Chinese Threat Actors Exploiting ‘Follina’ Vulnerability

The Windows zero-day vulnerability identified as Follina and CVE-2022-30190 is being exploited in an increasing number of attacks, including by a Chinese APT group.

The existence of the flaw, which can be exploited for remote code execution, came to light on May 27, when a malicious document exploiting it was spotted in the wild. The vulnerability was dubbed Follina by researcher Kevin Beaumont, one of the first members of the cybersecurity community to analyze the exploit.

The security hole is related to the Microsoft Support Diagnostic Tool (MSDT), with the exploit being triggered when the targeted user opens a specially crafted document.

While a patch has yet to be released, Microsoft noted that Protected View, a feature designed to block these types of attacks, should protect users. However, researchers determined that if the attacker delivers the exploit as an RTF file, the exploit is triggered when a preview of the file is viewed in Explorer, and Protected View does not step into action.

Huntress warned in a blog post that threat actors can exploit the flaw to “elevate their own privileges and potentially gain ‘god mode’ access to the affected environment.”

Microsoft has known about the vulnerability since April, when it was notified by a member of Shadow Chaser Group, a research team focusing on APT hunting and analysis.

The researcher who informed Microsoft said the tech giant initially classified it as “not a security related issue,” despite being warned that a sample exploiting it had been seen in the wild. After a different researcher reported seeing a document exploiting the vulnerability on May 27, Microsoft assigned it a CVE, released mitigation guidance, and confirmed that it is an actively exploited zero-day vulnerability.

Exploitation works against Office Pro Plus, Office 2013, Office 2016, Office 2019 and Office 2021, but some evidence suggests Microsoft may have been trying to address the issue before its existence was made public.

An increasing number of files exploiting the Follina vulnerability have been found in the wild. Exploitation appears to have started in April, with users in India and Russia being targeted in attacks leveraging various themes, including interview requests and extortion.

Proofpoint reported on Tuesday that a threat actor tracked as TA413, which was previously linked to China, has exploited the vulnerability in its attacks on the Tibetan community. TA413 has targeted Tibet for years and the attacks involving the Follina zero-day use the “Women Empowerments Desk” of the Central Tibetan Administration as a lure.

The SANS Institute has also discovered a document exploiting CVE-2022-30190 to deliver malware. The file’s name is written in Chinese and translates to “Mobile phone room to receive orders – channel quotation – the lowest price on the whole network.”

Official patches are not available, but there are workarounds and mitigations, both from Microsoft and the cybersecurity community. Security firms have updated their products to detect attacks, but as more information and PoC exploits become available, there will likely be more exploitation attempts.

The US Cybersecurity and Infrastructure Security Agency (CISA) is advising organizations to review the guidance from Microsoft.

In his blog post on Follina, Beaumont pointed out that there have been several events leading up to this moment over the past couple of years. Research describing how MSDT can be abused for code execution was published in August 2020 and March 2022. In addition, in 2021, Microsoft stealthily patched a similar vulnerability in Teams.

Related: Patch Tuesday: Microsoft Warns of New Zero-Day Being Exploited

Related: Microsoft Patches 128 Windows Flaws, New Zero-Day Reported by NSA