Follina Exploited by State-Sponsored Hackers

  • A government-aligned attacker tried using a Microsoft vulnerability to attack U.S. and E.U. government targets.

    Researchers have added state-sponsored hackers to the list of adversaries attempting to exploit Microsoft’s now-patched Follina vulnerability. According to researchers at Proofpoint, state-sponsored hackers have attempted to abuse the Follina vulnerability in Microsoft Office, aiming an email-based exploit at U.S. and E.U. government targets via phishing campaigns.

    Proofpoint researchers spotted the attacks and believe the adversaries have ties to a government, which Proofpoint did not identify. The attacks consist of campaigns targeting U.S. and E.U. government workers. Malicious emails contain fake recruitment pitches promising a 20 percent boost in salary and entice recipients to download an accompanying attachment.

    The text states, “You’ll be getting a [20%] [sic] increase in your salary.” The message prompts recipients to open an attached document “before this weekend” to learn more.

    In a Twitter-based statement, Sherrod DeGrippo, vice president of threat research at Proofpoint, said about 10 Proofpoint customers had received over 1,000 such messages.

    The malicious attachment targets the remote code execution bug CVE-2022-30190, dubbed Follina.

    Discovered last month, the flaw involves the Microsoft Windows Support Diagnostic Tool (MSDT). As Microsoft explained in a blog post, the bug “exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application.”

    State-sponsored abuse of the flaw is just the latest in a string of Follina-related attacks.

    If successfully exploited, attackers can use the Follina flaw to install programs, view, change or delete data, or create new accounts in the context allowed by the user’s rights, the company said.

    “A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word,” Microsoft explained in its guidance on the Microsoft Security Response Center. “An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application.”
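    Detection logic for the calling pattern Microsoft describes, added here as an example that is not from the article, Proofpoint or Microsoft: it flags process-creation events in which an Office application spawns msdt.exe or hands it an ms-msdt: URL. The Sysmon-style field names and the sample events are constructed for illustration.

```python
import ntpath
from typing import Optional

# Office applications that should not normally launch the diagnostic tool.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
MSDT = "msdt.exe"
SCHEME = "ms-msdt:"  # URL protocol handler that routes a request to MSDT

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r'"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force'},
    {"ParentImage": r"C:\Windows\explorer.exe",  # user-launched troubleshooter, benign
     "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r'"C:\Windows\System32\msdt.exe" -path C:\Windows\diagnostics\system\Audio'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r'"C:\Windows\System32\msdt.exe"'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",  # print spooler helper, expected from Word
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
]


def basename(image_path: str) -> str:
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return ntpath.basename(image_path).lower()


def classify(event: dict) -> Optional[str]:
    """Return a reason string if the event matches Follina-style MSDT abuse, else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "").lower()
    office_parent = parent in OFFICE_APPS
    scheme_present = SCHEME in cmdline
    if child == MSDT and office_parent and scheme_present:
        return "office app spawned msdt.exe via ms-msdt: URL protocol"
    if child == MSDT and office_parent:
        return "office app spawned msdt.exe"
    if office_parent and scheme_present:
        return "ms-msdt: URL passed from office app"
    return None


def scan(events) -> list:
    """Indexes and reasons for every suspicious event in the batch."""
    return [(i, reason) for i, e in enumerate(events) if (reason := classify(e))]
```

    Parent/child pairing is the durable signal: the exact command-line tokens vary between samples, while an Office process launching MSDT almost never occurs in normal use.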

    Microsoft’s workaround comes some six weeks after the vulnerability was apparently first identified. Researchers from Shadow Chaser Group noticed it on April 12, and Microsoft patched it in May.

    Proofpoint says the malicious file used in the recruitment phishing campaigns, if downloaded, executes a script that ultimately checks for a virtualized environment and “steals information from local browsers, mail clients and file services, conducts machine recon and then zips it for exfil.”

    Proofpoint explained in a tweet, “The extensive reconnaissance conducted by [a] second PowerShell script demonstrated an actor interested in a large variety of software on a target’s computer.” It is that behavior that raised concerns that the campaign had ties to a “state aligned nexus,” researchers noted.