desk” of the Central Tibetan Administration as a lure.

The SANS Institute has also discovered a document exploiting CVE-2022-30190 to deliver malware. The file’s name is written in Chinese and translates to “Mobile phone room to receive orders – channel quotation – the lowest price on the whole network.”

Official patches are not available, but there are workarounds and mitigations, both from Microsoft and the cybersecurity community. Security firms have updated their products to detect attacks, but as more information and PoC exploits become available, there will likely be more exploitation attempts.
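The trigger path described above (an Office application renders a crafted document and ends up launching the Microsoft Support Diagnostic Tool) gives defenders a simple telemetry signal to hunt for while patches are pending: msdt.exe appearing as the child of an Office process. The script below is an added example written for this article; it is not code from SecurityWeek, Microsoft or any security vendor mentioned here. It assumes process-creation events exported as dictionaries with `host`, `parent_image`, `image` and `command_line` fields (a generic EDR or Sysmon-style shape), and the list of Office host processes is an assumed starting point to be tuned per environment. The sample events are constructed, not real telemetry.

```python
"""Hunt for msdt.exe launched by an Office document handler.

Added example for the Follina (CVE-2022-30190) article; not the article's
or any vendor's code. Field names, the Office parent list and the sample
events are assumptions / constructed data.
"""
from typing import Iterable

# Office host processes that render user-opened documents (assumed list;
# extend it for Visio, Publisher, etc. if those are deployed).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# The MSDT executable name on Windows.
MSDT_IMAGE = "msdt.exe"


def basename(path: str) -> str:
    """Return the lowercase file name of a Windows path (tolerates '/' too)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_msdt_from_office(event: dict) -> bool:
    """True when the created process is msdt.exe and its parent is an Office app.

    Comparing on the basename rather than the full path keeps the rule stable
    across Office install locations and 32/64-bit system directories.
    """
    child = basename(event.get("image", ""))
    parent = basename(event.get("parent_image", ""))
    return child == MSDT_IMAGE and parent in OFFICE_PARENTS


def find_msdt_from_office(events: Iterable[dict]) -> list:
    """Return a compact hit record for every event matching the rule."""
    hits = []
    for event in events:
        if is_msdt_from_office(event):
            hits.append({
                "host": event.get("host", "<unknown>"),
                "parent": basename(event["parent_image"]),
                "command_line": event.get("command_line", ""),
            })
    return hits


# Constructed sample events (not real telemetry). Command lines are
# placeholders; the actual exploit invocation is intentionally not reproduced.
SAMPLE_EVENTS = [
    {   # Word launching MSDT: the pattern the article describes.
        "host": "ws01",
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "image": r"C:\Windows\System32\msdt.exe",
        "command_line": "msdt.exe <constructed placeholder>",
    },
    {   # A user starting a troubleshooter from Control Panel: benign.
        "host": "ws02",
        "parent_image": r"C:\Windows\System32\control.exe",
        "image": r"C:\Windows\System32\msdt.exe",
        "command_line": "msdt.exe <constructed placeholder>",
    },
    {   # Excel spawning a shell: worth its own rule, but not this one.
        "host": "ws03",
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": "cmd.exe <constructed placeholder>",
    },
]


if __name__ == "__main__":
    for hit in find_msdt_from_office(SAMPLE_EVENTS):
        print(f"[ALERT] {hit['host']}: {hit['parent']} -> msdt.exe  ({hit['command_line']})")
```

Run against the constructed sample, only the ws01 event is reported. Because the article notes that an RTF delivered via the Explorer preview pane bypasses Protected View, a production version of this hunt should also review whichever process renders Office previews on the hosts in question, rather than assuming Word itself is always the parent.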

The US Cybersecurity and Infrastructure Security Agency (CISA) is advising organizations to review the guidance from Microsoft.

In his blog post on Follina, Beaumont pointed out that there have been several events leading up to this moment over the past couple of years. Research describing how MSDT can be abused for code execution was published in August 2020 and March 2022. In addition, in 2021, Microsoft stealthily patched a similar vulnerability in Teams.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.