By Jon Munshaw. 
Welcome to this week’s edition of the Threat Source newsletter. 
Many of you readers may be gearing up for a West Coast swing over the next few weeks through San Francisco and Las Vegas for RSA and Cisco Live, respectively. And we’re right behind you!  
Talos...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_By Jon Munshaw._ 

Welcome to this week’s edition of the Threat Source newsletter. 

Many of you readers may be gearing up for a West Coast swing over the next few weeks through San Francisco and Las Vegas for RSA and Cisco Live, respectively. And we’re right behind you!  

Talos will have plenty of representation at both conferences, including giving lightning talks at the Cisco Secure booth, several features talks and spots, live podcast recordings, and more. To get you ready for RSA, I wanted to highlight a few special things we’re doing at the conference you should know about before you go.  

As always, you can keep posted on our latest plans and talk schedule by following us on Twitter. 

**Main booth** 

Stop by the main Talos and Cisco Secure booth at Moscone North Hall to say hi, ask questions and get the latest information on what we’re up to. 

At the booth, we’ll be premiering a new video series and giving out some of our newest stickers created in the image of our favorite malware “mascots.” Everyone will be jealous if you have one of these on your laptop. 

**Evolving Your Defense: Making Heads or Tails of Threat Actor Trends** 

Nick Biasini and Pierre Cadieux are hosting our sponsored session on June 7 at 9:40 a.m. PT. In this talk, they’ll be breaking down the latest threat actor tactics, techniques and procedures and telling you which ones you should be worried about and what can be ignored. 

**Beers with Talos/Security Stories** 

We’re hosting two live podcasts back-to-back at the Marriott Marquis: Sierra C ballroom from 2 – 5 p.m. PT on June 7. Security Stories and Beers with Talos are getting together to play a game of “Would I lie to you?”  

Talos’ vice president, Matt Watchinski, will be on hand for both episodes, along with other special guests.  

The Beers with Talos episode will cover Talos’ work in Ukraine, and we’ll hear from the audience about their hottest security takes.  

**The one big thing **

A recently discovered zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) made headlines over the past few days. CVE-2022-30190, also known under the name "Follina," exists when MSDT is called using the URL protocol from an application, such as Microsoft Office, Microsoft Word or via an RTF file. An attacker could exploit this vulnerability to gain the ability to run arbitrary code on the targeted system. 

  

> **Why do I care? **
> 
> If an attacker were to successfully exploit this vulnerability, they could execute remote code on the targeted machine. Needless to say, that’s bad. This is just the latest in a string of Microsoft vulnerabilities to make headlines over the past 12 months, including PrintNightmare and multiple Exchange Server issues. If those cases have taught us anything, it’s that attackers aren’t afraid to look for vulnerable Microsoft products to try and gain a foothold on a targeted network or machine.  
> 
> **So now what? **Although a patch hasn't been released yet, Microsoft has provided workarounds and Windows Defender protections for the CVE and malware exploiting this vulnerability. Cisco Talos has also released coverage to protect against this vulnerability, including multiple Snort rules and a ClamAV signature.   

**Other news of note**

Costa Rica’s government was hit with another ransomware attack, this time from the Hive group. Hive took down the country’s health department’s online services earlier this week, adding to the problems Costa Rica is facing after Conti launched a ransomware attack in May. Security experts say there is evidence that Conti and Hive may be working together to extort the Costa Rican government. This is all going on as the Conti group claims it’s shutting down and splitting up into smaller groups. The Hive operators have not yet declared a ransom amount. (Bleeping Computer, Krebs on Security, CSO Online) 

The U.S. Department of Justice seized three domains associated with selling and collecting stolen and leaked personal information. Authorities said the sites, WeLeakInfo, IPStress and OVH Booster all assisted attackers in carrying out denial-of-service attacks. In 2020, the DoJ seized very similar domains, including “weleakinfo.com,” which at the time, offered users the ability to “review and obtain the personal information illegally obtained in over 10,000 data breaches.” (Recorded Future, Department of Justice) 

The FBI recently thwarted an attempted cyber attack on a Boston children’s hospital, according to the agency’s director. Chris Wray, speaking at an event in Boston, received intelligence last summer ahead of time that allowed the agency to stop what he called “one of the most despicable cyberattacks I've seen.” Wray added that the attack came from an Iranian state-sponsored actor. The same hospital faced similar attacks in 2014 and 2019, he said. (ABC News, NBC 10 Boston) 

