Security News > 2022 > June > State-Backed Hackers Exploit Microsoft 'Follina' Bug to Target Entities in Europe and U.S
A suspected state-aligned threat actor has been attributed to a new set of attacks exploiting the Microsoft Office "Follina" vulnerability to target government entities in Europe and the U.S. Enterprise security firm Proofpoint said it blocked attempts at exploiting the remote code execution flaw, which is being tracked CVE-2022-30190.
The payload, which manifests in the form of a PowerShell script, is Base64-encoded and functions as a downloader to retrieve a second PowerShell script from a remote server named "Seller-notification[.]live."
The phishing campaign has not been linked to a previously known group, but said it was mounted by a nation-state actor based on the specificity of the targeting and the PowerShell payload's wide-ranging reconnaissance capabilities.
The development follows active exploitation attempts by a Chinese threat actor tracked as TA413 to deliver weaponized ZIP archives with malware-rigged Microsoft Word documents.
The Follina vulnerability, which leverages the "Ms-msdt:" protocol URI scheme to remotely take control of target devices, remains unpatched, with Microsoft urging customers to disable the protocol to prevent the attack vector.
"The extensive reconnaissance conducted by the second PowerShell script demonstrates an actor interested in a large variety of software on a target's computer. This, coupled with the tight targeting of European government and local U.S. governments led us to suspect this campaign has a state aligned nexus."
News URL
https://thehackernews.com/2022/06/state-backed-hackers-exploit-microsoft.html
Related news
- Microsoft: Chinese hackers use Quad7 botnet to steal credentials (source)
- VEILDrive Attack Exploits Microsoft Services to Evade Detection and Distribute Malware (source)
- Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails (source)
- High-Severity Flaw in PostgreSQL Allows Hackers to Exploit Environment Variables (source)
- Vietnamese Hacker Group Deploys New PXA Stealer Targeting Europe and Asia (source)
- Chinese hackers exploit Fortinet VPN zero-day to steal credentials (source)
- Chinese Hackers Exploit T-Mobile and Other U.S. Telecoms in Broader Espionage Campaign (source)
- Russian Hackers Deploy HATVIBE and CHERRYSPY Malware Across Europe and Asia (source)
- Hackers exploit critical bug in Array Networks SSL VPN products (source)
- APT-C-60 Hackers Exploit StatCounter and Bitbucket in SpyGlace Malware Campaign (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-06-01 | CVE-2022-30190 | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Microsoft products A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. | 0.0 |