Windows MSDT Zero-Day Vulnerability Now Exploited by Chinese APT Hackers

China-related threat actors are now actively exploiting a Microsoft Office zero-day vulnerability, known as “Follina,” to remotely execute malicious code on Windows systems.

This Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability (tracked as CVE-2022-30190) affects all Windows client and server platforms that are still receiving security updates (Windows 7 or later and Windows Server 2008 or later).

Shadow Chaser Group researcher crazyman, who first reported the zero-day vulnerability in April, said Microsoft initially flagged the flaw as “not a security related issue.” However, it later closed the vulnerability submission report as having a remote code execution impact.

Active use in the wild

The TA413 APT group, a hacking group linked to Chinese state interests, used this vulnerability to attack their favorite target, the international Tibetan community.

As Proofpoint security researchers observed on May 30, they are now exploiting CVE-2022-30190 through Word documents delivered in ZIP archives, which trigger the vulnerability when the document is opened or previewed.

Image: TA413 malicious Word document (Proofpoint)

“TA413 CN APT spotted ITW exploiting the Follina 0Day using URLs to deliver ZIP archives containing Word documents that use the technique,” enterprise security firm Proofpoint disclosed today.

“The campaign impersonates the ‘Women Empowerment Desk’ of the Central Tibetan Administration and uses the domain tibet-gov.web[.]app.”

Security researcher MalwareHunterTeam also found DOCX documents with Chinese filenames being used to install malicious payloads, detected as password-stealing Trojans, via http://coolrat[.]xyz.

Image: coolrat[.]xyz exploit (BleepingComputer)

Available mitigations

“An attacker who successfully exploited this vulnerability could run arbitrary code with the privileges of the calling application,” as Microsoft explained in a new guide released today, providing mitigations for administrators.

“The attacker could then install programs, view, change or delete data, or create new accounts in the context allowed by the user’s rights.”

You can prevent attacks that exploit CVE-2022-30190 by disabling the MSDT URL protocol, which malicious actors abuse to launch troubleshooters and execute code on vulnerable systems.

It is also recommended to disable the Preview pane in Windows Explorer, as this is another attack vector that can be exploited when a targeted user previews a malicious document.

Today, CISA is also urging administrators and users to disable the MSDT protocol on their Windows devices after Microsoft reported active exploitation of the vulnerability in the wild.
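The following PowerShell script is an added example (not part of the article or of Microsoft's guidance text) showing how an administrator can apply the MSDT URL protocol workaround described above in a reversible way: it backs up the ms-msdt handler key, removes it, and verifies the removal. The backup directory is an assumed location; run it from an elevated prompt.

```powershell
# Added example: disable the ms-msdt URL protocol handler (CVE-2022-30190 workaround)
# with a registry backup so the change can be reverted once a patch is installed.
$Key       = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupDir = 'C:\MSDT-Backup'   # assumed location; adjust for your environment
$Backup    = Join-Path $BackupDir ('ms-msdt-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

# Nothing to do if the handler is already absent (e.g. workaround already applied).
if (-not (Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt')) {
    Write-Host 'ms-msdt protocol handler is not registered; nothing to do.'
    return
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Export the key first; refuse to delete anything if the backup fails.
reg.exe export $Key $Backup /y
if ($LASTEXITCODE -ne 0) { throw "Backup of $Key failed; handler left in place" }

# 2. Remove the handler so an ms-msdt: URL embedded in a document no longer launches MSDT.
reg.exe delete $Key /f
if ($LASTEXITCODE -ne 0) { throw "Failed to delete $Key" }

# 3. Verify the scheme is really gone before reporting success.
if (Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt') {
    throw 'ms-msdt handler still present after deletion'
}
Write-Host "ms-msdt URL protocol disabled; backup saved to $Backup"
```

To undo the workaround after patching, import the saved file with `reg.exe import <backup path>`.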

The first CVE-2022-30190 attacks were discovered more than a month ago, using sextortion threats and an invitation to an interview with Sputnik as bait.
