Posted on June 4, 2022 at 7:38 AM
The Microsoft Office zero-day vulnerability reported in the wild this week has already been used in active attacks by Chinese state-sponsored threat actors.
The Chinese advanced persistent threat (APT) group known as TA413 has been seen masquerading as the Women’s Empowerment Desk of the Central Tibetan Administration, an office that deals with issues such as violence against women and gender equality. According to Proofpoint cybersecurity researchers, the new zero-day vulnerability allows code execution on fully patched applications.
The researchers revealed that the malicious files are delivered in a zip archive using URLs that impersonate the real Tibetan government, but they did not say what type of payload is being delivered.
The Vulnerability Is Tracked As CVE-2022-30190
The vulnerability, which abuses the MS-MSDT Uniform Resource Identifier (URI) protocol handler, is now tracked as CVE-2022-30190. The researchers noted that the bug works on all Microsoft Office versions; even Office 365, initially thought not to be affected, turned out to be susceptible.
Successful exploitation of the troubleshooting and diagnostic tool is known to result in the execution of malicious code on Windows systems, the report reveals.
The flaw has been dubbed Follina and rated high severity, with a CVSS score of 7.8. Specifically, the vulnerability lets attackers evade the Protected View safeguards for suspicious files by converting the document to a Rich Text Format (RTF) file, which allows the injected code to run through the Preview Pane in Windows File Explorer without the document ever being opened.
Although the vulnerability only got widespread attention last week, there is evidence that active exploitation began much earlier: it was discovered in the wild targeting Russian users over a month ago, which is when Microsoft was made aware of the bug.
When the tech giant was informed of the vulnerability, it did not treat it as a high-severity security issue at the time. Microsoft closed the submission report, stating that it would be difficult for hackers to execute payloads because the MSDT utility requires a passkey provided by a support technician.
How Users Can Prevent The Attack
The attack is designed to circumvent security software and stay under the radar while taking advantage of Microsoft Office’s remote template feature. In addition, the bug allows the ms-msdt protocol to execute malicious code without any need for macros.
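As an added example (not code from the article, Proofpoint or Microsoft), the PowerShell below flags the two artefacts this paragraph describes from a defender's side: a Word document whose settings relationships pull an external (remote) template, and a plain-text file, such as an RTF or the fetched template, that carries the ms-msdt: URI or an RTF remote-template control word. It builds a small constructed .docx in the temp directory to demonstrate; the file name and the example.invalid URL are placeholders, not real indicators.

```powershell
# Added detection example (not from the article or any vendor): heuristics for the
# remote-template delivery and the ms-msdt: URI described above.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-FollinaIndicators {
    param([Parameter(Mandatory)][string]$Path)
    $findings = @()
    $bytes = [System.IO.File]::ReadAllBytes($Path)

    # OOXML (.docx) is a ZIP container starting with "PK". A remote template is an
    # attachedTemplate relationship with TargetMode="External" in settings.xml.rels.
    if ($bytes.Length -ge 2 -and $bytes[0] -eq 0x50 -and $bytes[1] -eq 0x4B) {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try {
            $entry = $zip.GetEntry('word/_rels/settings.xml.rels')
            if ($null -ne $entry) {
                $reader = New-Object System.IO.StreamReader($entry.Open())
                try { [xml]$rels = $reader.ReadToEnd() } finally { $reader.Dispose() }
                foreach ($rel in $rels.SelectNodes('//*[local-name()="Relationship"]')) {
                    if ($rel.GetAttribute('TargetMode') -eq 'External' -and
                        $rel.GetAttribute('Type') -like '*/attachedTemplate') {
                        $findings += "remote template fetched from $($rel.GetAttribute('Target'))"
                    }
                }
            }
        } finally { $zip.Dispose() }
    }
    else {
        # RTF documents and the fetched HTML template are plain text: look for the
        # troubleshooter URI scheme and for an RTF remote-template control word.
        $text = [System.Text.Encoding]::ASCII.GetString($bytes)
        if ($text -match 'ms-msdt:') { $findings += 'ms-msdt: URI present' }
        if ($text -match '\\\*\\template\s+https?://') { $findings += 'RTF remote template' }
    }
    return $findings
}

# Constructed sample: a minimal .docx whose settings.xml.rels points at an
# external template (placeholder URL, not a real indicator).
$relsXml = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="http://example.invalid/template.html!" TargetMode="External"/>
</Relationships>
'@
$sample  = Join-Path ([System.IO.Path]::GetTempPath()) 'follina-sample.docx'
$stream  = [System.IO.File]::Create($sample)
$archive = New-Object -TypeName System.IO.Compression.ZipArchive -ArgumentList $stream, ([System.IO.Compression.ZipArchiveMode]::Create)
$writer  = New-Object System.IO.StreamWriter($archive.CreateEntry('word/_rels/settings.xml.rels').Open())
$writer.Write($relsXml)
$writer.Dispose()    # closes the entry
$archive.Dispose()   # writes the central directory
$stream.Dispose()

Get-FollinaIndicators -Path $sample   # reports the remote template target
Remove-Item $sample
```

Run against a mail-gateway quarantine or a sample directory, the function returns one line per indicator and nothing for a clean file; an external attachedTemplate relationship alone is not proof of malice (legitimate corporate templates use it), so treat a hit as a triage signal, not a verdict.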
Although no official patch is available at the moment, Microsoft said users can disable the MSDT URL protocol to block the attack vector. The tech giant also recommended that users turn off the Preview Pane in File Explorer.
Apart from assigning the zero-day a CVE identifier, Microsoft has also released a support document for Windows and Microsoft Office users, with instructions on how to quickly disable MSDT.
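The workaround Microsoft published removes the ms-msdt: URL protocol handler from the registry. The PowerShell below is an added example, not Microsoft's own script: it backs the handler key up, deletes it, verifies that the handler is gone, and can restore it later. The backup path is an assumption; run it from an elevated prompt.

```powershell
# Added example (not Microsoft's own script): apply, verify and revert the published
# workaround for CVE-2022-30190 by removing the ms-msdt: URL protocol handler, so a
# document can no longer hand a URI to the troubleshooter. Requires an elevated prompt.
$BackupFile = 'C:\Backup\ms-msdt-handler.reg'          # assumed location
$HandlerKey = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

function Disable-MsdtProtocol {
    if (-not (Test-Path $HandlerKey)) {
        Write-Host 'ms-msdt handler is already absent; nothing to do.'
        return
    }
    New-Item -ItemType Directory -Path (Split-Path $BackupFile) -Force | Out-Null
    # Export the key first so the handler can be restored once a patch is installed.
    reg.exe export HKEY_CLASSES_ROOT\ms-msdt $BackupFile /y | Out-Null
    reg.exe delete HKEY_CLASSES_ROOT\ms-msdt /f | Out-Null
}

function Test-MsdtProtocolDisabled {
    # $true when the handler key is gone, i.e. ms-msdt: links no longer resolve.
    return -not (Test-Path $HandlerKey)
}

function Restore-MsdtProtocol {
    # Reverts the workaround from the backup taken by Disable-MsdtProtocol.
    reg.exe import $BackupFile
}

Disable-MsdtProtocol
if (Test-MsdtProtocolDisabled) { 'ms-msdt protocol handler disabled' } else { 'handler still present' }
```

The second recommendation, turning off the Preview Pane, is a per-user setting toggled under File Explorer's View menu and is not covered by the script. Keep the exported .reg file: the handler should be restored with Restore-MsdtProtocol once a fix is installed, since removing it also breaks legitimate troubleshooter links.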
Microsoft Wanted To Re-Triage The Report
A security researcher at Immersive Labs, Nikolas Cemerikic, stated that “Follina” is different from other exploits because it doesn’t take advantage of Office macros. As a result, it can work in environments where macros have been disabled completely.
The only thing required for the exploit to work is for the user to open and view the Word document, or to preview it in the Windows Explorer Preview Pane. The latter makes it a zero-click attack, since Word doesn’t need to launch fully.
Hackers can also execute the code when the malicious document is saved in Rich Text Format (RTF). A researcher who goes by the alias crazyman, part of a bug-hunting group known as Shadow Chaser, initially discovered the flaw, which has since been assigned a CVE by Microsoft.
Crazyman also posted evidence of their report to Microsoft online, noting that the initial exploitation occurred more than a month ago, when it was used to target Russian-speaking users.
The vulnerability only sparked interest last week after Kevin Beaumont, a security professional formerly employed by Microsoft, commented on Microsoft’s feedback. According to him, Microsoft’s response sounded as though it did not want to dismiss the report, but wanted to re-triage it.
At the same time, a security researcher at Malwarebytes stated that a Russian-language maldoc sample had been seen in the wild, but the remote template it referenced was down at the time, so the sample could not be identified. Microsoft advised users to follow the workarounds it provided on its website.