**Can’t get enough Talos? **

*   Researcher Spotlight: Martin Lee, EMEAR lead, Talos Strategic Communications
*   Threat Roundup for May 20 - 27
*   Talos Takes Ep. #98: Maybe don't panic about that F5 BIG-IP vulnerability

  

**Upcoming events where you can find Talos ****REcon (June 3 – 5, 2022)  
Montreal, Canada ****RSA 2022 (June 6 – 9, 2022)  
San Francisco, California ****Cisco Live U.S. (June 12 – 16, 2022)  
Las Vegas, Nevada ****Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  **MD5:** 93fefc3e88ffb78abb36365fa5cf857c  **Typical Filename:** Wextract    
**Claimed Product:** Internet Explorer    
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

**SHA 256:** 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645    **MD5:** 2c8ea737a232fd03ab80db672d50a17a    **Typical Filename:** LwssPlayer.scr      
**Claimed Product:** 梦想之巅幻灯播放器      
**Detection Name:** Auto.125E12.241442.in02    

**SHA 256:** 4b34e3637fa7af93ab628ae5adad2c7f3464053316963297844324a4f649a206   
**MD5:** 3632f27604f5a82cf73b9ade710a1656  **Typical Filename:** mediaget\_installer\_467.exe    
**Claimed Product:** N/A    
**Detection Name:** FileRepPup:MediaGet-tpd  

**SHA 256:** a9f7d7525aad1c7007ae9d1d3fc531a1065b28225c5b7efb7347aaf77d9aba92    
**MD5:** 8f90e544a48d75f42f9d44811320689c   **Typical Filename:** tata communications wholesale retai lpak ncl ethopia napal spice srilanka bd cli bangladesh.wsf    
**Claimed Product:** N/A     
**Detection Name:** Xml.Dropper.Valyria::100.sbx.vioc  

**SHA 256:** 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5   **MD5:** 8c80dd97c37525927c1e549cb59bcbf3   **Typical Filename:** Eternalblue-2.2.0.exe     
**Claimed Product:** N/A     
**Detection Name:** Win.Exploit.Shadowbrokers::5A5226262.auto.talos

Threat Source newsletter (June 2, 2022) — An RSA Conference primer

OS Command Injection vulnerability in es128 ssl-utils 1.0.0 for Node.js allows attackers to execute arbitrary commands via unsanitized shell metacharacters provided to the createCertRequest() and the createCert() functions.

From time to time, our security researchers find zero-day vulnerabilities in open source projects. When this happens, we inform the relevant maintaners of the package and publish our findings here only after they’ve been remediated, or when a patch is available.

CVE-2021-34080: Checkmarx Advisory

lifion-verify-dependencies through 1.1.0 is vulnerable to OS command injection via a crafted dependency name on the scanned project's package.json file.

CVE-2021-34078: Checkmarx Advisory

OS Command Injection vulnerability in bbultman gitsome through 0.2.3 allows attackers to execute arbitrary commands via a crafted tag name of the target git repository.

CVE-2021-34081: Checkmarx Advisory

OS command injection vulnerability in Turistforeningen node-s3-uploader through 2.0.3 for Node.js allows attackers to execute arbitrary commands via the metadata() function.

CVE-2021-34084: Checkmarx Advisory

Although organizations should perform proper risk analysis and patch as soon as practical after there's a fix for this vulnerability, defenders still have options before that's released.

On May 27, 2022, researchers from Japan-based nao\_sec identified a malicious document in a commercial malware repository, dubbed "Follina," that revealed the document employed a novel technique to achieve code execution. \[Note: Read Dark Reading's earlier coverage on Follina.\] While referencing a remote object, similar to techniques like template injection, the document retrieves the following URL:

_hXXps://www.xmlformats\[.\]com/office/word/2022/wordprocessingDrawing/RDF842l.html!_

When still active, the URL hosted content that included follow-on code to execute PowerShell via an explicit call to the application "ms-msdt":

    

MSDT is a diagnostic tool included in Windows. As shown above, MSDT can be used to parse and execute code, such as PowerShell, and can be called through parsing a malicious resource. Abuse of MSDT isn't new, as the technique previously has been documented among known "living off the land" binary (LOLBins) abuse. However, its use via a URL redirection called from Microsoft Office was previously unknown, expanding scope of potential MSDT abuse to remote mechanisms.

