Photo by Amelia Holowaty Krales / The Verge
A newly discovered vulnerability in Microsoft Office is already being exploited by hackers linked to the Chinese government, according to threat analysis research from security firm Proofpoint.
Details shared by Proofpoint on Twitter suggest that a hacking group labeled TA413 was using the vulnerability (named âFollinaâ by researchers) in malicious Word documents purported to be sent from the Central Tibetan Administration, the Tibetan government in exile based in Dharamsala, India. The TA413 group is an APT, or âadvanced persistent threat,â actor believed to be linked to the Chinese government and has previously been observed targeting the Tibetan exile community.
In general, Chinese hackers have a history of using software security flaws to target Tibetans. A report published by Citizen Lab in 2019 documented extensive targeting of Tibetan political figures with spyware, including through Android browser exploits and malicious links sent through WhatsApp. Browser extensions have also been weaponized for the purpose, with previous analysis from Proofpoint uncovering the use of a malicious Firefox add-on to spy on Tibetan activists.
The Microsoft Word vulnerability first began to receive widespread attention on May 27th, when a security research group known as Nao Sec took to Twitter to discuss a sample submitted to the online malware scanning service VirusTotal. Nao Secâs tweet flagged the malicious code as being delivered through Microsoft Word documents, which were ultimately used to execute commands through PowerShell, a powerful system administration tool for Windows.
Interesting maldoc was submitted from Belarus. It uses Word’s external link to load the HTML and then uses the “ms-msdt” scheme to execute PowerShell code.https://t.co/hTdAfHOUx3 pic.twitter.com/rVSb02ZTwt
â nao_sec (@nao_sec) May 27, 2022
In a blog post published on May 29th, researcher Kevin Beaumont shared further details of the vulnerability. Per Beaumontâs analysis, the vulnerability let a maliciously crafted Word document load HTML files from a remote webserver and then execute PowerShell commands by hijacking the Microsoft Support Diagnostic Tool (MSDT), a program that usually collects information about crashes and other problems with Microsoft applications.
Microsoft has now acknowledged the vulnerability, officially titled CVE-2022-30190, although there are reports that earlier attempts to notify Microsoft of the same bug were dismissed.
According to Microsoftâs own security response blog, an attacker able to exploit the vulnerability could install programs, access, modify, or delete data, and even create new user accounts on a compromised system. So far, Microsoft has not issued an official patch but offered mitigation measures for the vulnerability that involve manually disabling the URL loading feature of the MSDT tool.
Due to the widespread use of Microsoft Office and related products, the potential attack surface for the vulnerability is large. Current analysis suggests that Follina affects Office 2013, 2016, 2019, 2021, Office ProPlus, and Office 365; and, as of Tuesday, the US Cybersecurity and Infrastructure Security Agency was urging system administrators to implement Microsoftâs guidance for mitigating exploitation.