Unofficial Micropatch for Follina Released as Chinese Hackers Exploit the 0-day
The Follina vulnerability was originally discovered after a malicious Microsoft Word document was uploaded on VirusTotal from a Belarus IP address.
On Thursday, May 30th, Hackread.com warned about the likelihood of a dangerous Microsoft zero-day flaw dubbed Follina being exploited in the wild. According to the latest reports, Chinese hackers have already started using it.
What is Follina?
Follina is a Microsoft Office flaw tracked as CVE-2022-30190. This vulnerability was discovered in May 2022 by researcher Kevin Beaumont in Microsoft Support Diagnostic Tool (MSDT).
According to the researcher, the exploit is triggered when the victim opens a malicious document. The Protected View feature is designed to stop untrusted files from executing content when they are opened. In the case of Follina, however, the file can be rendered in the Explorer preview pane, so Protected View is never triggered while the exploit executes.
Threat actors can exploit this vulnerability to escalate privileges and obtain “god mode” access to the impacted system. Office Pro Plus, Office 2013, Office 2016, Office 2019, and Office 2021 were impacted by the flaw.
Chinese APT Group Exploiting Follina
This newly identified zero-day already has its first exploiters. Exploitation of Follina is suspected to have started in April 2022, with Russian and Indian users becoming the prime targets of fake interview requests, extortion, and other attacks.
The latest information comes from Proofpoint, which reports that a threat actor identified as TA413 has exploited this flaw in attacks targeting the Tibetan community. This actor was previously associated with China and had been attacking Tibetan entities for several years.
In one of its attacks in 2021, the group was caught using a malicious Firefox extension to phish Gmail credentials to spy on Tibetan activists. In the latest, the group used Central Tibetan Administration’s Women Empowerment Desk as a lure in the attacks involving Follina.
“TA413 CN APT spotted ITW exploiting the Follina 0Day using URLs to deliver Zip Archives which contain Word Documents that use the technique.”
Proofpoint researchers on Twitter
Furthermore, the SANS Institute detected a document exploiting Follina to deliver malware. The file was written in Chinese, and its translation read: “Mobile phone room to receive orders – channel quotation – the lowest price on the whole network.”
Screenshot of a blog post titled “First Exploitation of Follina Seen in the Wild” on the SANS website published by Xavier Mertens, a freelance security consultant based in Belgium
MalwareHunterTeam has also discovered .docx files bearing Chinese filenames that install infostealers through coolratxyz. The HTML file is padded with junk for obfuscation and contains a script that downloads and executes the payload.
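The delivery pattern described above, a Word document that pulls a remote HTML page which then invokes the MSDT protocol handler, can be checked for on the defender's side. The following scanner is an added, constructed example, not code from the article, Proofpoint, SANS or MalwareHunterTeam; the sample documents it builds and the example.invalid URL are constructed placeholders.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OPC relationship namespace: an Office package declares external links here.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship kinds Word normally resolves locally; an HTTP target means a network fetch on open.
SUSPECT_REL_TYPES = {"attachedTemplate", "oleObject"}
# Protocol handler the fetched HTML invokes in the Follina chain (CVE-2022-30190).
MSDT_SCHEME = re.compile(r"ms-msdt\s*:", re.IGNORECASE)

def external_targets(docx_bytes):
    """List (relationship type, target) for every external relationship in the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode") == "External":
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((kind, rel.get("Target", "")))
    return found

def remote_template_links(docx_bytes):
    """External targets that match the Follina delivery pattern (remote HTTP template/OLE)."""
    return [(k, t) for k, t in external_targets(docx_bytes)
            if k in SUSPECT_REL_TYPES and t.lower().startswith(("http://", "https://"))]

def html_invokes_msdt(html):
    """True if the HTML, junk padding included, references the ms-msdt: handler."""
    return MSDT_SCHEME.search(html) is not None

def build_docx(settings_rels_xml):
    """Constructed minimal .docx, used only to exercise the scanner offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/_rels/settings.xml.rels", settings_rels_xml)
    return buf.getvalue()

# Constructed samples: a local template reference (benign) and a remote HTTP one.
BENIGN = build_docx('<Relationships xmlns="%s"><Relationship Id="rId1" Type="%sattachedTemplate" '
                    'Target="Normal.dotm"/></Relationships>' % (REL_NS, OFFICE_REL))
REMOTE = build_docx('<Relationships xmlns="%s"><Relationship Id="rId1" Type="%sattachedTemplate" '
                    'TargetMode="External" Target="http://example.invalid/t.html"/></Relationships>' % (REL_NS, OFFICE_REL))
```

A remote template link alone is not proof of Follina (legitimate templates can live on intranet servers), so pair the document check with the HTML check on whatever the link fetches.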
Free Micropatches for the “Follina” by 0Patch
0Patch, a Maribor, Slovenia-based IT security firm, has issued free but unofficial micropatches addressing the Follina vulnerability. For details on how to apply these micropatches, see the blog post published by 0Patch’s Mitja Kolsek.
Furthermore, the company has also released a YouTube video demonstrating how its micropatch detects and blocks attempts at exploiting the “Follina” 0day.
Meanwhile, CISA (Cybersecurity and Infrastructure Security Agency) is advising users to follow the “Workaround Guidance” for the Follina vulnerability issued by Microsoft on May 30, 2022.
Microsoft Knew About the Flaw in April!
Interestingly, Microsoft has been aware of the flaw since April, but a patch has not arrived. Reportedly, the tech giant was notified by a member of Shadow Chaser Group, a team that focuses on APT inspection and detection.
Microsoft claims that the researcher who warned the organization about the flaw didn’t consider it a security-related problem. However, the researchers had already seen a sample being exploited in the wild.
On May 27th, researcher Kevin Beaumont shared details of the vulnerability in his blog post after which the company assigned it a CVE and issued mitigation guidance until the arrival of official patches.