China-backed hackers are attacking the unpatched version of Microsoft Office's zero-day vulnerability, which is called "Follina," and carrying out malicious code remotely on various Windows systems.
A picture taken on May 23, 2022 shows the logo of Microsoft during the World Economic Forum (WEF) annual meeting in Davos.
"High-Severity Vulnerability"
The malicious code is considered a high-severity vulnerability, and it is now being tracked as CVE-2022-30190. The vulnerability is used in the attacks to embed harmful PowerShell commands through the Microsoft Diagnostic Tool (MSDT) that pops up when Office documents are opened or previewed.
This flaw is affecting a total of 41 Microsoft products such as Office 365, Windows 11, and more. Additionally, it can operate even without the presence of elevated privileges, does not need macro code to perform scripts or binaries, and bypass Windows Defender detection.
According to Tech Crunch's report, the zero-day can enable the circumvention of Microsoft's Protected View feature, one of Microsoft Office's tools that warns the user about malicious files and documents.
Meanwhile, researchers from the cybersecurity platform Huntress cautioned that if a user converts a document to a Rich Text Format (RTF) file, it could enable attackers to bypass this warning and lets them exploit it with a hover-preview of a downloaded file that does not entail any clicks from the user.
Microsoft also noted that the flaw could lead to hackers installing programs, deleting data, and making new accounts based on the context that is guaranteed by the user's rights.
Read also: Microsoft Addresses Zero-Day Hacks Afflicting Chromium-Based Browsers
Chinese State-Sponsored Hackers
Back in April, cybersecurity experts already noticed that hackers were exploiting the flaw to target users from Russia and Belarus.
But more recently, an Enterprise security firm called Proofpoint claimed this week that a hacking group sponsored by the Chinese state has been taking advantage of the zero-day in their attacks aiming at the international Tibetan community.
Proofpoint said in a tweet that "TA413 CN APT" was spotted in the wild "exploiting the Follina zero-day" through URLS that deliver ZIP archives containing Word Documents.
"Campaigns impersonate the 'Women Empowerments Desk' of the Central Tibetan Administration and use the domain tibet-gov.web[.]app[.]," Proofpoint added.
In its statement with TechCrunch, Proofpoint revealed that it had tracked the TA412 threat actor with the names "LuckyCat" and "Earth Berberoka." This threat actor is targeting Tibetan groups via the use of malicious browser extensions and espionage campaigns with COVID-19 as the theme.
The Follina zero-day was first reported to Microsoft back on April 12 when Word documents falsely appeared to be coming from Russia's Sputnik news agency that offers a radio interview for the recipients.
On Tuesday, June 1, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) alerted users and administrators to review Microsoft guidance and initiate possible workarounds.
Related Article: Chrome Zero-Day Vulnerability: North Korean Hackers Bring Threats to US Targets, Same One in Past Years
This article is owned by Tech Times
Written by Joaquin Victor Tacla
