Microsoft Office Zero-Day Exploited in Active Attacks, Chinese APT TA413 Leverages Zero Day in Operations

Researchers have uncovered a new zero-day vulnerability in Microsoft Office that is being actively exploited to run malicious PowerShell commands through the Microsoft Support Diagnostic Tool (MSDT) simply by opening a Word document. The ‘Follina’ vulnerability (CVE-2022-30190) is a remote code execution flaw in MSDT; it is triggered by malicious Word documents that invoke MSDT, which in turn executes the attacker’s PowerShell commands. Microsoft has published countermeasures for the flaw, which affects all versions of Windows still receiving security updates. Public proof-of-concept code for Follina has already been incorporated into standard exploitation frameworks and tools, and the vulnerability can be exploited even when Office macros are disabled.

When a user opens or merely previews a crafted Word document, threat actors use the vulnerability to execute PowerShell instructions via MSDT in what Microsoft refers to as Arbitrary Code Execution (ACE) attacks. A successful exploit lets an attacker run arbitrary code with the privileges of the calling application; the attacker can then install programs, read, modify, or delete data, and create new accounts, to the extent the victim’s user rights allow. Follina introduces a critical new attack vector through Microsoft Office: it works without elevated privileges, has evaded Windows Defender detection, and does not need macros to be enabled in order to run binaries and scripts. According to researchers, depending on the payload, an attacker could use the vulnerability to reach remote locations on the victim’s network and collect password hashes from Windows machines, which are useful for post-exploitation activity.
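The process chain described above (Word hands a document to MSDT, and MSDT then starts PowerShell) is what a defender can hunt for in endpoint telemetry. The following PowerShell is an added example, not code from the article or from any vendor: it runs a simple parent/child rule over a handful of constructed process-creation records whose field names mirror Sysmon Event ID 1 (ParentImage, Image). The records, timestamps and the `Test-FollinaChain` function name are all assumptions made for the example.

```powershell
# Added example: flag the Office -> msdt.exe -> PowerShell chain over constructed
# process-creation records. Field names follow Sysmon Event ID 1; the records
# themselves are hand-written sample data, not real telemetry.

$events = @(
    # Benign: a user starts a troubleshooter from Explorer / Control Panel.
    [pscustomobject]@{ Time = '2022-05-30T09:01:00'
                       ParentImage = 'C:\Windows\explorer.exe'
                       Image = 'C:\Windows\System32\msdt.exe' }
    # Suspicious: Word hands a document off to MSDT (the Follina chain).
    [pscustomobject]@{ Time = '2022-05-30T09:02:10'
                       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       Image = 'C:\Windows\System32\msdt.exe' }
    # Suspicious: that MSDT instance then launches PowerShell.
    [pscustomobject]@{ Time = '2022-05-30T09:02:11'
                       ParentImage = 'C:\Windows\System32\msdt.exe'
                       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' }
    # Benign: an ordinary Word child process (print helper).
    [pscustomobject]@{ Time = '2022-05-30T09:05:00'
                       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       Image = 'C:\Windows\splwow64.exe' }
)

# Office applications that should never need to launch the diagnostic tool.
$officeApps = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')
# Interpreters that msdt.exe has no legitimate reason to spawn.
$shells = @('powershell.exe', 'pwsh.exe', 'cmd.exe')

function Get-Leaf([string]$Path) {
    # Take the file name regardless of separator so the rule is case-insensitive
    # and independent of the Office install path.
    return ($Path -split '[\\/]')[-1].ToLowerInvariant()
}

function Test-FollinaChain {
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        $parent = Get-Leaf $e.ParentImage
        $child  = Get-Leaf $e.Image

        if (($officeApps -contains $parent) -and ($child -eq 'msdt.exe')) {
            [pscustomobject]@{ Time = $e.Time; Rule = 'office-spawns-msdt'; Parent = $parent; Child = $child }
        }
        elseif (($parent -eq 'msdt.exe') -and ($shells -contains $child)) {
            [pscustomobject]@{ Time = $e.Time; Rule = 'msdt-spawns-shell'; Parent = $parent; Child = $child }
        }
    }
}

# Only the two Follina-style records are reported; the explorer.exe and
# splwow64.exe records pass silently.
Test-FollinaChain -Events $events | Format-Table -AutoSize
```

On a live host the same rule can be fed from `Get-WinEvent` over the Sysmon operational log or Security event 4688 (which carries the parent in its "Creator Process Name" field); the preview-pane variant the article mentions shows up with the same parent/child pairing, since the preview handler still hands the document to MSDT.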
The TA413 APT group, a Chinese government-affiliated hacking group, has exploited this vulnerability in attacks against its preferred target, the international Tibetan community. As discovered by security researchers on 30 May, TA413 is now exploiting CVE-2022-30190 to execute malicious code via the MSDT protocol when targets open or preview Word documents delivered inside ZIP archives. As a workaround, researchers advise administrators and users to disable the MSDT URL protocol, which attackers use to launch troubleshooters and execute code on susceptible systems, in order to block attacks that rely on CVE-2022-30190. Disabling the Preview pane in Windows Explorer is also advised, since it removes the preview-based variant of the attack vector. Microsoft Defender Antivirus versions 1.367.719.0 and later include detections for attempted exploitation under various signatures.
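The MSDT URL protocol workaround mentioned above amounts to removing the `ms-msdt` protocol handler from the registry, which is what Microsoft's interim guidance for CVE-2022-30190 describes (`reg export` the key, then `reg delete` it). The PowerShell below is an added example, not the article's or Microsoft's own script: it wraps those two steps so the key is backed up before it is deleted and can be restored later. The backup location under `$env:ProgramData` and the function names are assumptions; run it from an elevated prompt.

```powershell
# Added example: apply and reverse the ms-msdt: protocol workaround for
# CVE-2022-30190. Requires an elevated PowerShell session.

$keyPath    = 'HKEY_CLASSES_ROOT\ms-msdt'
# Assumed backup location; any writable path works.
$backupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'

function Disable-MsdtProtocol {
    param([string]$Key = $keyPath, [string]$Backup = $backupFile)

    if (-not (Test-Path "Registry::$Key")) {
        Write-Host "$Key not present; nothing to do (already removed or never registered)."
        return $false
    }

    # Export first so the handler can be restored once the vendor patch is in
    # place; /y overwrites an existing backup file without prompting.
    & reg.exe export $Key $Backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $Key failed; refusing to delete the key." }

    # Removing the key means URLs of the form ms-msdt:... no longer resolve to
    # msdt.exe, which is the step Office-launched exploitation depends on.
    & reg.exe delete $Key /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Deletion of $Key failed." }

    Write-Host "Removed $Key; backup written to $Backup."
    return $true
}

function Restore-MsdtProtocol {
    param([string]$Backup = $backupFile)

    if (-not (Test-Path $Backup)) { throw "No backup found at $Backup." }
    & reg.exe import $Backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Import of $Backup failed." }
    Write-Host "Restored ms-msdt: handler from $Backup."
}

# Apply the workaround; call Restore-MsdtProtocol after patching to undo it.
Disable-MsdtProtocol
```

Removing the handler only blocks the protocol route into MSDT; it does not stop a user or administrator from launching troubleshooters directly, and it should be treated as a stop-gap to be reversed with `Restore-MsdtProtocol` once the security update is installed.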