Recently, security researchers issued a warning regarding a Microsoft zero day vulnerability being exploited in the wild. Right after the disclosure, threat actors swarmed in to exploit it. Moreover, there was no patch for it for quite some time.
Chinese APT hacking
Chinese APT group TA413 exploited Follina (CVE-2022-30190) in attacks against the international Tibetan community by using the tibet-gov[.]web[.]app domain.
- They abused the vulnerability to run malicious code using the MSDT protocol.
- The campaigns impersonated the Women Empowerments Desk of the Central Tibetan Administration.
- Additionally, another security researcher spotted DOCX documents with Chinese filenames being used to deliver malicious payloads detected as password-stealing trojans through http://coolrat[.]xyz.
Qbot ransomware attack
- The Windows zero day vulnerability was also exploited in phishing campaigns that attempted to deliver the Qbot ransomware.
- The attacks were launched by a Qbot affiliate - TA570.
- The threat actor leveraged malicious MS Office .docx files to exploit Follina.
Patch released
In its Patch Tuesday, Microsoft released a fix for the high-severity zero day vulnerability. It is suggested that organizations diligently deploy the patch to be fully secure. Furthermore, there are other workarounds such as disabling the MSDT URL protocol and implementing Defender ASR rules to block Office apps from creating child processes. Microsoft announced to encourage users to switch to Windows Autopatch from July onwards, which will streamline the product update process for Windows 10 and 11 users.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/shutterstock_330082574.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/shutterstock_226388362.jpg)
