Chinese Hackers Actively Exploiting Microsoft Office 0-day Follina

Unofficial Micropatch for Follina Released as Chinese Hackers Exploit the 0-day

The Follina vulnerability was originally discovered after a malicious Microsoft Word document was uploaded on VirusTotal from a Belarus IP address.

On Thursday, May 30th, warned against the probability of a dangerous Microsoft zero-day flaw dubbed Follina being exploited in the wild. According to the latest reports, Chinese hackers have already started using it.

What is Follina?

Follina is a Microsoft Office flaw tracked as CVE-2022-30190. This vulnerability was discovered in May 2022 by researcher Kevin Beaumont in Microsoft Support Diagnostic Tool (MSDT).

According to the researcher, the exploit is activated when the victim opens a malicious document. The Protected View feature, as we know it, is designed to protect users from opening infected files. But, in the case of Follina, the file preview appears in Explorer, and Protected View is not triggered while the exploit is executed.

Threat actors can exploit this vulnerability to gain privilege escalation on a system and gain “god mode” access to the impacted system. Office Pro Plus, Office 2013, Office 2016, Office 2019, and Office 2021 were impacted by the flaw.

Chinese APT Group Exploiting Follina

It seems like this newly identified zero-day already has registered its first exploiters. It is suspected that the exploitation of Follina started in April 2022 with Russian and Indian users becoming the prime targets of interview requests, extortions, and other attacks.

The latest information is shared by Proofpoint, which claims that a threat actor identified as TA413 has exploited this flaw in its attacks targeting the Tibetan community. This actor was previously associated with China and had been attacking Tibetan entities for several years.

In one of its attacks in 2021, the group was caught using a malicious Firefox extension to phish Gmail credentials to spy on Tibetan activists. In the latest, the group used Central Tibetan Administration’s Women Empowerment Desk as a lure in the attacks involving Follina.

“TA413 CN APT spotted ITW exploiting the Follina 0Day using URLs to deliver Zip Archives which contain Word Documents that use the technique.”

Proofpoint researchers on Twitter

Furthermore, the SANS Institute detected a document exploiting Follina to deliver malware. The file was written in Chinese, and its translation read: “Mobile phone room to receive orders – channel quotation – the lowest price on the whole network.”

Chinese Hackers Actively Exploiting Microsoft Office 0-day Follina
Screenshot of a blog post titled “First Exploitation of Follina Seen in the Wild” on the SANS website published by Xavier Mertens, a freelance security consultant based in Belgium

MalwareHunterTeam has also discovered .docx files bearing Chinese filenames and installing infostealers through coolratxyz. The HTML file is full of junk for obfuscation purposes while it contains a script that downloads/executes the payload.

Free Micropatches for the “Follina” by 0Patch

0Patch, a Maribor, Slovenia-based IT security firm has issued free but unofficial micropatches addressing the Follina vulnerability. For more details on “How To” implement these micropatches head to the blog post published by 0Patch’s Mitja Kolsek.

Furthermore, the company has also released a YouTube video demonstrating how its micropatch detects and blocks attempts at exploiting the “Follina” 0day.

Meanwhile, CISA (Cybersecurity and Infrastructure Security Agency) is advising users to follow the “Workaround Guidance” for the Follina vulnerability issued by Microsoft on May 30, 2022.

Microsoft Knew About the Flaw in April!

Interestingly, Microsoft has been aware of the flaw since April, but a patch has not arrived. Reportedly, the tech giant was notified by a Shadow Chaser Group member. It is a team that focuses on APT inspection and detection.

Microsoft claims that the researcher who warned the organization about the flaw didn’t consider it a security-related problem. However, they had already seen a sample being exploited in the wild.

On May 27th, researcher Kevin Beaumont shared details of the vulnerability in his blog post after which the company assigned it a CVE and issued mitigation guidance until the arrival of official patches.

More Microsoft Security News

Related Posts