Chinese Hackers Begin Exploiting Latest Microsoft Office Zero-Day Vulnerability

An advanced persistent threat (APT) actor aligned with Chinese
state interests has been observed weaponizing the new zero-day flaw^[1]
in Microsoft Office to achieve code execution on affected
systems.

“TA413 CN APT spotted [in-the-wild] exploiting the Follina
zero-day using URLs to deliver ZIP archives which contain Word
Documents that use the technique,” enterprise security firm
Proofpoint said^[2]
in a tweet.

“Campaigns impersonate the ‘Women Empowerments Desk’ of the
Central Tibetan Administration and use the domain
tibet-gov.web[.]app.”

TA413^[3]
is best known for its campaigns aimed at the Tibetan diaspora to
deliver implants such as Exile RAT^[4]
and Sepulcher^[5]
as well as a rogue Firefox browser extension dubbed FriarFox^[6].

The high-severity security flaw, dubbed Follina and tracked as
CVE-2022-30190 (CVSS score: 7.8), relates to a case of remote code
execution that abuses the “ms-msdt:” protocol URI scheme to execute
arbitrary code.

Specifically, the attack makes it possible for threat actors to
circumvent Protected View^[7]
safeguards for suspicious files by simply changing the document to
a Rich Text Format (RTF) file, thereby allowing the injected code
to be run without even opening the document via the Preview Pane^[8]
in Windows File Explorer.

While the bug gained widespread attention last week, evidence
points to the active exploitation of the diagnostic tool flaw in
real-world attacks targeting Russian users over a month ago on
April 12, 2022, when it was disclosed to Microsoft.

The company, however, did not deem it a security issue^[9] and closed the
vulnerability submission report, citing reasons that the MSDT
utility required a passkey^[10] provided by a support
technician before it can execute payloads.

The vulnerability exists in all currently supported Windows
versions and can be exploited via Microsoft Office versions Office
2013 through Office 21 and Office Professional Plus editions.

“This elegant attack is designed to bypass security products and
fly under the radar by leveraging Microsoft Office’s remote
template feature and the ms-msdt protocol to execute malicious
code, all without the need for macros,” Malwarebytes’ Jerome Segura
noted^[11].

Although there is no official patch available at this point,
Microsoft has recommended^[12] disabling the MSDT URL
protocol to prevent the attack vector. Additionally, it’s been
advised^[13] to turn off the Preview
Pane in File Explorer.

“What makes ‘Follina’ stand out is that this exploit does not
take advantage of Office macros and, therefore, it works even in
environments where macros have been disabled entirely,” Nikolas
Cemerikic of Immersive Labs said.

“All that’s required for the exploit to take effect is for a
user to open and view the Word document, or to view a preview of
the document using the Windows Explorer Preview Pane. Since the
latter does not require Word to launch fully, this effectively
becomes a zero-click attack.”