Since initial reporting, Microsoft issued CVE-2022-30190 to cover this remote code execution (RCE) possibility within MSDT when called through another application. While a patch for this vulnerability has not yet been released, several mitigation strategies exist (covered in greater detail below).

As of this writing, actual abuse of this technique appears to be limited, but with examples dating back to as early as April 2022. Public disclosure and researcher notes identify only a few instances of malicious use of MSDT via Microsoft Office applications. However, since public identification, multiple proofs of concept for this technique emerged, and Gigamon Applied Threat Research (ATR) anticipates that multiple threat actors will soon incorporate this technique into operations.

**Impact**

At present, the impact of CVE-2022-30190 is largely notional given lack of identified widespread use by threat actors. Once this technique is absorbed into existing actor toolkits, however, circumstances will change, with the potential for use by multiple threat actors. On initial discovery, endpoint detection and response (EDR) solutions appeared largely blind to this execution mechanism, but as of this writing that is rapidly changing across multiple vendors and products. Furthermore, as explained in guidance from Microsoft, MSDT's capability to launch items as links can be disabled via changes to the Windows Registry, removing this intrusion vector (with the potential for unforeseen or undesired consequences) until a true patch is available.

More importantly, while much initial discussion focused on the Office mechanism for triggering this issue, CVE-2022-30190 is application-agnostic in functionality, which centers on passing code to MSDT for execution. While Office represents an obvious mechanism to reach this application through delivery of a document via phishing or malicious link, any mechanism of launching MSDT will work to enable follow-on RCE such as a malicious LNK file or via the implementation of "wget" in Windows. The Office route presents just one of many potential avenues for exploitation, with other possibilities of MSDT abuse publicly documented.

For defenders and end users, the risk is therefore not just a new malicious Office delivery vector but, rather, abuse of an internal Windows component (MSDT) for code execution via multiple potential vectors. As such, certain mitigations (such as stopping all child processes from Office applications) represent only partial fixes to one aspect of the problem. To appropriately determine the scope and risk of this scenario, defenders must orient how MSDT abuse, irrespective of vector, applies to adversary operations.

**Orienting to Adversary Operations**

As documented thus far, MSDT is leveraged in early phases of adversary operations as an initial access mechanism to victim machines. As noted by other researchers, MSDT abuse via Office results in follow-on execution with the same privileges as the active user. This is helpful if victims are running as unprivileged users, but given the wealth of mechanisms available to elevate privileges in Windows environments, this limitation would appear to be easily overcome by most adversaries.

However, even if an adversary can access and elevate privileges to a victim device, this specific action represents only one, relatively early step in the overall adversary life cycle, or "kill chain." Appropriately leveraging this vulnerability still requires follow-on actions, including command and control (C2) and lateral movement activity, that present options to defenders for identifying adversary operations. Furthermore, there are precursor actions to code execution via MSDT that defenders can leverage to identify suspicious behaviors leading to exploitation.

Overall, CVE-2022-30190 represents a concern, but only one of many potential avenues available to adversaries to achieve initial code execution in victim environments. By properly understanding how adversaries employ this technique and what are necessary pre- and post-exploit actions to achieve adversary objectives, defenders can begin identifying detection, response, and hunting strategies that work against multiple potential intrusion vectors.

