Zerosecurity
  • Home
  • Security
    • Exploits
    • Mobile Security
  • Malware
  • Data Breaches
  • Crypto
  • Privacy
  • Downloads
    • Malwarebytes
    • Exploits
    • Paper Downloads
    • Software & Service Reviews
No Result
View All Result
SUBSCRIBE
Zerosecurity
  • Home
  • Security
    • Exploits
    • Mobile Security
  • Malware
  • Data Breaches
  • Crypto
  • Privacy
  • Downloads
    • Malwarebytes
    • Exploits
    • Paper Downloads
    • Software & Service Reviews
No Result
View All Result
Zerosecurity
No Result
View All Result
Home Exploits

Follina Exploit Being Deployed by Chinese APT Group TA413

Kyle by Kyle
June 3, 2022
in Exploits
0
Chinese APT TA413
120
SHARES
1.3k
VIEWS
Share on FacebookShare on Twitter

A Chinese state-sponsored hacking group, given the call sign “TA413”, has been identified using the new Microsoft Office zero-day exploit, Follina, to launch attacks.

You might also like

Plex media server seen exploited in the wild utilizing a 3 year old RCE

New TPM 2.0 exploit attackers to access or overwrite sensitive data

Google reports a rise in ransomware attacks

Microsoft has tagged this Zero-day as a remote code execution flaw within the Microsoft Windows Support Diagnostic Tool (MSDT). The flaw is being tracked under CVE-2022-30190, and it impacts all patched Windows Operating Systems and server platforms.

Crazyman, a Shadow Chaser Group member, is a security researcher who first reported the zero-day at the beginning of April. Microsoft responded to the report by tagging it as “not a security-related issue“, and then closed the report with a remote code execution impact.

Zero-day Exploited in the Wild

The advanced persistent threat (APT) group, TA41, was first discovered by Proofpoint in the first half of 2020 when they observed a large phishing campaign impersonating the World Health Organization’s (WHO) guidance on COVID-19 critical preparedness to deliver a new malware family that researchers have dubbed Sepulcher.

The group has utilized this vulnerability in hacking campaigns against the international Tibetan community.

Proofpoint researchers reported on May 30th that the TA41 threat actors are now using the CVE-2022-30190 exploit to execute malicious PowerShell script via the MSDT protocol with Word documents delivered as ZIP files.

TA413 malicous Word document
An example of TA413’s malicious Word document

“TA413 CN APT spotted ITW exploiting the Follina 0Day using URLs to deliver Zip Archives which contain Word Documents that use the technique,” Proofpoint tweeted.

“Campaigns impersonate the ‘Women Empowerments Desk’ of the Central Tibetan Administration and use the domain tibet-gov.web[.]app.”

The MalwareHunterTeam on Twitter also discovered the Chinese APT group using DOCx documents with Chinese filenames used to spread and download malicious payloads from the domain http://coolrat[.]xyz/Client.exe.

Follina exploited in the wild
Source of Coolrat with the Follina payload, credits: BleepingComputer

Workaround is Available

Surprise! Considering the magnitude of this exploit and the hundreds of thousands of businesses it may impact, Microsoft has issued new guidance on how to mitigate these attacks “An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application,”.

“The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”

Administrators can block attacks targeting exploit CVE-2022-30190 by disabling the MSDT URL protocol this vulnerability abuses to launch the troubleshooter that can execute code on vulnerable systems.

Security researchers also advise disabling the preview pane in Windows Explorer which is the other attack vector that this exploit impacts. Disabling the preview pane effectively prevents a zero-click exploit to occur which will infect the user without opening the file.

The Cybersecurity & Infrastructure Security Agency (CISA) has urged all system administrators and users to disable the MSDT protocol on all Windows devices following Microsoft’s report of the exploit being actively used in the wild.

The first use of CVE-2022-30190 in the wild was spotted over a month ago utilizing sextortion threats and invitations to Sputnik Radio interviews as luring techniques.

bleepingcomputer.com/news/security/windows-msdt-zero-day-now-exploited-by-chinese-apt-hackers/

malpedia.caad.fkie.fraunhofer.de/actor/ta413

Tags: APTchinaMicrosoft Officezero day
Share74Tweet19
Kyle

Kyle

Co-owner, writer, and editor at ZeroSecurity. Security, Blockchain, and SEO enthusiast. "Formal education will make you a living; self-education will make you a fortune."

Recommended For You

Plex media server seen exploited in the wild utilizing a 3 year old RCE

by Kyle
March 11, 2023
0
Plex RCE responsible-for lastpass breach

CISA, the cybersecurity and infrastructure agency, has included a severe remote code execution (RCE) vulnerability in the Plex Media Server, which is nearly three years old, in its...

Read more

New TPM 2.0 exploit attackers to access or overwrite sensitive data

by Paul Anderson
March 5, 2023
0
New TPM 2.0 Exploit

Two buffer overflow vulnerabilities have been discovered in the Trusted Platform Module (TPM) 2.0 specification, which could give cybercriminals unauthorized access to or the ability to overwrite sensitive...

Read more

Google reports a rise in ransomware attacks

by Paul Anderson
July 15, 2022
0
Google reports a rise in ransomware attacks

In the 3rd issue of the recently released, Threat Horizons, Google's Cybersecurity Action Team (GCAT) provides organizations with information about emerging risks and actionable mitigation. Bad actors have...

Read more

Cross-Site Scripting (XSS) attack method steals your browser’s auto-fill credentials

by Christi Rogalski
July 11, 2022 - Updated on February 23, 2023
0
Cross-Site Scripting (XSS) attack method steals your browser’s auto-fill credentials

Cross-site scripting, also known as XSS, attacks rank high on lists of common cybersecurity risks. It is the injection of malicious code into the web application to exploit...

Read more

Citrix exploit CWE-284 allows hackers to reset admin password

by Christi Rogalski
July 8, 2022
0
Citrix CWE-284 CVE-2022-27511 exploit

A critical bug has been identified in the Citrix Application Delivery Management console (ADM) that, if exploited, could lead to a serious security breach including allowing the attackers...

Read more
Next Post
Windows Subsystem for Linux

New Malware Targeting Windows Subsystem for Linux

Related News

Netwire RAT seized by FBI and other worldwide police agencies

Netwire RAT seized by FBI and other worldwide police agencies

March 16, 2023
The Emotet botnet returns and is sending a slew of malicious emails

The Emotet botnet returns and is sending a slew of malicious emails

March 14, 2023
Update-resistant malware infects SonicWall security appliances

Update-resistant malware infects SonicWall security appliances

March 12, 2023
Zerosecurity

We cover the latest in Information Security & Blockchain news, as well as threat trends targeting both sectors.

Categories

  • Crypto
  • Data Breaches
  • DotNet Framework
  • Downloads
  • Exploits
  • Exploits
  • Information
  • Legal
  • Malware
  • Malware Analysis
  • Mobile Security
  • Paper Downloads
  • Piracy
  • Privacy
  • Programming
  • Public
  • Security
  • Security
  • Software & Service Reviews
  • Technology News
  • Tools
  • Tutorials
  • Video Tutorials
  • Whitepapers
  • Zero Security
  • Contact Us
  • List of our Writers

© 2022 ZeroSecurity, All Rights Reserved.

No Result
View All Result
  • Home
  • Security
  • Exploits
  • Data Breaches
  • Malware
  • Privacy
  • Mobile Security
  • Tools
  • Contact Us
  • Privacy Policy

© 2022 ZeroSecurity, All Rights Reserved.