Zerosecurity
  • Home
  • Security
    • Exploits
    • Mobile Security
  • Malware
  • Data Breaches
  • Crypto
  • Privacy
  • Downloads
    • Malwarebytes
    • Exploits
    • Paper Downloads
    • Software & Service Reviews
No Result
View All Result
SUBSCRIBE
Zerosecurity
  • Home
  • Security
    • Exploits
    • Mobile Security
  • Malware
  • Data Breaches
  • Crypto
  • Privacy
  • Downloads
    • Malwarebytes
    • Exploits
    • Paper Downloads
    • Software & Service Reviews
No Result
View All Result
Zerosecurity
No Result
View All Result
Home Exploits

Follina Exploit Being Deployed by Chinese APT Group TA413

Kyle by Kyle
June 3, 2022
in Exploits
0
Chinese APT TA413
119
SHARES
1.3k
VIEWS
Share on FacebookShare on Twitter

A Chinese state-sponsored hacking group, given the call sign “TA413”, has been identified using the new Microsoft Office zero-day exploit, Follina, to launch attacks.

You might also like

Microsoft Office Zero-day “Follina” Allows Attackers to Execute PowerShell Scripts

Flash Zero-day exploited in the wild – CVE-2016-4171

Firefox 47 update fixes 13 vulnerabilities

Microsoft has tagged this Zero-day as a remote code execution flaw within the Microsoft Windows Support Diagnostic Tool (MSDT). The flaw is being tracked under CVE-2022-30190, and it impacts all patched Windows Operating Systems and server platforms.

Crazyman, a Shadow Chaser Group member, is a security researcher who first reported the zero-day at the beginning of April. Microsoft responded to the report by tagging it as “not a security-related issue“, and then closed the report with a remote code execution impact.

Zero-day Exploited in the Wild

The advanced persistent threat (APT) group, TA41, was first discovered by Proofpoint in the first half of 2020 when they observed a large phishing campaign impersonating the World Health Organization’s (WHO) guidance on COVID-19 critical preparedness to deliver a new malware family that researchers have dubbed Sepulcher.

The group has utilized this vulnerability in hacking campaigns against the international Tibetan community.

Proofpoint researchers reported on May 30th that the TA41 threat actors are now using the CVE-2022-30190 exploit to execute malicious PowerShell script via the MSDT protocol with Word documents delivered as ZIP files.

TA413 malicous Word document
An example of TA413’s malicious Word document

“TA413 CN APT spotted ITW exploiting the Follina 0Day using URLs to deliver Zip Archives which contain Word Documents that use the technique,” Proofpoint tweeted.

“Campaigns impersonate the ‘Women Empowerments Desk’ of the Central Tibetan Administration and use the domain tibet-gov.web[.]app.”

The MalwareHunterTeam on Twitter also discovered the Chinese APT group using DOCx documents with Chinese filenames used to spread and download malicious payloads from the domain http://coolrat[.]xyz/Client.exe.

Follina exploited in the wild
Source of Coolrat with the Follina payload, credits: BleepingComputer

Workaround is Available

Surprise! Considering the magnitude of this exploit and the hundreds of thousands of businesses it may impact, Microsoft has issued new guidance on how to mitigate these attacks “An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application,”.

“The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”

Administrators can block attacks targeting exploit CVE-2022-30190 by disabling the MSDT URL protocol this vulnerability abuses to launch the troubleshooter that can execute code on vulnerable systems.

Security researchers also advise disabling the preview pane in Windows Explorer which is the other attack vector that this exploit impacts. Disabling the preview pane effectively prevents a zero-click exploit to occur which will infect the user without opening the file.

The Cybersecurity & Infrastructure Security Agency (CISA) has urged all system administrators and users to disable the MSDT protocol on all Windows devices following Microsoft’s report of the exploit being actively used in the wild.

The first use of CVE-2022-30190 in the wild was spotted over a month ago utilizing sextortion threats and invitations to Sputnik Radio interviews as luring techniques.

bleepingcomputer.com/news/security/windows-msdt-zero-day-now-exploited-by-chinese-apt-hackers/

malpedia.caad.fkie.fraunhofer.de/actor/ta413

Tags: APTchinaMicrosoft Officezero day
Share74Tweet19
Kyle

Kyle

Co-owner, writer, and editor at ZeroSecurity. Security, Blockchain, and SEO enthusiast. "Formal education will make you a living; self-education will make you a fortune."

Recommended For You

Microsoft Office Zero-day “Follina” Allows Attackers to Execute PowerShell Scripts

by Kyle
May 31, 2022 - Updated on June 2, 2022
0
Microsoft Office zero-day exploit CVE-2022-30190

Researchers have discovered a new Microsoft Office zero-day vulnerability that is being used to carry out attacks in the wild. The zero-day has been dubbed Follina. The attacks...

Read more

Flash Zero-day exploited in the wild – CVE-2016-4171

by Kyle
June 15, 2016
0
CVE-2016-4171 flash zero-day

Another Adobe Flash Player zero-day has been found being exploited in “limited, targeted attacks”. Adobe has stated it will be patched later this week. The vulnerability, CVE-2016-4171 (CVE)...

Read more

Firefox 47 update fixes 13 vulnerabilities

by Kyle
June 14, 2016
0
Firefox 47 update fixes 13 vulnerabilities

In the most recent Firefox update pushed by Mozilla, two critical vulnerabilities were patched. The patch included a fix for a buffer overflow and a set of memory...

Read more

Over 10 million systems found exploitable

by Kyle
June 9, 2016
0
Rapid7 Project sonar

Around 10 million systems globally have their databases at risk and countless nodes leave telnet, printer, and other ports open, based on new info from Rapid7’s Project Sonar....

Read more

Exploit found in Uber earns researcher $10k

by Kyle
June 8, 2016
0
Uber exploit found, $10k rewarded

Rideshare company and mobile app, Uber, fixed a vulnerability within its website that could have allowed a hacker to log into a few “.uber.com” subdomains with a non existant-password...

Read more
Next Post
Windows Subsystem for Linux

New Malware Targeting Windows Subsystem for Linux

Related News

Google Chrome Extension fingerprinting source

Google Chrome exposes user extensions to fingerprinting

July 1, 2022
Downthem DDoS Service owner sentenced

Downthem DDoS service owner gets a 2-year prison sentence

June 30, 2022
Cloudflare record breaking DDoS

Cloudflare Stops Record-Breaking DDoS

June 29, 2022
Zerosecurity

We cover the latest in Information Security & Blockchain news, as well as threat trends targeting both sectors.

Categories

  • Crypto
  • Data Breaches
  • DotNet Framework
  • Downloads
  • Exploits
  • Exploits
  • Information
  • Legal
  • Malware
  • Malware Analysis
  • Mobile Security
  • Paper Downloads
  • Piracy
  • Privacy
  • Programming
  • Public
  • Security
  • Security
  • Software & Service Reviews
  • Technology News
  • Tools
  • Tutorials
  • Video Tutorials
  • Whitepapers
  • Zero Security
  • Contact Us
  • List of our Writers

© 2022 ZeroSecurity, All Rights Reserved.

No Result
View All Result
  • Home
  • Security
    • Tools
  • Data Breaches
  • Malware
  • Privacy
  • Contact Us

© 2022 ZeroSecurity, All Rights Reserved.