**Detection and Mitigation Possibilities**

1.  **Focus on patching and host-based responses.** The initial security community focus for MSDT abuse mitigation focused on patching (or the inability to do so) and host-based responses. As a host-focused exploitation mechanism, such an approach appears reasonable, and patching will be the most effective way of addressing this specific security issue. Additionally, process parent-child relationship monitoring (or outright blocking) can significantly reduce attack surface by preventing entire categories of intrusion, such as Office or MSDT spawning child processes. Specifically unregistering the URI handler for MSDT in the Windows Registry, as outlined by Microsoft and security researchers, may also temporarily address the issue.
2.  **Look for pre- and post-exploitation activity.** As noted in the previous section though, defenders should strive for detections and mitigations that can apply irrespective of specific exploits by looking at required adversary actions pre- and post-exploitation. For example, in the case of CVE-2022-30190, current delivery mechanisms focus on Office implementations. Likely future implementations will probably expand to other file formats commonly distributed via email or malicious websites, such as LNK files, self-extracting archives, and optical disk images. Identifying and increasing visibility over these distribution pathways, limiting exposure to unknown or untrusted vectors, and similar actions may thus reduce attack surface against multiple types of delivery mechanisms that can be used for payloads beyond MSDT exploitation.
3.  **Identify potential C2 or lateral movement mechanisms**. Post-exploitation, various opportunities exist for identifying C2 or lateral movement mechanisms even if initial exploitation is missed. Following initial access, threat actors will in most cases need to migrate to other areas of the network: repositories of intellectual property or sensitive information, or critical network infrastructure such as domain controllers. The actions required to do so — such as enumerating Active Directory or remote process execution — present opportunities even without host monitoring to identify adversary operations.
4.  **Identify and classify network assets.** Further actions, such as identifying and (if possible) classifying newly observed network items (IP addresses and domain names) may allow for disclosure of unique C2 items. Where appropriate asset identification is enabled, identifying odd network traffic to new, unusual remote resources can further enable defenders to catch and categorize potentially malicious activity. Identifying unusual traffic based on User Agent strings when visible — such as a PowerShell-based User Agent string retrieving an executable file based on file MIME type or extension, as seen in the initial CVE-2022-30190 example — can further enhance visibility into insecure or undesirable network behaviors.

Overall, a variety of options remain available to network defenders even if the actual exploitation of a new, potentially unknown (or "zero-day") vulnerability takes place. Understanding one's own network and its characteristics combined with sufficient visibility into network and host behaviors allows defenders to ask (and answer) questions concerning activities of interest to flag the necessary preconditions and follow-on actions adhering to vulnerability exploitation. While not necessarily easy in all cases, proper investment in resources and people will allow organizations to achieve a redundant security posture capable of catching zero-day exploitation, supply chain intrusions, or state-sponsored attacks.

**Conclusion**

Software and application vulnerabilities are a continuous and ongoing problem in the information security space. CVE-2022-30190 represents just another example of such vulnerabilities that have the potential to facilitate adversary operations. While organizations should perform proper risk analysis and patch as soon as practical once there's a fix for this vulnerability, defenders are not lost prior to release.

Instead, by understanding how adversaries leverage exploits as part of the intrusion life cycle, defenders and network owners can structure detections and defense so that they are agnostic to specific vulnerabilities. Rather than continuously chasing specific weaknesses as they appear over time, such as specific defenses around CVE-2022-30190 weaponization, defenders can structure operations to look for necessary precursors to exploit development (reconnaissance, delivery) or required follow-on actions to achieve objectives (C2, lateral movement).

In building defense and response this way — focused on core behaviors and adversary dependencies — defenders can build a more sustainable security posture that can adapt to future, yet-to-be-discovered vulnerabilities along with current, known tradecraft. Through layering behavior-based detections along with patching, signatures, and other items, defenders can achieve the requisite defense-in-depth necessary to adapt to a dynamic threat environment, without relying on single-point-of-failure defenses easily evaded by capable adversaries.

Fighting Follina: Application Vulnerabilities and Detection Possibilities

Industry-first report finds zero trust segmentation eliminates 5 cyber disasters per year and saves $20+ million annually.

**Sunnyvale, CA — June 1, 2022 —**  Illumio, Inc., the Zero Trust Segmentation company, today released The Zero Trust Impact Report, the industry’s first research on market perspectives of Zero Trust strategies and the business impact of Segmentation technology. Conducted by The Enterprise Strategy Group (ESG), which surveyed 1,000 IT and security professionals in eight countries, the report discovered that 47 percent of security leaders do not believe they will be breached despite increasingly sophisticated and frequent attacks, broad adoption of Zero Trust technologies, and the proven business and security impact of Zero Trust Segmentation, which isolates workloads and devices across the hybrid attack surface to stop breaches from spreading. Key findings include:

*   **Severity and Frequency of Attacks Are Still Rising:** In the past two years alone, more than three-quarters of organizations surveyed (76 percent) have been attacked by ransomware and two-thirds (66 percent) have experienced at least one software supply chain attack. More than half (52 percent) believe cyberattacks will result in catastrophic breaches.
*   **Zero Trust is Now the Standard:** 90 percent state that advancing Zero Trust strategies is one of their top three security priorities this year as a way to improve cyber resiliency and reduce the rising threat of attacks turning into disasters.
*   **Segmentation is a Critical Pillar of Every Zero Trust Strategy:** 75 percent of segmentation pioneers, those who are classified as advanced users, believe purpose-built segmentation tools are critical to Zero Trust and 81 percent say segmentation is an important technology to Zero Trust.
*   **Zero Trust Segmentation Has a Quantifiable Business Impact:** Organizations that have adopted Zero Trust Segmentation as part of their Zero Trust strategy save an average of $20.1 million in application downtime, avert 5 cyber disasters per year, and plan to accelerate 14 more digital and cloud transformation projects over the next year.

