China linked hackers are exploiting a new vulnerability in Microsoft Office

A newly discovered vulnerability in Microsoft Office is already being exploited by hackers linked to the Chinese government, according to threat analysis research from security firm Proofpoint.

Details shared by Proofpoint on Twitter suggest that a hacking group labeled TA413 was using the vulnerability (named “Follina” by researchers) in malicious Word documents purported to be sent from the Central Tibetan Administration, the Tibetan government in exile based in Dharamsala, India. The TA413 group is an APT, or “advanced persistent threat,” actor believed to be linked to the Chinese government and has previously been observed targeting the Tibetan exile community.

In general, Chinese hackers have a history of using software security flaws to target Tibetans. A report published by Citizen Lab in 2019 documented extensive targeting of Tibetan political figures with spyware, including through Android browser exploits and malicious links sent through WhatsApp. Browser extensions have also been weaponized for the purpose, with previous analysis from Proofpoint uncovering the use of a malicious Firefox add-on to spy on Tibetan activists.

The Microsoft Word vulnerability first began to receive widespread attention on May 27th, when a security research group known as Nao Sec took to Twitter to discuss a sample submitted to the online malware scanning service VirusTotal. Nao Sec’s tweet flagged the malicious code as being delivered through Microsoft Word documents, which were ultimately used to execute commands through PowerShell, a powerful system administration tool for Windows.

In a blog post published on May 29th, researcher Kevin Beaumont shared further details of the vulnerability. Per Beaumont’s analysis, the vulnerability let a maliciously crafted Word document load HTML files from a remote webserver and then execute PowerShell commands by hijacking the Microsoft Support Diagnostic Tool (MSDT), a program that usually collects information about crashes and other problems with Microsoft applications.

Microsoft has now acknowledged the vulnerability, officially titled CVE-2022-30190, although there are reports that earlier attempts to notify Microsoft of the same bug were dismissed.

According to Microsoft’s own security response blog, an attacker able to exploit the vulnerability could install programs, access, modify, or delete data, and even create new user accounts on a compromised system. So far, Microsoft has not issued an official patch but offered mitigation measures for the vulnerability that involve manually disabling the URL loading feature of the MSDT tool.

Due to the widespread use of Microsoft Office and related products, the potential attack surface for the vulnerability is large. Current analysis suggests that Follina affects Office 2013, 2016, 2019, 2021, Office ProPlus, and Office 365; and, as of Tuesday, the US Cybersecurity and Infrastructure Security Agency was urging system administrators to implement Microsoft’s guidance for mitigating exploitation.

Related Posts

Nomad crypto bridge loses $200 million in chaotic hack

After a few quiet months, it’s happened again: another blockchain bridge hack with losses in the hundreds of millions of dollars. Nomad, a cryptocurrency bridge that lets…

US federal courts were reportedly hit by another data breach

The federal courts’ document system was hit by a breach with a “startling breadth and scope” in early 2020, according to a report from Politico that cites…

Google like Amazon may let police see your video without a warrant

Arlo, Apple, Wyze, and Anker, owner of Eufy, all confirmed to CNET that they won’t give authorities access to your smart home camera’s footage unless they’re shown…

Now Microsoft Office is blocking macros by default

There’s been a bit of back and forth since the change was originally announced, but this week Microsoft started rolling out an update to Microsoft Office that…

Romanian hacker faces US trial over virus for hire service

The Department of Justice (DOJ) announced today that it had extradited dual Romanian / Latvian national Mihai Ionut Paunescu — known as “Virus” — to the US…

Hacker accesses a Verizon employee database and tries to ransom the data for $250,000

Verizon is dealing with an incident where a hacker captured a database containing company employee data, including the full names of workers as well as their ID…

Leave a Reply

Your email address will not be published.

Adblock Detected

Please consider supporting us by disabling your ad blocker

Refresh Page
x