Microsoft Office, Chinese hackers have already exploited the Follina vulnerability

While Italy resists the Killnet hack, a recently discovered vulnerability in Microsoft Office has already been exploited by Chinese hackers. This was revealed in a recent report by Proofpoint, a company specializing in IT security. The serious flaw allows a Word document to execute arbitrary code even when macros are disabled, and without the victim even needing to open the document.

Researchers say the hacker group TA413 exploited Follina to send malicious Word documents that appeared to come from the offices of the Central Tibetan Administration – the Tibetan government-in-exile based in Dharamsala, India.


Specifically, these are .zip files containing malicious Word documents: to disguise the attack, the hackers make the document appear to have been sent by the Tibetan Woman Empowerments Desk, using the Tibet-gov.web.app domain. Unfortunately, the group is well known: it is considered an advanced persistent threat, is believed to have direct links to the Beijing government, and has already targeted the Tibetan exile community in the past.

HOW FOLLINA WORKS

We started talking about Follina on 27 May, when the Nao Sec research group documented malicious code distributed through Microsoft Word documents that was used to execute commands via PowerShell (a system administration tool for the Windows operating system). Two days later, researcher Kevin Beaumont provided further details on the vulnerability, explaining that Follina allows a malicious Word document to load HTML files from a remote web server and then execute PowerShell commands through the Microsoft Support Diagnostic Tool (MSDT, a utility used to investigate crashes and other problems in Microsoft applications).
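As an added illustration (not from the original article or the Proofpoint report), the following Python script checks a .docx for the trait that makes this kind of document detectable: an OLE object relationship whose target is an external URL instead of a part inside the archive, or any target using the ms-msdt: scheme. The heuristic, the sample relationship parts and the placeholder URL are all constructed here for the example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type for an OLE object; in a benign document its Target is a part inside the archive.
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def find_suspicious_rels(docx_bytes: bytes) -> list:
    """Return (rels part, target) pairs for OLE relationships that point to a
    remote URL (TargetMode="External") or any target using the ms-msdt: scheme."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as archive:
        for name in archive.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(archive.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "").lower() == "external"
                remote = re.match(r"https?://", target, re.IGNORECASE) is not None
                if rel.get("Type") == OLE_REL and external and remote:
                    findings.append((name, target))
                elif target.lower().startswith("ms-msdt:"):
                    findings.append((name, target))
    return findings


def build_sample_docx(rels_xml: str) -> bytes:
    """Constructed stand-in for a .docx: a zip holding only the document rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed sample relationship parts; the URL is a placeholder, not a real indicator.
BENIGN_RELS = (
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/'
    '2006/relationships/styles" Target="styles.xml"/></Relationships>'
)
SUSPECT_RELS = (
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId5" Type="' + OLE_REL + '" '
    'Target="http://placeholder.invalid/page.html" TargetMode="External"/></Relationships>'
)

if __name__ == "__main__":
    print(find_suspicious_rels(build_sample_docx(BENIGN_RELS)))   # []
    print(find_suspicious_rels(build_sample_docx(SUSPECT_RELS)))
```

To scan a real file, pass `open(path, "rb").read()` to `find_suspicious_rels`; an external OLE target is worth quarantining and inspecting, while a hit is not by itself proof of exploitation.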

MICROSOFT HAS ACKNOWLEDGED THE BUG, BUT THE PATCH IS STILL NOT THERE

Microsoft has acknowledged the vulnerability (officially identified as CVE-2022-30190) and has provided a mitigation, namely manually disabling the MSDT URL protocol, but has not yet released a patch.

The Redmond company confirms that Follina could allow an attacker to install programs, access, modify or delete personal data, and even create new user accounts on the targeted systems. Speeding up the development of a patch is necessary, given the danger of the flaw and the number of potential victims: according to the researchers’ analyses, Follina affects Office 2013, 2016, 2019, 2021, Office Pro Plus and Office 365.

HOW TO MITIGATE THE EFFECTS

The main mitigation for the flaw is to disable the MSDT URL protocol, which can be done by following these steps:

  • Launch Command Prompt as Administrator
  • Back up the registry key with the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”. Note that “filename” is any name the user is free to choose.
  • Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”

To reactivate the protocol, simply open the Command Prompt again and execute the “reg import filename” command.