“Catastrophic breaches keep happening despite another year of record cybersecurity spending. Money will not make the problem go away until security leaders move beyond the legacy approach to only focus on detection and perimeter protection,” said PJ Kirner, Illumio co-founder and CTO. “I’m shocked that nearly half of those surveyed in The Zero Trust Impact Report do not think a breach is inevitable, which is the guiding principle for Zero Trust, but I am encouraged by the hard business returns Zero Trust and Segmentation deliver. Zero Trust Segmentation is emerging as a true market category that is transforming business operations and strengthening cyber resiliency.”

**Attacks Abound in a Hyperconnected World**

Hyperconnectivity created by digital transformation has expanded the attack surface and exposed organizations to risks never faced before. While respondents have significant concerns about many attack types, supply chain, zero-day, and ransomware attacks top the list.

*   Respondents say software supply chain attacks (48 percent), zero-day exploits (46 percent) and ransomware attacks (44 percent) are the three threats that keep them up at night.
*   More than one-third of respondents (36 percent) have been the victims of a successful ransomware attack over the past two years.
*   82 percent of respondents who were victims of a successful attack paid a ransom (42 percent paid ransom directly; 40 percent paid via cyber insurance) with the average ransom netting $495,000.

**Organizations Must Assume Breach and Adopt Zero Trust**

A Zero Trust approach, rooted in an assume breach mindset, is the modern strategy to reduce risk and increase cyber resiliency. 52 percent of security teams believe that their organization is ill-prepared to withstand the cyberattacks to come (22 percent say a breach would “definitely” result in business disaster; 30 percent say it “probably” would be a disaster), but Zero Trust adoption is rising fast:

*   Nine in ten (90 percent) report Zero Trust is one of their top three cybersecurity priorities, and 33 percent say Zero Trust is their top cybersecurity priority.
*   39 percent of all security spending over the next 12 months is earmarked to advance Zero Trust initiatives.
*   Segmentation pioneers are nearly twice as likely to be able to stop breaches from spreading than peers who do not fully utilize segmentation (81 percent vs. 45 percent).  
    

A whopping 96 percent of buyers prefer technologies with best-of-breed capabilities as opposed to broad platforms. 75 percent of segmentation pioneers believe purpose-built segmentation tools are critical to Zero Trust.

**You Cannot Achieve Zero Trust without Zero Trust Segmentation**

Zero Trust Segmentation is a modern approach to stop breaches from spreading across hybrid IT, from the cloud to the data center. Today, a vast majority of respondents consider Zero Trust Segmentation essential to any successful Zero Trust initiative (81 percent), and the report found that segmentation pioneers:

*   Are 2.7X more likely to have highly effective attack response processes.
*   Are 2.1X more likely to have avoided a critical outage during an attack over the last 24 months.
*   Save $20.1M in annual cost of downtime.
*   Are able to free up 39 person-hours per week.
*   Avert 5 cyber disasters annually.
*   Are accelerating digital transformation for competitive advantage with 14 more digital and cloud transformation projects planned over the next 12 months.

For more information, download a copy of The Zero Trust Impact Report.

**Research Methodology**

In February 2022, Illumio commissioned ESG to conduct a 1,000-person global study on the current state of Zero Trust strategies and the impact of segmentation. The findings incorporate sentiment from senior information security and IT professionals across North America, Europe, Asia Pacific, and Japan.

**About Illumio**  

Illumio, the Zero Trust Segmentation company, prevents breaches from spreading and turning into cyber disasters. Illumio protects critical applications and valuable digital assets with proven segmentation technology purpose-built for the Zero Trust security model. Illumio ransomware mitigation and segmentation solutions see risk, isolate attacks, and secure data across cloud-native apps, hybrid and multi-clouds, data centers, and endpoints, enabling the world’s leading organizations to strengthen their cyber resiliency and reduce risk.

