China-backed hackers exploit an unpatched Microsoft Office vulnerability known as Follina to remotely execute malicious code across Windows systems.
The high-risk vulnerability — tracked as CVE-2022-30190 — is used in attacks to execute malicious PowerShell commands via Microsoft Diagnostics when opening or previewing specially prepared Office documents.
Current analysis indicates that Follina affects Office 2013, 2016, 2019, 2021, Office Pro Plus, and Office 365.
The bug works without elevated privileges and bypasses Windows Defender detection; it does not require macros to be enabled in order to execute scripts.
The flaw could also circumvent Microsoft’s Protected View feature, an Office tool that warns of potentially malicious files and documents.
The researchers warned that converting the document to an RTF file could allow attackers to bypass this warning. The vulnerability can also be exploited without any clicks by hovering over a downloaded file to preview it.
The software giant warned that the flaw allowed the attackers to install programs, delete data and create new accounts within the context permitted by user rights.
Cybersecurity researchers have observed hackers exploiting the vulnerability to target Russian and Belarusian users since April.
Enterprise security firm Proofpoint said a Chinese state-sponsored hacking group is exploiting the vulnerability in attacks targeting the international Tibetan community.
The TA413 group targets Tibetan organizations through the use of malicious browser add-ons and coronavirus-themed spying campaigns. The group is also known as LuckyCat and Earth Berberoka.
Security flaw in Microsoft Office
Microsoft received a report about Follina on April 12, after Word documents were found exploiting the flaw.
However, the researcher who reported the flaw said Microsoft initially classified it as not a security issue. The software giant later informed the researcher that the issue had been fixed, but no patch appears to be available.
Microsoft has released guidance for preventing attacks that exploit CVE-2022-30190: disable the MSDT URL protocol, and turn off the preview pane in Windows Explorer.
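As an added illustration of that workaround (example code, not Microsoft's published script), the PowerShell below backs up and then removes the ms-msdt URL protocol handler so the key can be restored once a patch is installed; the backup file location is an assumption.

```powershell
# Added example: disable the ms-msdt: URL protocol handler (Follina workaround).
# Run from an elevated PowerShell session. Reverse with: reg.exe import <backup file>
$KeyPath    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'          # HKCR is not a default PS drive
$BackupFile = Join-Path $env:TEMP 'ms-msdt-backup.reg'      # assumed backup location

function Test-MsdtHandlerDisabled {
    # Returns $true when the ms-msdt: protocol handler is absent (mitigation in place)
    return -not (Test-Path $KeyPath)
}

if (Test-MsdtHandlerDisabled) {
    Write-Output 'ms-msdt handler not present; nothing to do.'
} else {
    # Export first so the handler can be restored after patching.
    reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Registry export failed (exit $LASTEXITCODE); key left unchanged."
    }

    Remove-Item -Path $KeyPath -Recurse -Force
    Write-Output "ms-msdt handler removed; backup saved to $BackupFile"
}

# Verification: should print True once the handler is gone
Test-MsdtHandlerDisabled
```

The preview-pane change described in the guidance is made separately in Windows Explorer and is not covered by this script.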
The US Cybersecurity and Infrastructure Security Agency issued an alert urging users and administrators to review the company’s guidance and implement the necessary workarounds.