Friday, August 12, 2022

China-linked hackers exploit new vulnerability in Microsoft Office

A newly discovered vulnerability in Microsoft Office is already being exploited by hackers linked to the Chinese government, according to threat analysis research from the security company Proofpoint.

Details shared by Proofpoint on Twitter suggest that a hacking group labeled TA413 used the vulnerability (named “Follina” by researchers) in malicious Word documents purporting to be sent by the Central Tibetan Administration, the Tibetan government-in-exile based in Dharamsala, India. The TA413 group is an APT, or “Advanced Persistent Threat”, actor believed to be linked to the Chinese government, and it has previously been observed targeting the Tibetan community in exile.

In general, Chinese state-linked hackers have a long history of using software vulnerabilities to target Tibetans. A report published by Citizen Lab in 2019 documented widespread targeting of Tibetan political figures with spyware, including via Android browser exploits and malicious links sent via WhatsApp. Browser extensions have also been weaponized for this purpose, with previous Proofpoint analysis revealing the use of a malicious Firefox add-on to spy on Tibetan activists.

The Microsoft Word vulnerability began to receive widespread attention on May 27, when a security research group known as Nao Sec took to Twitter to discuss a sample submitted to the online malware scanning service VirusTotal. Nao Sec’s tweet reported that the malicious code was delivered via Microsoft Word documents, which were ultimately used to execute commands via PowerShell, a powerful system administration tool for Windows.

In a blog post published on May 29, researcher Kevin Beaumont shared more details about the vulnerability. According to Beaumont’s analysis, the vulnerability allows a maliciously crafted Word document to load HTML files from a remote web server and then execute PowerShell commands by hijacking the Microsoft Support Diagnostic Tool (MSDT), a program that typically collects information about crashes and other issues with Microsoft applications.

Microsoft has now acknowledged the vulnerability, officially designated CVE-2022-30190, although there are reports that earlier attempts to notify Microsoft of the same bug were dismissed.

According to Microsoft’s own security response blog, an attacker able to exploit the vulnerability could install programs; view, change or delete data; and even create new user accounts on a compromised system. So far, Microsoft has not released an official patch, but it has offered mitigations for the vulnerability, which involve manually disabling the URL protocol handling feature of the MSDT tool.

Due to the widespread use of Microsoft Office and related products, the potential attack surface for the vulnerability is large. Current analysis suggests that Follina affects Office 2013, 2016, 2019, 2021, Office ProPlus and Office 365. On Tuesday, the US Cybersecurity and Infrastructure Security Agency urged system administrators to implement Microsoft’s guidelines to mitigate exploitation.
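The mitigation described above amounts to unregistering the ms-msdt: URL protocol handler so that Office can no longer hand such a URL to MSDT. The following PowerShell script is an added example, not from the article or from Microsoft; it follows Microsoft’s published workaround of exporting and then deleting the HKEY_CLASSES_ROOT\ms-msdt key, and the backup directory is an assumption.

```powershell
# Added example: back up and remove the ms-msdt: protocol handler (Microsoft's
# documented workaround for CVE-2022-30190). Run from an elevated PowerShell session.
#Requires -RunAsAdministrator
param(
    [string]$BackupDir = "$env:ProgramData\msdt-mitigation"   # assumed backup location
)

$KeyPath = 'HKEY_CLASSES_ROOT\ms-msdt'            # reg.exe form of the key
$PsPath  = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'  # PowerShell provider form of the same key

function Test-MsdtHandler {
    # $true while the handler is still registered, i.e. the host is still exposed.
    return Test-Path -Path $PsPath
}

if (-not (Test-MsdtHandler)) {
    Write-Host "ms-msdt handler is not registered; nothing to do."
    return
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$BackupFile = Join-Path $BackupDir ("ms-msdt-{0}.reg" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))

# Export the key first so it can be restored with 'reg import' once a patch is installed.
& reg.exe export $KeyPath $BackupFile /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
    throw "Backup of $KeyPath failed; refusing to delete without a backup."
}

# Remove the handler; Office can no longer route ms-msdt: URLs to MSDT after this.
& reg.exe delete $KeyPath /f | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Failed to delete $KeyPath" }

if (Test-MsdtHandler) { throw "Handler still present after deletion." }
Write-Host "Removed $KeyPath; backup saved to $BackupFile"
Write-Host "To restore after patching: reg import `"$BackupFile`""
```

Re-running Test-MsdtHandler on a fleet gives a quick compliance check for which hosts still expose the handler.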