Zero Trust Research Reveals Nearly Half of All Security Leaders Do Not Believe They Will Be Breached Despite Increasing Attacks and Adoption of Zero Trust Strategies

FAQ for the new Follina zero-day vulnerability. What you can do to protect your computers right now.
The post FAQ: Mitigating Microsoft Office’s ‘Follina’ zero-day appeared first on Malwarebytes Labs.

On Monday May 30, 2022, Microsoft issued CVE-2022-30190 for a zero-day remote code vulnerability, ‘Follina’, already being exploited in the wild via malicious Word documents.

_**Q: What exactly is Follina?**_

A: Follina is the nickname given to a new vulnerability discovered as a zero-day and identified as CVE-2022-30190. In technical terms it is a Remote Code Execution Vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT).

_**Q: But what does it mean, and is this a serious vulnerability?**_

A: An attacker can send you a malicious Office document that will compromise your machine with malware when you open it. It is serious since it is already actively being exploited in the wild and doesn’t require users to enable macros.

**_Q: What is Microsoft doing about it?_**

A: Microsoft has offered mitigation steps that disable the MSDT URL Protocol. However, users should proceed with caution because of possible conflicts and crashes with existing applications.

_**Q: Does Malwarebytes protect against Follina?**_

A: Yes, it does. Please see additional steps below based on your product to ensure you are protected.

**How to add protection with Malwarebytes**

We are working on releasing a new version of Anti-Exploit that won’t require adding new shields and will provide more holistic protection. For immediate mitigation, please follow the instructions below.

**Malwarebytes Premium (Consumer)**

Follow the instructions below to add sdiagnhost.exe as a new protected application.

**Malwarebytes Nebula (Enterprise)**

Follow the instructions below to add sdiagnhost.exe as a new protected application.

FAQ: Mitigating Microsoft Office’s ‘Follina’ zero-day

By Waqas
The Follina vulnerability was originally discovered after a malicious Microsoft Word document was uploaded on VirusTotal from a…
This is a post from HackRead.com Read the original post: Unofficial Micropatch for Follina Released as Chinese Hackers Exploit the 0-day

The Follina vulnerability was originally discovered after a malicious Microsoft Word document was uploaded on VirusTotal from a Belarus IP address.

On Thursday, May 30th, Hackread.com warned against the probability of a dangerous Microsoft zero-day flaw dubbed Follina being exploited in the wild. According to the latest reports, Chinese hackers have already started using it.

**What is Follina?**

Follina is a Microsoft Office flaw tracked as CVE-2022-30190. This vulnerability was discovered in May 2022 by researcher Kevin Beaumont in Microsoft Support Diagnostic Tool (MSDT).

According to the researcher, the exploit is activated when the victim opens a malicious document. The Protected View feature, as we know it, is designed to protect users from opening infected files. But, in the case of Follina, the file preview appears in Explorer, and Protected View is not triggered while the exploit is executed.

Threat actors can exploit this vulnerability to gain privilege escalation on a system and gain “god mode” access to the impacted system. Office Pro Plus, Office 2013, Office 2016, Office 2019, and Office 2021 were impacted by the flaw.

**Chinese APT Group Exploiting Follina**

It seems like this newly identified zero-day already has registered its first exploiters. It is suspected that the exploitation of Follina started in April 2022 with Russian and Indian users becoming the prime targets of interview requests, extortions, and other attacks.

The latest information is shared by Proofpoint, which claims that a threat actor identified as TA413 has exploited this flaw in its attacks targeting the Tibetan community. This actor was previously associated with China and had been attacking Tibetan entities for several years.

In one of its attacks in 2021, the group was caught using a malicious Firefox extension to phish Gmail credentials to spy on Tibetan activists. In the latest, the group used Central Tibetan Administration’s Women Empowerment Desk as a lure in the attacks involving Follina.

> “TA413 CN APT spotted ITW exploiting the Follina 0Day using URLs to deliver Zip Archives which contain Word Documents that use the technique.”
> 
> Proofpoint researchers on Twitter

Furthermore, the SANS Institute detected a document exploiting Follina to deliver malware. The file was written in Chinese, and its translation read: “Mobile phone room to receive orders – channel quotation – the lowest price on the whole network.”

Screenshot of a blog post titled “First Exploitation of Follina Seen in the Wild” on the SANS website published by Xavier Mertens, a freelance security consultant based in Belgium

MalwareHunterTeam has also discovered .docx files bearing Chinese filenames and installing infostealers through coolratxyz. The HTML file is full of junk for obfuscation purposes while it contains a script that downloads/executes the payload.

