China-backed hackers are exploiting a newly discovered zero-day vulnerability in Microsoft Office, according to a threat analysis research. The vulnerability, which has been called “Follina” by security researchers, allows attackers to execute malicious code on Windows systems through Microsoft Word documents. Microsoft acknowledged the existence of the security loophole shortly after it was brought to notice last week. However, it is yet to be fixed. The Redmond company did not provide any clarity on when exactly it would release a patch for the severe vulnerability.
The threat analysis research conducted by security firm Proofpoint suggests that a hacking group labelled TA413, which is believed to be linked to the Chinese government, was exploiting the zero-day vulnerability through malicious Word documents that appeared to be coming from the Central Tibetan Administration, the Tibetan Government-in-Exile based in Dharamshala, India. The security firm revealed its research on Twitter this week.
Noted as an advanced persistent threat (APT), the hacking group TA413 was also found to be targeting Tibetans around the world in 2020. It runs campaigns impersonating women-focussed groups of the Tibetan exile community.
Proofpoint told TechCrunch that the group is also tracked as “LuckyCat” and “Earth Berberoka”.
Tokyo-based cybersecurity research team Nao_sec brought the latest Microsoft vulnerability — tracked as CVE-2022-30190 — to notice last week. However, it was reported to the software giant in April. A security researcher said that the company at the time, though, refused to consider it as a security issue.
“An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights,” the company warned in a blog post while explaining the scope of the issue.
The Follina vulnerability allows attackers to execute PowerShell commands by hijacking the Microsoft Support Diagnostic Tool (MSDT). It can be exploited using a Microsoft Word document, which is what the hackers seem to be doing in the latest case.
Various Microsoft products including Office 2013 as well as Office 2021 and some versions of Office 365 are affected by the flaw. Attackers could also target users on both Windows 10 and Windows 11 devices, as per the researchers who have examined the issue.