According to Bleeping Computer, there is an ongoing vulnerability in Windows that Microsoft has recently patched. On May 30, Microsoft suggested some workarounds to address the problem. Nonetheless, the Windows 10 KB5014699 and Windows 11 KB5014697 updates will automatically resolve everything for users, making them highly urgent for all users.
“The update for this vulnerability is in the June 2022 cumulative Windows Updates,” Microsoft says. “Microsoft strongly recommends that customers install the updates to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action.”
Bleeping Computer says the security flaw called Follina tracked as CVE-2022-30190 covers versions of Windows that are still receiving security updates, including Windows 7+ and Server 2008+. It is being exploited by hackers to get control of a user’s computers by executing malicious PowerShell commands via Microsoft Support Diagnostic Tool (MSDT), as described by the independent cybersecurity research team nao_sec. This means the Arbitrary Code Execution (ACE) attacks can occur by simply previewing or opening a malicious Microsoft Word document. Interestingly, security researcher CrazymanArmy told Microsoft’s security team about the zero-day in April, but the company simply dismissed the report submitted, saying “it is not a security-related issue.”
TA413 CN APT spotted ITW exploiting the #Follina #0Day using URLs to deliver Zip Archives which contain Word Documents that use the technique. Campaigns impersonate the "Women Empowerments Desk" of the Central Tibetan Administration and use the domain tibet-gov.web[.]app pic.twitter.com/4FA9Vzoqu4
— Threat Insight (@threatinsight) May 31, 2022
In a report from the security research company Proofpoint, a group linked to the Chinese government named Chinese TA413 targeted Tibetan users by sending them malicious documents. “TA413 CN APT spotted ITW exploiting the #Follina #0Day using URLs to deliver Zip Archives which contain Word Documents that use the technique,” Proofpoint writes in a tweet. “Campaigns impersonate the ‘Women Empowerments Desk’ of the Central Tibetan Administration and use the domain tibet-gov.web[.]app.”
Apparently, the said group isn’t the only one exploiting the vulnerability. Other state-related and independent bad actors have been taking advantage of it for quite some time now, including a group that disguised a document as a salary increase memo in order to phish US and EU government agencies. Others include the TA570 Qbot affiliate that delivers Qbot malware and the first attacks that were seen using sextortion threats and baits like Sputnik Radio interview invite.
Once opened, the infected documents sent will allow hackers to control MDST and execute commands, leading to unpermitted program installations and access to computer data that hackers can view, delete, or alter. Actors can also create new user accounts through the user’s computer.