**Free Micropatches for the “Follina” by 0Patch**

0Patch, a Maribor, Slovenia-based IT security firm has issued free but unofficial micropatches addressing the Follina vulnerability. For more details on “How To” implement these micropatches head to the blog post published by 0Patch’s Mitja Kolsek.

Furthermore, the company has also released a YouTube video demonstrating how its micropatch detects and blocks attempts at exploiting the “Follina” 0day.

Meanwhile, CISA (Cybersecurity and Infrastructure Security Agency) is advising users to follow the “Workaround Guidance” for the Follina vulnerability issued by Microsoft on May 30, 2022.

**Microsoft Knew About the Flaw in April!**

Interestingly, Microsoft has been aware of the flaw since April, but a patch has not arrived. Reportedly, the tech giant was notified by a Shadow Chaser Group member. It is a team that focuses on APT inspection and detection.

Microsoft claims that the researcher who warned the organization about the flaw didn’t consider it a security-related problem. However, they had already seen a sample being exploited in the wild.

On May 27th, researcher Kevin Beaumont shared details of the vulnerability in his blog post after which the company assigned it a CVE and issued mitigation guidance until the arrival of official patches.

**More Microsoft Security News**

*   Hackers are using Microsoft Teams chat to spread malware
*   Malicious Office documents make up 43% of all malware downloads
*   Attackers bypass Microsoft security patch to drop Formbook malware
*   Google, Microsoft, and Oracle generated the most vulnerabilities in 2021
*   Google Drive accounted for 50% of malicious Office document downloads

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Unofficial Micropatch for Follina Released as Chinese Hackers Exploit the 0-day

A recently discovered zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) made headlines over the past few days. CVE-2022-30190, also known under the name "Follina," exists when MSDT is called using the URL protocol from an application, such as Microsoft Office, Microsoft...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

A recently discovered zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) made headlines over the past few days. CVE-2022-30190, also known under the name "Follina," exists when MSDT is called using the URL protocol from an application, such as Microsoft Office, Microsoft Word or via an RTF file. An attacker could exploit this vulnerability to gain the ability to run arbitrary code on the targeted system.

Although a patch hasn't been released yet, Microsoft has provided workarounds and Windows Defender protections for the CVE and malware exploiting this vulnerability. Cisco Talos has also released coverage to protect against this vulnerability, the full details of which are available below.

The most direct workaround is to disable the MSDT URL protocol by launching the command prompt as administrator and running the following commands:

*   To back up the existing registry values, run "reg export HKEY\_CLASSES\_ROOT\\ms-msdt filename" where filename is the name of the backup you will be creating.
*   To implement the workaround, run "reg delete HKEY\_CLASSES\_ROOT\\ms-msdt /f"
*   To undo the work around, run "reg import filename" where filename is the name assigned in the steps above.

**Ongoing exploitation**

Cisco Talos is aware of ongoing exploitation in the wild, so users are encouraged to test and implement the workaround as quickly as possible to mitigate risk.

An example of a maldoc exploiting this vulnerability consists of configuring the external references of the maldoc to point to the exploit payload, which, in this case, is written inHTML.

The HTML hosted on the remote location contains the actual exploit.

Using the ms-msdt schema and troubleshooting package "PCWDiagnostic," the attacker can launch arbitrary code on the infected endpoint.

  
**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The following ClamAV signatures are available to detect malware related to this threat:

**Win.Exploit.CVE\_2022\_30190-9951234-1**

**IOCs****Hashes**

4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784  
8e986c906d0c6213f80d0224833913fa14bc4c15c047766a62f6329bfc0639bd  
fe300467c2714f4962d814a34f8ee631a51e8255b9c07106d44c6a1f1eda7a45  
710370f6142d945e142890eb427a368bfc6c5fe13a963f952fb884c38ef06bfa  
d61d70a4d4c417560652542e54486beb37edce014e34a94b8fd0020796ff1ef7

**Malicious URLs**

hxxps\[://\]www\[.\]xmlformats\[.\]com/office/word/2022/wordprocessingDrawing/RDF842l\[.\]html  
hxxps\[://\]www\[.\]sputnikradio\[.\]net/radio/news/3134\[.\]html  
hxxps\[://\]exchange\[.\]oufca\[.\]com\[.\]au/owa/auth/15\[.\]1\[.\]2375/themes/p3azx\[.\]html

Tag

#zero_day