Recently, security researchers issued a warning regarding a Microsoft zero-day vulnerability being exploited in the wild. Right after the disclosure, threat actors swarmed in to exploit it. Moreover, there was no patch for it for quite some time.

Diving into details

  • Referred to as Follina, the flaw is tracked as CVE-2022-30190. It affects multiple Office versions, including Office 2013, Office 2016, Office 2021, and Office Pro Plus. 
  • It works without elevated privileges, bypasses Windows Defender, and runs scripts or binaries without enabling macros. 
  • The vulnerability impacts all Windows versions receiving security updates, including Windows 11. 

Abusing the flaw

  • A phishing campaign was found targeting U.S. local governments and European governments, via malicious RTF documents. The attackers harvested huge troves of information from browsers, such as Chrome, Edge, Firefox, and Opera. 
  • China-based TA413 APT group exploited the flaw to target the international Tibetan community by masquerading as the Women Empowerment Desk of the Central Tibetan Administration. 
  • TA570 also abused the flaw to distribute the Qbot malware; the group hijacked existing email threads and delivered the lure as HTML attachments.
  • CERT-UA warned that the Russian Sandworm APT had allegedly been exploiting Follina since at least April. The attackers targeted over 500 recipients at Ukrainian media organizations, including newspapers and radio stations.

Patch is out

In its Patch Tuesday release, Microsoft issued a fix for the high-severity flaw. Organizations are advised to deploy the patch promptly to be fully protected. Other workarounds are also available, such as disabling the MSDT URL protocol and enabling the Defender ASR rule that blocks Office applications from creating child processes. Microsoft also announced that, from July onwards, it will encourage users to move to Windows Autopatch, which streamlines the update process for Windows 10 and 11.
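The two interim workarounds named above, as an added PowerShell example that is not from the article or from Microsoft: it backs up and removes the ms-msdt protocol handler, enables the Defender ASR rule that blocks Office applications from creating child processes, and reports whether both are in place so the state can be checked before and after patching. The backup path is an assumption; run it from an elevated prompt.

```powershell
# Added example, not part of the original article. Run as Administrator.
$BackupPath = 'C:\Temp\ms-msdt-backup.reg'      # assumed location; adjust to taste
$MsdtKey    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
# ASR rule "Block all Office applications from creating child processes"
$AsrOfficeChildProc = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Disable-MsdtProtocol {
    # Export the key first so the handler can be restored once the patch is applied.
    if (Test-Path $MsdtKey) {
        New-Item -ItemType Directory -Path (Split-Path $BackupPath) -Force | Out-Null
        reg.exe export 'HKCR\ms-msdt' $BackupPath /y | Out-Null
        reg.exe delete 'HKCR\ms-msdt' /f | Out-Null
        Write-Host "ms-msdt handler removed; backup saved to $BackupPath"
    } else {
        Write-Host 'ms-msdt handler already absent'
    }
}

function Enable-OfficeChildProcessBlock {
    # Use -AttackSurfaceReductionRules_Actions AuditMode first if you need to
    # measure impact on line-of-business add-ins, then switch to Enabled (block).
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrOfficeChildProc `
                     -AttackSurfaceReductionRules_Actions Enabled
}

function Test-FollinaMitigations {
    # Reports each workaround separately; Mitigated is true only when both hold.
    $msdtGone = -not (Test-Path $MsdtKey)
    $prefs = Get-MpPreference
    $ids   = @($prefs.AttackSurfaceReductionRules_Ids | ForEach-Object { "$_".ToUpper() })
    $idx   = [array]::IndexOf($ids, $AsrOfficeChildProc)
    # Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
    $asrBlocking = ($idx -ge 0) -and ($prefs.AttackSurfaceReductionRules_Actions[$idx] -eq 1)
    [pscustomobject]@{
        MsdtHandlerRemoved      = $msdtGone
        AsrOfficeChildProcBlock = $asrBlocking
        Mitigated               = ($msdtGone -and $asrBlocking)
    }
}

Disable-MsdtProtocol
Enable-OfficeChildProcessBlock
Test-FollinaMitigations
```

Restore the handler after patching with `reg.exe import` of the saved file; the ASR rule is worth keeping enabled regardless, since it blocks the Office-spawns-a-process pattern rather than this one CVE.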
Cyware Publisher