Cybersecurity firm Proofpoint is warning that Chinese hackers are exploiting the new zero-day vulnerability in Microsoft Office. According to Proofpoint, an APT group tracked as TA413 and believed to be acting in Beijing's interests is weaponizing a previously unknown critical flaw in Microsoft Office (CVE-2022-30190). Using this vulnerability, dubbed Follina, attackers can achieve remote code execution on vulnerable systems with minimal user interaction.
The group distributes, via URLs, ZIP archives containing malicious Word documents. The threat actor impersonates the Women Empowerments Desk of the Central Tibetan Administration and uses the domain tibet-gov.web[.]app. This is not the first time TA413 has used Tibetan themes in its attacks: the group is well known for delivering Exile RAT, Sepulcher and the malicious Firefox browser extension FriarFox to devices belonging to the Tibetan diaspora.
Follina also lets attackers convert the document to an RTF file, which sidesteps the Protected View safeguards for suspicious files and still runs the injected code. In that case the victim does not even need to open the document: previewing it in the Windows File Explorer Preview Pane is enough.
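A defender triaging the Word and RTF attachments described above wants a quick way to tell which files reference the MSDT URL protocol handler at all. The following is an added example written for this article, not Proofpoint's or Microsoft's code: it inspects an OOXML (.docx) package's relationship parts for external targets that use the `ms-msdt:` scheme (the handler Microsoft advises disabling), and falls back to a raw byte scan for plain-text formats such as RTF. The function names, the minimal package builder and every sample input are constructed for the demonstration; the `ms-msdt:/constructed-placeholder` target is a labelled placeholder, not a real payload.

```python
"""Triage helper: flag documents that reference the ms-msdt: URL protocol handler.

Added example, not part of the original article. Sample inputs are constructed
below and are not real captured attachments.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
MSDT_RAW = re.compile(rb"ms-msdt:", re.IGNORECASE)


def external_targets(docx_bytes):
    """Yield (part name, target) for every external relationship in an OOXML package."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                # TargetMode="External" means the target lives outside the package,
                # e.g. a URL the application resolves when the part is loaded.
                # The scheme is the indicator regardless of the relationship Type.
                if rel.get("TargetMode") == "External":
                    yield name, rel.get("Target", "")


def find_msdt_indicators(data):
    """Return human-readable findings for one document given as bytes."""
    findings = []
    if data[:2] == b"PK":
        # OOXML (.docx) container: look at the relationship parts, because the
        # deflated XML inside the zip would not match a raw byte scan.
        try:
            for part, target in external_targets(data):
                if target.lower().startswith("ms-msdt:"):
                    findings.append(f"{part}: external target uses ms-msdt: ({target})")
        except zipfile.BadZipFile:
            findings.append("starts with PK but is not a valid zip container")
    elif MSDT_RAW.search(data):
        # Plain-text formats such as RTF: scan the raw bytes. RTF object data is
        # usually hex-encoded, so a hardened scanner would decode \objdata runs first.
        findings.append("raw bytes contain the ms-msdt: scheme")
    return findings


def build_sample_docx(target):
    """Construct a minimal .docx-like package with one external relationship (test data only)."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
        f'Target="{target}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: placeholder targets, no real payload.
    samples = {
        "suspicious.docx": build_sample_docx("ms-msdt:/constructed-placeholder"),
        "benign.docx": build_sample_docx("https://example.com/"),
        "suspicious.rtf": b"{\\rtf1 constructed sample MS-MSDT:/placeholder }",
        "benign.rtf": b"{\\rtf1 constructed plain text }",
    }
    for name, blob in samples.items():
        hits = find_msdt_indicators(blob)
        print(f"{name}: {'FLAG ' + '; '.join(hits) if hits else 'clean'}")
```

The check is deliberately scheme-based rather than signature-based: a benign document has no reason to hand a URL to the diagnostics handler, so any hit is worth a manual look, while a benign external hyperlink passes untouched.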
Microsoft disclosed the flaw on April 12, 2022, and attackers quickly began exploiting it in the wild. The vulnerability affects MSDT (Microsoft Diagnostics Tool) and Microsoft Word, but Redmond does not regard it as a security issue, arguing that MSDT requires a passkey provided by a support technician before it can execute payloads.
Follina affects all Windows versions currently supported by the vendor. It can be exploited through Microsoft Office versions from Office 2013 through Office 21, as well as the Office Professional Plus editions.
Currently, there is no fix available for this vulnerability. As a precaution, Redmond recommends disabling the MSDT URL protocol and turning off the Preview Pane in File Explorer.