China-linked hackers are remotely executing malicious code on Windows systems by exploiting a new Microsoft Office vulnerability known as “Follina.”
According to a threat analysis study by security firm Proofpoint, the unpatched Microsoft zero-day vulnerability has already been exploited by hackers associated with the Chinese government.
The security firm announced this week that a hacking group sponsored by China has been using the zero-day vulnerability to attack the international Tibetan community.
In a tweet shared by the company, it announced that “TA413 CN APT spotted ITW (in the wild) exploiting the Follina zero-day using URLs to deliver zip archives which contain Word Documents that use the technique.”
“Campaigns impersonate the ‘Women Empowerments Desk’ of the Central Tibetan Administration and use the domain tibet-gov.web[.]app,” the company added.
A zero-day vulnerability is one that is still unknown to the party or parties responsible for patching or otherwise correcting the flaw in the affected software, hardware, or firmware.
When a researcher from Shadow Chaser Group first reported this flaw to Microsoft on April 12, the company dismissed it as not a “security-related issue.”
The zero-day vulnerability, called CVE-2022-30190, is being exploited in attacks that employ the Microsoft Diagnostic Tool (MSDT).
The tool is abused to run hostile PowerShell commands when users open or preview specially crafted Office documents.
Currently, 41 Microsoft products are affected by the vulnerability, including Windows 11 and Office 365.
The Microsoft Word flaw goes undetected by Windows Defender. It doesn’t require elevated privileges, and it executes commands without using macro code.
In an article, Huntress researchers warned against converting the document to a Rich Text Format (RTF) file.
According to them, doing so could give the hackers a way around the warning and trigger the exploit with a simple hover-preview of a downloaded file; the preview requires no clicks to activate the attack.
The zero-day also bypasses the Microsoft feature that alerts users to potentially harmful Office files and documents. This feature, known as Protected View, fails to warn users about the malicious files.
Since April, cybersecurity analysts have noticed that the threat actors are specifically attacking Russian and Belarusian users with the flaw.
Although Microsoft initially dismissed the zero-day flaw, the company recently warned that attackers could use it to install programs, remove data, and set up new accounts within the context permitted by the user’s rights.
The tech giant also advised admins to prevent attacks utilizing CVE-2022-30190 by disabling the MSDT URL protocol and the Preview window in Windows Explorer.
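The MSDT URL-protocol workaround described above, as an added example that is not part of the original article or of Microsoft’s advisory: it backs up the handler key before removing it so the change can be reverted once the patch is installed. The backup path is a placeholder; run it from an elevated PowerShell session.

```powershell
# Added example: apply and verify the MSDT URL-protocol workaround for CVE-2022-30190.
# The ms-msdt key registers the ms-msdt: URL handler that the exploit chain relies on.
$KeyPath    = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = 'C:\Backups\ms-msdt-handler.reg'   # placeholder path, adjust to your process

function Disable-MsdtUrlProtocol {
    # Nothing to do if the handler is already gone (e.g. removed by another tool).
    if (-not (Test-Path "Registry::$KeyPath")) {
        Write-Output "ms-msdt handler already absent; no change made."
        return
    }
    New-Item -ItemType Directory -Path (Split-Path $BackupFile) -Force | Out-Null
    # Export first so the workaround can be undone after patching.
    reg.exe export $KeyPath $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $KeyPath failed; aborting." }
    reg.exe delete $KeyPath /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Deletion of $KeyPath failed." }
}

function Restore-MsdtUrlProtocol {
    # Re-import the saved handler once the vendor fix is deployed.
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile." }
    reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Import of $BackupFile failed." }
}

function Test-MsdtUrlProtocolDisabled {
    # True when no ms-msdt: handler is registered, i.e. the workaround is in place.
    return -not (Test-Path "Registry::$KeyPath")
}

Disable-MsdtUrlProtocol
if (Test-MsdtUrlProtocolDisabled) { Write-Output "MSDT URL protocol disabled." }
```

Test-MsdtUrlProtocolDisabled can be run on its own from a compliance check to confirm the workaround is still in place across a fleet.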
On Tuesday, the United States’ Cybersecurity and Infrastructure Security Agency (CISA) issued a warning advising users and administrators to follow Microsoft’s guidelines and implement the appropriate remedies.