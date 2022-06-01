ContributorsPublishersAdvertisers
Software

This dangerous Microsoft Office zero-day is now being exploited in the wild

By Sead Fadilpašić
TechRadar
TechRadar
 3 days ago
https://img.particlenews.com/image.php?url=3UelND_0fwne4dw00
(Image credit: Pixabay)

The Microsoft Office "Follina" zero-day vulnerability may have its first official adopters, and first victims, experts have revealed.

Cybersecurity researchers from Proofpoint have discovered that a Chinese state-sponsored threat actor known as TA413 has been targeting the international Tibetan community using the flaw.

"TA413 CN APT spotted ITW exploiting the Follina 0Day using URLs to deliver Zip Archives which contain Word Documents that use the technique," Proofpoint noted.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 (opens in new tab). Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey (opens in new tab) to get the bookazine, worth $10.99/£10.99.

Installing infostealers

"Campaigns impersonate the 'Women Empowerments Desk' of the Central Tibetan Administration and use the domain tibet-gov.web[.]app."

Uncovered earlier in May 2022, Follina leverages a Windows utility called msdt.exe, designed to run different troubleshooter packs on Windows. To run it, the attackers would send out a weaponized .docx file, capable of having MSDT run code even when in preview mode.

By abusing this utility, the attackers are able to tell the target endpoint (opens in new tab)to call an HTML file, from a remote URL. The attackers have chosen the xmlformats[.]com domain, probably trying to hide behind the similar-looking, albeit legitimate, openxmlformats.org domain used in most Word documents, the researchers are suggesting.

MalwareHunterTeam also found .docx files with Chinese filenames installing infostealers via http://coolrat[.]xyz. The HTML file holds plenty of “junk”, which obfuscates its true purpose - a script that downloads and executes a payload. The flaw, tracked as CVE-2022-30190, impacts all Windows client and server platforms still receiving security updates.

Following the publication of the findings, Microsoft has acknowledged the threat, saying a remote code execution vulnerability exists “when MSDT is called using the URL protocol from a calling application such as Word.”

“An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”

While some antivirus software are already capable of spotting this attack, Micorosft has also released a mitigation method, which includes disabling the MSDT URL protocol. This will prevent troubleshooters from being launched as links, but they can still be accessed using the Get Help application, and in system settings. To activate this workaround, admins need to do the following:

Run Command Prompt as Administrator.

To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename“

Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.

Via: BleepingComputer (opens in new tab)

https://img.particlenews.com/image.php?url=3pe8ik_0fwne4dw00

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Comments / 0

Related
TechRadar

Serious security bugs put millions of Android devices at risk

A couple of high-severity vulnerabilities were recently discovered in a mobile framework serving the Android (opens in new tab) operating systems, putting millions of people at risk. The Microsoft 365 Defender Research Team, which discovered the flaws in September last year, says they could have been used to launch serious...
CELL PHONES
TechRadar

Samsung killed the perfect smartphone for remote work with a dumb move

Back in 2017, Samsung introduced a feature called Dex which transformed your Android smartphone into a fully fledged desktop PC complete with mouse and keyboard support. It was - for many users - a life changer and provided with a compelling alternative to other desktop OS like Windows, Ubuntu or MacOS.
CELL PHONES
IN THIS ARTICLE
#Microsoft Office#Zero Day#Al Jazeera Balkans#The Microsoft Office#Cybersecurity#Chinese#Tibetan#Itw#Zip Archives#Hacker#Post Covid#Msdt Exe#Msdt#Html
YOU MAY ALSO LIKE
NewsBreak
Microsoft
NewsBreak
Data Security
NewsBreak
Technology
NewsBreak
Computers
NewsBreak
Software
shefinds

This iPhone App Is Ruining Your Battery! Experts Say It’s Time To Delete It

When you think about battery-hogging apps that you probably already have downloaded on your iPhone, is Facebook the first and only app to pop into your head? You aren’t wrong about that one — you’d be hard pressed to find a tech expert who doesn’t recommend deleting the Facebook app and, if you miss the services it provides, accessing the site in your browser instead. But Facebook isn’t the only app that is causing your battery to dwindle down to nothing fast. Some of the most helpful apps can do a number on your device’s power. This iPhone app is ruining your battery — and experts say it’s time to delete it.
CELL PHONES
Fortune

Australian billionaire slams Elon Musk’s return to work order right as his $48 billion firm discloses a huge security flaw

Sign up for the Fortune Features email list so you don’t miss our biggest features, exclusive interviews, and investigations. Australian tech billionaire Scott Farquhar started a war of words with Tesla CEO Elon Musk over the latter’s return-to-work policies. But a Twitter feud with Musk might need to wait, as Farquhar’s $48 billion software company is dealing with a serious hacker problem.
ECONOMY
CNET

Please, Clear Your Android Phone's Cookies and Cache

Whether you have a Google Pixel 6, Samsung Galaxy S22 or another Android smartphone, your browser collects and stores data every time you surf the web. This data makes up your cookies and cache, and it can often be helpful. It keeps you logged into your accounts and loads frequently visited sites faster, for example.
CELL PHONES
GeekyGadgets

How to record a call on an Android Phone

This guide is designed to show you how to record a call on your Android Phone, this is something that can be useful, when you record a call you should make sure that it is done legally. It should be made clear that you should not record a call or...
CELL PHONES
TechRadar

TechRadar

38K+
Followers
42K+
Post
4M+
Views
ABOUT

Its mix of genuine and reliable advice alongside entertaining and fun to read editorial content is why millions of people trust TechRadar to give them tech advice on everything from the latest smartphone releases to the best in digital cameras.

 http://www.techradar.com

Comments / 0

Community Policy