The recently discovered zero-day vulnerability in Microsoft Office called ‘Follina’, which Microsoft is tracking as CVE-2022-30190, is now being actively exploited by the TA413 APT group, linked to the Chinese state.
The vulnerability is a remote code execution flaw in the Microsoft Windows Support Diagnostic Tool (MSDT) and impacts all Windows client and server platforms still receiving security updates, that is, Windows 7 or later and Windows Server 2008 or later.
The bug was first reported to Microsoft on April 12 as a zero-day by researchers from the Shadow Chaser group. Microsoft's initial response stated that it was not a security issue, because MSDT required a password before it could execute payloads and because Microsoft's team could not reproduce the behaviour.
Microsoft later reversed course and acknowledged the vulnerability as critical on Monday, warning users that the flaw can be, and already is being, exploited to install malware remotely without triggering detection from Windows Defender or Microsoft Office's Protected View.
Exploits are already running in the wild
The group running these exploits is the TA413 APT group mentioned above, associated with Chinese state hacking activity. According to security researchers at Proofpoint, the vulnerability is being used in attacks on the international Tibetan community.
The group is running a campaign impersonating the Women Empowerment Desk of the Central Tibetan Administration, using the tibet-gov.web.app domain to send malicious Word documents to targets in ZIP archives.
Exploitation by Chinese actors was further confirmed by security researchers at MalwareHunterTeam, who also observed Word documents with Chinese filenames being used to install password-stealing trojans.
While Microsoft hasn't patched the vulnerability yet, some mitigations can reduce users' exposure. Firstly, Microsoft suggests disabling the MSDT URL protocol by running the following two commands in a Command Prompt window with admin privileges. The first command exports the ms-msdt key to a backup file so the handler can be restored later with reg import; the second removes it:
reg export HKEY_CLASSES_ROOT\ms-msdt [name for registry export]
reg delete HKEY_CLASSES_ROOT\ms-msdt /f
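The same workaround, as an added example that is not from the article or from Microsoft: a PowerShell routine for an elevated session that backs up the ms-msdt handler key before deleting it, refuses to delete if the backup fails, verifies the removal, and provides a matching restore routine for use once a patch is installed. The backup directory under ProgramData is an assumed location.

```powershell
# Added example: back up and remove the ms-msdt URL protocol handler
# (the Follina workaround), with verification and a restore path.
# Requires an elevated PowerShell session. $BackupDir is an assumed path.

function Disable-MsdtProtocol {
    param([string]$BackupDir = "$env:ProgramData\FollinaMitigation")  # assumed location

    $key = 'HKEY_CLASSES_ROOT\ms-msdt'
    if (-not (Test-Path "Registry::$key")) {
        Write-Output "ms-msdt handler already absent; nothing to do."
        return $null
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $BackupDir "ms-msdt-$stamp.reg"

    # Export first so the handler can be restored after the patch ships.
    reg.exe export $key $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backup)) {
        throw "Registry export failed; refusing to delete without a backup."
    }
    reg.exe delete $key /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg delete failed (exit $LASTEXITCODE)." }

    # Confirm the handler is really gone.
    if (Test-Path "Registry::$key") { throw "ms-msdt key still present after delete." }
    Write-Output "ms-msdt handler removed; backup at $backup"
    return $backup
}

function Restore-MsdtProtocol {
    param([Parameter(Mandatory)][string]$BackupFile)
    if (-not (Test-Path $BackupFile)) { throw "Backup file not found: $BackupFile" }
    reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import failed (exit $LASTEXITCODE)." }
    Write-Output "ms-msdt handler restored from $BackupFile"
}

# Example usage (elevated):
# $backup = Disable-MsdtProtocol
# Restore-MsdtProtocol -BackupFile $backup   # once the official patch is applied
```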
Additionally, since the exploit can also run from the Preview pane in Windows Explorer, it's recommended not to preview any suspicious documents you might receive.