A recently discovered vulnerability in Microsoft Office is already being exploited by hackers linked to the Chinese government, according to threat analysis research by security firm Proofpoint.
Details shared by Proofpoint on Twitter suggest that a threat group tracked as TA413 used the vulnerability (called “Follina” by researchers) in malicious Word documents purporting to come from the Central Tibetan Administration, the Tibetan government-in-exile based in Dharamsala, India. The TA413 group is an APT, or “advanced persistent threat”, an actor believed to be linked to the Chinese government that was previously observed targeting the Tibetan exile community.
In general, Chinese hackers have a history of using software security flaws to target Tibetans. A report published by Citizen Lab in 2019 documented comprehensive targeting of Tibetan political figures with spyware, including through Android browser exploitation and malicious links sent via WhatsApp. Browsers have also been weaponized for this purpose, with a previous Proofpoint analysis uncovering the use of a malicious Firefox plugin to spy on Tibetan activists.
The Microsoft Word vulnerability first began to receive widespread attention on May 27, when a security research group known as Nao Sec took to Twitter to discuss a sample submitted to the online malware-scanning service VirusTotal. Nao Sec’s tweet noted that the malicious code was delivered via Microsoft Word documents, which were ultimately used to execute commands through PowerShell, a powerful system administration tool for Windows.
In a blog post published on May 29, researcher Kevin Beaumont shared further details about the vulnerability. According to Beaumont’s analysis, the vulnerability allows a maliciously crafted Word document to load HTML files from a remote web server and then execute PowerShell commands by hijacking the Microsoft Support Diagnostic Tool (MSDT), a program that ordinarily collects information about crashes and other issues with Microsoft applications.
According to Microsoft’s own security response blog, an attacker capable of exploiting the vulnerability could install programs; view, change or delete data; and even create new user accounts on a compromised system. So far, Microsoft has not released an official patch but has proposed mitigating measures for the vulnerability, which involve manually disabling the URL protocol handling feature of the MSDT tool.
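The workaround Microsoft published removes the `ms-msdt:` URL protocol registration so that a document can no longer hand a payload to MSDT. The script below is an added example, not code from the article or from Microsoft; it wraps that registry change in a backup, apply and restore routine so an administrator can revert it once an official update ships. The backup path is an assumption; run it from an elevated PowerShell prompt.

```powershell
# Added example: apply and verify the MSDT URL-protocol workaround for Follina.
# Not from the article or Microsoft; the backup location is an assumed value.
$KeyPath    = 'HKEY_CLASSES_ROOT\ms-msdt'              # protocol handler to disable
$BackupFile = Join-Path $env:TEMP 'ms-msdt-backup.reg'  # assumed backup location

function Test-MsdtHandlerPresent {
    # True while the ms-msdt: URL protocol is still registered (not yet mitigated).
    return Test-Path "Registry::$KeyPath"
}

function Invoke-FollinaWorkaround {
    if (-not (Test-MsdtHandlerPresent)) {
        Write-Output "ms-msdt handler already absent; nothing to do."
        return $true
    }
    # Export the key first so the handler can be restored after patching.
    reg.exe export $KeyPath $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
        throw "Backup of $KeyPath failed; refusing to delete without a backup."
    }
    reg.exe delete $KeyPath /f | Out-Null
    $mitigated = -not (Test-MsdtHandlerPresent)
    Write-Output ("Workaround applied: {0} (backup at {1})" -f $mitigated, $BackupFile)
    return $mitigated
}

function Undo-FollinaWorkaround {
    # Restore the handler from the backup once the official update is installed.
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
    reg.exe import $BackupFile | Out-Null
    return (Test-MsdtHandlerPresent)
}

Invoke-FollinaWorkaround
```

Deleting the key disables MSDT troubleshooters launched via links until `Undo-FollinaWorkaround` is run, so record the backup location alongside your change ticket.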
Due to the widespread use of Microsoft Office and related products, the potential attack surface for the vulnerability is large. Current analysis suggests that Follina affects Office 2013, 2016, 2019, 2021, Office ProPlus and Office 365; and, since Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency has been encouraging system administrators to implement Microsoft’s guidance to mitigate exploitation.