{"id":38769,"date":"2022-06-06T12:16:02","date_gmt":"2022-06-06T12:16:02","guid":{"rendered":"https:\/\/harchi90.com\/state-backed-hackers-exploit-microsoft-follina-bug-to-target-entities-in-europe-and-us\/"},"modified":"2022-06-06T12:16:02","modified_gmt":"2022-06-06T12:16:02","slug":"state-backed-hackers-exploit-microsoft-follina-bug-to-target-entities-in-europe-and-us","status":"publish","type":"post","link":"https:\/\/harchi90.com\/state-backed-hackers-exploit-microsoft-follina-bug-to-target-entities-in-europe-and-us\/","title":{"rendered":"State-Backed Hackers Exploit Microsoft ‘Follina’ Bug to Target Entities in Europe and US"},"content":{"rendered":"\n

A new set of attacks exploiting the Microsoft Office “Follina” vulnerability to target government entities in Europe and the US has been attributed to a suspected state-aligned threat actor.

Enterprise security firm Proofpoint said it blocked attempts at exploiting the remote code execution flaw, which is being tracked as CVE-2022-30190 (CVSS score: 7.8). No fewer than 1,000 phishing messages containing a lure document were sent to the targets.

“This campaign masqueraded as a salary increase and utilized an RTF with the exploit payload downloaded from 45.76.53[.]253,” the company said in a series of tweets.

\"CyberSecurity\"<\/center><\/div>\n

The payload, which manifests in the form of a PowerShell script, is Base64-encoded and functions as a downloader to retrieve a second PowerShell script from a remote server named “seller-notification[.]live.”

“This script checks for virtualization, steals information from local browsers, mail clients and file services, conducts machine recon and then zips it for exfil[tration] to 45.77.156[.]179,” the company added.

\"\"<\/div>\n

The phishing campaign has not been linked to a previously known group, but Proofpoint said it was mounted by a nation-state actor, based on the specificity of the targeting and the PowerShell payload’s wide-ranging reconnaissance capabilities.

The development follows active exploitation attempts by a Chinese threat actor tracked as TA413 to deliver weaponized ZIP archives with malware-rigged Microsoft Word documents.

\"CyberSecurity\"<\/center><\/div>\n

The Follina vulnerability, which leverages the “ms-msdt:” protocol URI scheme to remotely take control of target devices, remains unpatched, with Microsoft urging customers to disable the protocol to prevent the attack vector.

In the absence of a security update, 0patch has released an unofficial fix to block ongoing attacks against Windows systems that target the Microsoft Windows Support Diagnostic Tool (MSDT) vulnerability.

“It doesn’t matter which version of Office you have installed, or if you have Office installed at all: the vulnerability could also be exploited through other attack vectors,” 0patch’s Mitja Kolsek said.

“Proofpoint continues to see targeted attacks leveraging CVE-2022-30190,” Sherrod DeGrippo, vice president of threat research, said in a statement shared with The Hacker News.

“The extensive reconnaissance conducted by the second PowerShell script demonstrates an actor interested in a large variety of software on a target’s computer. This, coupled with the tight targeting of European government and local US governments, led us to suspect this campaign has a state-aligned nexus.”
