Unpatched Microsoft zero-day vulnerabilities are being exploited by Chinese-backed hackers.


China-backed hackers are remotely executing malicious code on Windows devices using an unpatched Microsoft Office zero-day vulnerability known as "Follina."

The high-severity vulnerability, tracked as CVE-2022-30190, is being used in attacks to execute malicious PowerShell commands through the Microsoft Diagnostic Tool (MSDT) when a specially crafted Office document is opened or previewed. The bug, which affects 41 Microsoft products including Windows 11 and Office 365, works without elevated privileges, evades Windows Defender detection, and executes binaries or scripts without any macro code.

The zero-day can also bypass Microsoft's Protected View feature, which warns users about potentially harmful files and documents in Office. According to Huntress researchers, converting the document to a Rich Text Format (RTF) file lets attackers avoid the warning and lets the exploit fire from a hover preview of a downloaded file, with no clicks required.
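The chain described above (an Office document handing off to MSDT, which then runs PowerShell) leaves a distinctive parent/child trail in process-creation telemetry. The following is an added detection example, not code from the article or from Microsoft, Huntress or Proofpoint; it assumes a constructed JSON-per-line record with ParentImage, Image and CommandLine fields, and that the ms-msdt: URI scheme is how a document reaches msdt.exe.

```python
import json

# Office hosts that have no business launching the diagnostic tool.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumption: a document reaches msdt.exe through the ms-msdt: URI scheme, so that
# scheme (or a PowerShell reference) in the msdt command line is a further flag.
SUSPICIOUS_MARKERS = ("ms-msdt:", "powershell")

def image_name(path):
    """Normalise a Windows image path to its lower-case file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify_event(event):
    """Return the reasons a process-creation event matches the Follina chain."""
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    cmdline = event.get("CommandLine", "").lower()
    reasons = []
    if child == "msdt.exe" and parent in OFFICE_PROCESSES:
        reasons.append(f"{parent} spawned msdt.exe")
    if child == "msdt.exe" and any(m in cmdline for m in SUSPICIOUS_MARKERS):
        reasons.append("msdt.exe command line carries URI or script content")
    if child in {"powershell.exe", "pwsh.exe"} and parent == "msdt.exe":
        reasons.append("msdt.exe spawned PowerShell")
    return reasons

def scan(log_lines):
    """Parse JSON-per-line process events; return (image, reasons) for each hit."""
    hits = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the sweep
        reasons = classify_event(event)
        if reasons:
            hits.append((image_name(event.get("Image", "")), reasons))
    return hits

# Constructed sample telemetry (not real logs): a normal Word launch, Word handing
# off to msdt.exe, msdt.exe launching PowerShell, and one malformed line.
SAMPLE_LOG = [json.dumps(e) for e in (
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Office16\WINWORD.EXE",
     "CommandLine": "WINWORD.EXE /n invoice.docx"},
    {"ParentImage": r"C:\Office16\WINWORD.EXE", "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": "msdt.exe ms-msdt:PLACEHOLDER"},
    {"ParentImage": r"C:\Windows\System32\msdt.exe", "Image": r"C:\Windows\powershell.exe",
     "CommandLine": "powershell.exe -Command PLACEHOLDER"},
)] + ["not valid json"]
```

Running `scan(SAMPLE_LOG)` flags the Word-to-msdt hand-off (two reasons) and the msdt-to-PowerShell launch, and ignores the benign Word start and the malformed line.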

Threat actors might use the issue to install applications, remove data, and create new accounts in the context permitted by the user's privileges, according to Microsoft.

Since April, cybersecurity researchers have observed hackers targeting Russian and Belarusian users, and enterprise security firm Proofpoint announced this week that a Chinese state-sponsored hacking organisation has been using the zero-day in attacks against the international Tibetan community.

In a tweet, Proofpoint claimed, "TA413 CN APT detected [in-the-wild] abusing the Follina zero-day leveraging URLs to deliver ZIP packages which include Word Documents that leverage the approach."

"Campaigns pose as the Central Tibetan Administration's 'Women Empowerments Desk,' using the domain tibet-gov.web[.]app."

The Follina zero-day was first reported to Microsoft on April 12, when Word documents purporting to be from Russia's Sputnik news agency and offering recipients a radio interview were discovered exploiting the issue in the wild. However, the researcher who first reported the zero-day, crazyman of Shadow Chaser Group, claims that Microsoft initially classified the problem as not a "security-related issue." The researcher was later informed that the "problem has been resolved," although no patch appears to be available.

On Tuesday, the United States Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory urging users and administrators to follow Microsoft's guidance and apply the recommended workarounds.
