Suspected Chinese threat group seen attacking Microsoft Office Follina flaw


Suspected Chinese state-aligned threat actors have been observed by security researchers exploiting 'Follina', the Microsoft Office zero-day flaw that was widely publicised this week.

Researchers at security vendor Proofpoint said in a tweet that the advanced persistent threat group TA413 has been spotted exploiting the Follina bug (CVE-2022-30190) in the wild to deliver ZIP archives containing malicious Word documents.

"Campaigns impersonate the 'Women Empowerments Desk' of the Central Tibetan Administration and use the domain tibet-gov.web[.]app," the tweet went on.

First seen in 2019, TA413 is believed to be affiliated with the Chinese government. In 2020 it was observed using COVID-19-themed phishing lures to carry out espionage campaigns against European diplomatic and legislative bodies, non-profit policy research organisations and global organisations dealing with economic affairs. It has also long targeted the Tibetan diaspora and dissidents, distributing malware such as ExileRAT.

Another attempt at exploiting the vulnerability was reported by the SANS Internet Storm Center, whose researchers received a malicious document submitted from Ireland but bearing a Chinese-language filename. Translated, the filename read 'Mobile phone room to receive orders - channel quotation - the lowest price on the whole network.docx'.

Follina is a remote code execution flaw in the Microsoft Support Diagnostic Tool (MSDT). A crafted Word document points at an external resource which in turn invokes the ms-msdt: URL protocol handler, and MSDT then runs attacker-supplied commands with the privileges of the user who opened the file. Because the chain does not rely on VBA, it works even when macros are disabled; all it takes is for a victim to open the document, and when the lure is delivered as an RTF file it can fire from the Windows Explorer preview pane without the file being opened at all. At the time of writing there is no patch.
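The delivery pattern described above leaves a structural fingerprint in the document itself: the OOXML relationship part of the .docx carries an OLE object relationship whose target is an external URL rather than an embedded object, and some variants also contain the ms-msdt: protocol string directly. The following triage script is an added example, not code from the article, Proofpoint or SANS; it builds constructed sample documents in memory (the hostname example.invalid is a placeholder, not an indicator from any real campaign) and reports both signals. External OLE relationships can occur in legitimate linked-object documents, so treat a hit as a reason to look closer, not as proof of compromise.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespace of the package relationship part, and the OLE object
# relationship type that Follina lures abuse as a pointer to remote content.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
RELS_PART = "word/_rels/document.xml.rels"
# The protocol handler the exploit chain ultimately invokes.
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)


def scan_docx(data: bytes) -> dict:
    """Scan a .docx (given as bytes) and return the Follina indicators found.

    external_ole_targets: Target URLs of oleObject relationships marked
                          External, i.e. content Word will fetch remotely.
    msdt_protocol_hits:   package parts containing the string "ms-msdt:".
    """
    findings = {"external_ole_targets": [], "msdt_protocol_hits": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if RELS_PART in names:
            root = ET.fromstring(zf.read(RELS_PART))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if (rel.get("Type") == OLE_REL_TYPE
                        and rel.get("TargetMode") == "External"):
                    findings["external_ole_targets"].append(rel.get("Target"))
        for name in names:
            if MSDT_RE.search(zf.read(name)):
                findings["msdt_protocol_hits"].append(name)
    return findings


def is_suspicious(findings: dict) -> bool:
    """True if either indicator fired; a triage signal, not proof of malice."""
    return bool(findings["external_ole_targets"]
                or findings["msdt_protocol_hits"])


def build_docx(rels_xml: str, document_xml: str = "<w:document/>") -> bytes:
    """Build a minimal constructed .docx in memory for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document_xml)
        zf.writestr(RELS_PART, rels_xml)
    return buf.getvalue()


# Constructed samples, not real lures. The External oleObject pointing at an
# HTTP URL mirrors the structure Follina documents use; the host is a placeholder.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{OLE_REL_TYPE}" Target="embeddings/oleObject1.bin"/>
</Relationships>"""

FOLLINA_STYLE_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{OLE_REL_TYPE}" Target="http://example.invalid/lure.html!" TargetMode="External"/>
</Relationships>"""


if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("follina-style", FOLLINA_STYLE_RELS)):
        result = scan_docx(build_docx(rels))
        print(label, "suspicious" if is_suspicious(result) else "clean", result)
```

Run it against a quarantined attachment by reading the file's bytes and passing them to scan_docx; the relationship check is cheap enough to run on every inbound Office attachment at a mail gateway, while the ms-msdt: string match catches variants that inline the protocol invocation instead of fetching it.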

As a mitigating measure, Microsoft recommends disabling the MSDT URL protocol handler by deleting the HKEY_CLASSES_ROOT\ms-msdt registry key, after first exporting it so the change can be reversed once a fix ships. Microsoft's guidance explains the side effect:

"Disabling MSDT URL protocol prevents troubleshooters being launched as links including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters."