
China-backed Hackers Are Exploiting Microsoft Office To Target Tibetans

source link: https://www.theinsaneapp.com/2022/06/china-backed-hackers-are-exploiting-microsoft-office.html


[Image: A newly discovered vulnerability in Microsoft Office is already being exploited by hackers linked to the Chinese government, according to threat analysis research from security firm Proofpoint]

A flaw recently discovered in Microsoft Office is already being exploited by hackers connected to the Chinese government, according to threat analysis research from the security firm Proofpoint.

Information shared by Proofpoint on Twitter indicates that a hacking group tracked as “TA413” was exploiting the vulnerability (dubbed “Follina”) through malicious Word documents that purported to come from the Central Tibetan Administration.

TA413 is assessed to be an APT, an “advanced persistent threat” group, and is believed to be connected to the Chinese government. The group has previously been identified targeting the Tibetan exile community.

It is widely accepted that Chinese hackers have a history of exploiting software security vulnerabilities to target Tibetans. A 2019 report by Citizen Lab, for example, documented extensive targeting of Tibetan political figures with spyware delivered via Android browser exploits and malicious links sent over WhatsApp.

Browser extensions have also been used for this purpose: earlier research by Proofpoint revealed a malicious Firefox add-on used to surveil Tibetan activists.

The Microsoft Word vulnerability first began to draw attention on May 27, when the security research group Nao Sec took to Twitter to discuss a malicious sample it had found on VirusTotal. Nao Sec’s tweet noted that the malware was distributed via Microsoft Word documents and that it executed code through PowerShell, a powerful system-management tool on Windows.


In a blog post published on May 29, security researcher Kevin Beaumont shared further details of the vulnerability. According to Beaumont’s analysis, it allows a maliciously crafted Word document to fetch an HTML file from a remote server and then execute PowerShell commands by abusing the Microsoft Support Diagnostic Tool (MSDT), the component that normally collects information about crashes and other problems in Microsoft applications.
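The remote fetch described above starts from a relationship inside the .docx package that points at an external http(s) resource. The following added example, not code from the article, Proofpoint or Beaumont, shows how a defender can scan an incoming .docx for such relationships; the sample documents and the URL in them are constructed for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship types that make Word load content from the target when the
# document is opened; an external http(s) target of these types is a red flag.
REMOTE_LOAD_TYPES = {"oleObject", "attachedTemplate", "frame", "subDocument"}


def find_external_relationships(docx_bytes):
    """Return (rels_path, rel_type, target, high_risk) for every relationship
    in the package whose TargetMode is External and whose target is an http(s) URL."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):          # relationships live in *.rels parts
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "").lower() != "external":
                    continue
                target = rel.get("Target", "")
                if re.match(r"(?i)^https?://", target):
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, rel_type, target, rel_type in REMOTE_LOAD_TYPES))
    return hits


def build_sample_docx(rels_xml):
    """Build a minimal constructed .docx (a zip) carrying the given document.xml.rels."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


OOXML = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
# Constructed relationships: one normal internal part, one external OLE object.
SUSPICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OOXML}/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{OOXML}/oleObject" Target="http://example.invalid/remote.html" TargetMode="External"/>
</Relationships>"""
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OOXML}/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{OOXML}/hyperlink" Target="https://example.invalid/" TargetMode="External"/>
</Relationships>"""
```

An external hyperlink is reported too, but only remote-loading types are marked high risk, so a mail gateway can quarantine on the flag rather than on every link.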

Microsoft has officially acknowledged the vulnerability and assigned it CVE-2022-30190. There are reports that earlier attempts to report the same vulnerability to Microsoft were rejected.

According to Microsoft’s Security Response blog, an attacker who successfully exploits the flaw could view, change or delete data, or even create new user accounts on a compromised system. To date, Microsoft has not issued an official patch but has published workarounds that require manually disabling the MSDT URL protocol handler.

Because Microsoft Office and related products are so widely deployed, the attack surface for this vulnerability is very large. Recent research indicates that Follina affects Office 2013, 2016, 2019 and 2021, Office ProPlus, and Office 365. On Tuesday, the US Cybersecurity and Infrastructure Security Agency was reported to be urging system administrators to apply Microsoft’s mitigation guidance for the vulnerability.
