The critical Windows ‘Follina’ zero-day vulnerability is being exploited in phishing attacks on local governments in the United States and government entities throughout Europe, according to Proofpoint.
The phishing campaign uses Rich Text Format (RTF) attachments, which exploit the Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution bug – CVE-2022-30190 – when opened. Exploitation of the vulnerability does not require macros to be enabled. The lures used in the phishing emails advise the recipients about salary increases to encourage them to open the attached document.
In this attack, the attackers exploit the bug to deploy a PowerShell script as the payload. The script checks whether it is running on a virtual machine and, if not, collects extensive system information and steals information from web browsers, mail clients, and file services, and exfiltrates the data to a remote server.
Based on the highly targeted nature of the campaign, the extensive reconnaissance, and data exfiltrated in the attacks, Proofpoint suspects that a state-sponsored threat actor may be behind this campaign. Proofpoint does not say which threat actor is suspected of being behind the attacks, which have targeted fewer than 10 of its customers.
Several threat actors are known to be exploiting the flaw, including the TA413 hacking group, which is linked to China. That group is conducting attacks on the international Tibetan community. Other Chinese threat actors have been exploiting the flaw to deliver password-stealing Trojans, and several other threat actors have been exploiting the flaw for a range of nefarious purposes.
Microsoft has yet to issue a patch to address the flaw, but a free micropatch has been released by 0patch that can be applied in the interim until an official fix is released. Alternatively, the mitigation recommended by Microsoft is to disable the MSDT URL protocol.
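The interim mitigation mentioned above, disabling the ms-msdt: URL protocol handler, can be applied and later reversed with a short script. The following is an added example and not code from the article, Proofpoint or Microsoft; it follows Microsoft's published guidance of exporting the HKEY_CLASSES_ROOT\ms-msdt key as a backup and then deleting it. The backup directory (C:\Backup) and the function names are assumptions for this example.

```powershell
# Added example (not from the article): disable the ms-msdt: protocol handler
# as an interim mitigation for CVE-2022-30190, keeping a backup so the handler
# can be restored once an official fix is installed.
# Run from an elevated PowerShell prompt.

$keyPath   = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$backupDir = 'C:\Backup'                      # assumption: pick a location you control
$backup    = Join-Path $backupDir 'ms-msdt-backup.reg'

function Test-MsdtProtocolEnabled {
    # Returns $true while the ms-msdt: handler is still registered (i.e. still exposed).
    return (Test-Path -Path $keyPath)
}

function Disable-MsdtProtocol {
    if (-not (Test-MsdtProtocolEnabled)) {
        Write-Output 'ms-msdt protocol handler already absent; nothing to do.'
        return
    }
    if (-not (Test-Path -Path $backupDir)) {
        New-Item -ItemType Directory -Path $backupDir | Out-Null
    }
    # Export the key first so the change is reversible after patching.
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Backup of ms-msdt key failed; key not deleted.' }

    # Remove the handler; Office/MSDT can no longer be invoked through ms-msdt: links.
    & reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Deleting the ms-msdt key failed.' }
    Write-Output "ms-msdt protocol handler removed; backup saved to $backup"
}

function Restore-MsdtProtocol {
    # Re-import the saved key after the vendor patch has been applied.
    if (-not (Test-Path -Path $backup)) { throw "No backup found at $backup" }
    & reg.exe import $backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Restoring the ms-msdt key failed.' }
    Write-Output 'ms-msdt protocol handler restored.'
}

# Apply the mitigation and report the resulting state.
Disable-MsdtProtocol
Write-Output ("Handler still enabled: " + (Test-MsdtProtocolEnabled))
```

Test-MsdtProtocolEnabled doubles as a compliance check that can be run across a fleet to confirm the mitigation is in place; Restore-MsdtProtocol is the rollback once the official patch (or the 0patch micropatch, which does not need this change) is deployed.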