Experts have warned that Chinese hackers are already actively exploiting a 0-day vulnerability in Microsoft Office known as Follina to remotely execute malicious code on vulnerable systems.
Recall that Follina became public only a few days ago, although researchers had first reported the bug back in April 2022, when Microsoft declined to treat it as a security issue. The vulnerability is now tracked as CVE-2022-30190. It can be triggered simply by opening a Word document, or even by previewing one in File Explorer: the document invokes the Microsoft Support Diagnostic Tool (MSDT) through its ms-msdt: URI handler, and MSDT then runs attacker-supplied PowerShell commands.
The bug affects all versions of Windows that receive security updates, that is, Windows 7 and later, as well as Server 2008 and later.
Recall that we also wrote about the Lapsus$ hacker group stealing the source code of Microsoft products.
Experts had already described the discovery of Follina as a very worrying signal, because it opens a new attack vector through Microsoft Office: the bug works without elevated privileges, bypasses Windows Defender, and does not require macros to be enabled in order to run binaries or scripts.
According to Proofpoint, the Chinese state-sponsored group TA413 has already adopted Follina, aiming its attacks at the international Tibetan community.
The attackers send victims ZIP archives containing malicious Word documents that exploit CVE-2022-30190. The decoys pose as messages from the Central Tibetan Administration and use the domain tibet-gov.web[.]app.
The well-known security researcher MalwareHunterTeam also reports finding DOCX documents with Chinese file names that deliver payloads, including password-stealing malware, via the domain http://coolrat[.]xyz.
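As an added example (not code from the article, Proofpoint, or MalwareHunterTeam), here is a PowerShell triage check for Word documents of the kind described above. A .docx is a ZIP archive of XML parts, and the publicly analysed Follina documents fetched their payload through an OLE-object relationship in word/_rels/document.xml.rels whose Target is an external http(s) URL. The function below lists every relationship in a document that points to a remote URL and rates OLE-object ones as high severity; the quarantine folder path is an assumption.

```powershell
# Triage check for Word documents that load remote content, the delivery path used
# by the Follina (CVE-2022-30190) documents: a relationship in word/_rels/*.rels
# with TargetMode="External" and an http(s) Target.
# Added example for this article; not code from the article, Proofpoint or Microsoft.

Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-RemoteRelationships {
    param([Parameter(Mandatory)][string]$Path)

    $findings = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        # Every .rels part under word/ can carry relationships; document.xml.rels is the usual one.
        $relsParts = $zip.Entries | Where-Object { $_.FullName -like 'word/*_rels/*.rels' }
        foreach ($entry in $relsParts) {
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { [xml]$rels = $reader.ReadToEnd() } finally { $reader.Dispose() }

            foreach ($rel in $rels.Relationships.Relationship) {
                $isExternal = $rel.TargetMode -eq 'External'
                $isHttp     = $rel.Target -match '^https?://'
                $isOle      = $rel.Type -like '*/oleObject'
                if (-not ($isExternal -and $isHttp)) { continue }

                # Remote OLE objects are the Follina pattern; other remote targets
                # (attached templates, hyperlinks) still deserve a look.
                $severity = if ($isOle) { 'High' } else { 'Medium' }
                $findings += [pscustomobject]@{
                    File     = $Path
                    Part     = $entry.FullName
                    RelType  = ($rel.Type -split '/')[-1]
                    Target   = $rel.Target
                    Severity = $severity
                }
            }
        }
    } finally { $zip.Dispose() }
    return $findings
}

# Usage: scan every .docx extracted from a quarantined ZIP archive.
# The folder path is an assumption; point it at your own quarantine location.
Get-ChildItem -Path 'C:\Quarantine\extracted' -Filter *.docx -Recurse |
    ForEach-Object { Get-RemoteRelationships -Path $_.FullName } |
    Format-Table -AutoSize
```

The check reads the archive in place rather than opening the document in Word, so it is safe to run on a suspect file. A remote OLE-object target is a strong indicator; a remote attached template is a classic template-injection sign and is worth triaging even though it is not the Follina path.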
Since there is no patch for Follina yet, administrators and users can block attacks on CVE-2022-30190 by unregistering the ms-msdt: URI protocol handler, which is what the exploit uses to launch MSDT and run its commands on vulnerable systems. It is also advisable to turn off the preview pane in Windows Explorer, since the attack can be triggered by previewing a file as well.
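The handler workaround, as an added PowerShell example following Microsoft's published steps (export the key, then delete it); this is not code from the article or from Microsoft. It must be run from an elevated session, and the backup path is an assumption.

```powershell
# Workaround for CVE-2022-30190 while no patch is available: unregister the ms-msdt:
# URI handler so Office and Explorer can no longer hand a crafted link to MSDT.
# Added example for this article, following Microsoft's published mitigation
# (export the key, then delete it). Run elevated. The backup path is an assumption.

$BackupPath = 'C:\Backup\ms-msdt.reg'
$Key        = 'HKEY_CLASSES_ROOT\ms-msdt'

function Disable-MsdtHandler {
    New-Item -ItemType Directory -Path (Split-Path $BackupPath) -Force | Out-Null

    # 1. Keep a copy so the handler can be restored once the patch is installed.
    reg.exe export $Key $BackupPath /y
    if ($LASTEXITCODE -ne 0) { throw "Backup of $Key failed; aborting without changes." }

    # 2. Remove the protocol registration (the key and all of its subkeys).
    reg.exe delete $Key /f
    if ($LASTEXITCODE -ne 0) { throw "Deleting $Key failed." }
}

function Restore-MsdtHandler {
    # Re-register the handler from the backup after the fix has been applied.
    reg.exe import $BackupPath
}

function Test-MsdtHandlerDisabled {
    # True only when the protocol key is gone, i.e. the mitigation is effective.
    -not (Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt')
}

Disable-MsdtHandler
Test-MsdtHandlerDisabled
```

Test-MsdtHandlerDisabled returns True once the key has been removed, which is the state to confirm on every machine you apply this to; Restore-MsdtHandler reverses the change from the exported backup. Disabling the Explorer preview pane is a separate per-user Explorer setting and is not covered by this script.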