Chinese Hackers Exploit Critical Microsoft Office Vulnerability: Unveiling the Follina Zero-Day


Introduction

A critical flaw reachable through ordinary Microsoft Office documents has emerged, and it is already being used by a threat actor associated with China. This article covers the Follina zero-day, its exploitation by the group TA413 CN APT, and what it means for Microsoft Office users on every supported Windows version.

The Follina Zero-Day Exploitation

TA413 CN APT's Tactics

The advanced persistent threat group TA413 CN APT moved quickly to weaponize the Follina zero-day. According to enterprise security firm Proofpoint, TA413 has been observed sending URLs that deliver ZIP archives containing Word documents built on the Follina technique. The lures impersonate the 'Women Empowerments Desk' of the Central Tibetan Administration and are served from the domain tibet-gov.web[.]app.

Follina: CVE-2022-30190

The Follina zero-day, officially tracked as CVE-2022-30190, is rated high severity with a CVSS score of 7.8. The flaw lies in the Microsoft Support Diagnostic Tool (MSDT): a crafted Word document pulls in a remote HTML resource, that resource invokes the "ms-msdt:" protocol URI scheme, and MSDT then acts on attacker-supplied parameters, yielding code execution with the privileges of the calling application. Saving the lure as a Rich Text Format (RTF) file makes matters worse: the payload fires as soon as Windows File Explorer renders the file in its Preview Pane, so the document never has to be opened, and Protected View, which guards documents opened in Office, never gets a chance to intervene.
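Because the Word variant depends on one structural feature of the .docx package, a lure can be triaged statically. The following Python is an added example for this article, not code from the article, from Proofpoint or from Microsoft: it lists every OLE-object relationship under word/_rels/ that is marked external and points at an http(s) URL, the link that makes Word fetch the remote HTML carrying the ms-msdt: invocation, and it builds a constructed sample document inline so it runs offline. The function names and the lure.example host are assumptions of this example, not identifiers from the campaign.

```python
"""Static triage for Follina-style delivery documents.

Added example for this article, not code from the article, Proofpoint or
Microsoft. It checks the structural feature the Word variant relies on: an OLE
object relationship in the .docx package that is marked external and points at
an http(s) URL, so Word fetches remote HTML when the document is rendered.
RTF lures are a different container and are not covered by this check.
The sample document below is constructed inline and is not a real sample.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
REMOTE_URL = re.compile(r"^https?://", re.IGNORECASE)


def find_external_ole_links(docx_bytes: bytes) -> list:
    """Return every relationship under word/_rels/ that is an OLE object,
    marked TargetMode="External", and aimed at a remote http(s) URL."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                if (rel.get("TargetMode") == "External"
                        and rel.get("Type") == OLE_REL_TYPE
                        and REMOTE_URL.match(target)):
                    findings.append({"part": name,
                                     "id": rel.get("Id"),
                                     "target": target})
    return findings


def build_sample_docx(ole_target: Optional[str]) -> bytes:
    """Constructed minimal .docx (demo input only). With ole_target set, the
    relationships part links an OLE object to that external URL; with None it
    carries an ordinary embedded (internal) OLE part instead."""
    if ole_target is None:
        ole_rel = (f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" '
                   'Target="embeddings/oleObject1.bin"/>')
    else:
        ole_rel = (f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" '
                   f'Target="{ole_target}" TargetMode="External"/>')
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{RELS_NS}">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/styles" Target="styles.xml"/>'
            f'{ole_rel}</Relationships>')
    document = ('<?xml version="1.0" encoding="UTF-8"?>'
                '<w:document xmlns:w="http://schemas.openxmlformats.org/'
                'wordprocessingml/2006/main"><w:body><w:p/></w:body>'
                '</w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document)
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    suspicious = build_sample_docx("https://lure.example/page.html")
    for hit in find_external_ole_links(suspicious):
        print(f"{hit['part']}: {hit['id']} -> {hit['target']}")
    print("benign findings:", find_external_ole_links(build_sample_docx(None)))
```

The check deliberately keys on the combination of relationship type, external target mode and a remote scheme: an internal OLE part or an external link to a local file is not what this delivery chain needs, so neither is reported, which keeps the output short enough to act on. The reported target URL is the indicator worth blocking and hunting for.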

Timeline of Exploitation

Although it drew wide attention only recently, evidence suggests the Follina flaw has been exploited in the wild for more than a month: Russian users were targeted as early as April 12, 2022. When the vulnerability was first reported to Microsoft, the company closed it as not a security issue, reasoning that MSDT requires a passkey from a support technician before it will execute payloads, a precondition the working exploit evidently does not need.

Vulnerable Systems and Workarounds

Follina affects every currently supported Windows version and is exploitable from Microsoft Office 2013 through Office 2021, including Office Professional Plus editions. With no patch available, Microsoft's recommended workaround is to disable the MSDT URL protocol: from an elevated command prompt, back up the registry key HKEY_CLASSES_ROOT\ms-msdt with reg export, then delete it with reg delete (the exported file can be restored with reg import once a fix ships). Users are also advised to turn off the Preview Pane in File Explorer so that RTF lures are not rendered automatically. Organizations running Microsoft Defender for Endpoint can additionally enable the attack surface reduction rule that blocks Office applications from creating child processes, which stops the msdt.exe launch this exploit depends on.

The Unique Nature of the Follina Exploit

Malwarebytes' Jerome Segura described Follina as an "elegant attack" built to sidestep security controls. Unlike most Office exploits it uses no macros, so it works in environments where macros are disabled or blocked by policy. Nikolas Cemerikic of Immersive Labs noted that the exploit needs only minimal user interaction: opening and viewing the Word document, or merely selecting it so that the Windows Explorer Preview Pane renders it. In the preview case the user never consciously opens anything, which brings the attack close to zero-click and adds to its severity.
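Because no macro is involved, macro policy and macro-focused detections give no signal; what does show up is the msdt.exe launch itself. The following Python is an added detection example for this article, not a rule published by Microsoft, Malwarebytes or Immersive Labs. It assumes process-creation telemetry with Image, ParentImage and CommandLine fields, as Sysmon Event ID 1 provides, and flags two observables: msdt.exe spawned by an Office process, and an ms-msdt: command line whose IT_BrowseForFile parameter carries a PowerShell subexpression, which is how the technique hands code to the diagnostic tool. The events are constructed, and the function names are assumptions of this example.

```python
"""Process-telemetry detection for Follina execution.

Added example for this article, not a rule from Microsoft, Malwarebytes or
Immersive Labs. Input is a list of process-creation events with the fields
Image, ParentImage and CommandLine (assumed to match Sysmon Event ID 1 / EDR
output). The events below are constructed, not captured telemetry.
"""
import ntpath
import re

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# IT_BrowseForFile=$( ... ) : a PowerShell subexpression handed to MSDT
SUBEXPR_IN_BROWSEFORFILE = re.compile(r'it_browseforfile="?\$\(', re.IGNORECASE)


def follina_indicators(event: dict) -> list:
    """Return the reasons an msdt.exe launch looks like Follina; an empty
    list means the event is not interesting. ntpath parses Windows paths
    correctly on any host, which os.path would not on Linux."""
    image = ntpath.basename(event.get("Image", "")).lower()
    if image != "msdt.exe":
        return []
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    cmd = event.get("CommandLine", "")
    reasons = []
    if parent in OFFICE_PROCESSES:
        reasons.append(f"msdt.exe spawned by Office process {parent}")
    if "ms-msdt:" in cmd.lower() and SUBEXPR_IN_BROWSEFORFILE.search(cmd):
        reasons.append("ms-msdt: URI with PowerShell subexpression in IT_BrowseForFile")
    return reasons


def triage(events: list) -> list:
    """Pair each flagged event's index with its reasons; unflagged events are omitted."""
    return [(i, r) for i, e in enumerate(events) if (r := follina_indicators(e))]


SAMPLE_EVENTS = [
    # 0: constructed legitimate troubleshooter launch; should not fire
    {"Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'"C:\Windows\System32\msdt.exe" -id NetworkDiagnosticsWeb'},
    # 1: constructed Follina-shaped launch from Word; both rules fire
    {"Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": (r'"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic '
                     r'/skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu '
                     r'IT_BrowseForFile=$(Invoke-Expression(...))"')},
    # 2: constructed launch with a non-Office parent; only the command-line rule fires
    {"Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": (r'"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic '
                     r'/param "IT_BrowseForFile=$(Invoke-Expression(...))"')},
    # 3: an Office child that is not msdt.exe; the image gate drops it
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for index, reasons in triage(SAMPLE_EVENTS):
        print(f"event {index}: " + "; ".join(reasons))
```

The parent-process rule on its own is the one most worth keeping even after patching, since an Office application has no business launching msdt.exe; the command-line rule exists for the preview-pane path, where the parent of msdt.exe is not the Office binary the user sees, so the parent rule alone would miss it.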

Conclusion

The Follina zero-day vulnerability presents a significant threat to Microsoft Office users, and its active exploitation by a state-affiliated threat actor raises concerns about the security of sensitive information. As users await an official patch, implementing the recommended workarounds becomes crucial to mitigating the risk. The incident underscores the ongoing challenges faced by cybersecurity professionals in staying ahead of relentless and sophisticated adversaries in the digital realm. Stay informed, stay vigilant, and prioritize the security of your digital assets in the face of evolving cyber threats.
