A newly discovered security vulnerability in Microsoft Office is being exploited by hackers linked to the Chinese government.
According to a report from the cybersecurity company Proofpoint, the hacker group exploiting this vulnerability is tracked as TA413, and the vulnerability itself has been named Follina.
Proofpoint discovered the exploitation of this vulnerability in a Word document addressed to the Central Tibetan Administration, the Tibetan government in exile in Dharamsala, India.
TA413 is an APT (advanced persistent threat) actor believed to be an arm of the Chinese government, and it has previously targeted the exiled Tibetan community.
Historically, Chinese hackers have often used security holes in popular software to target Tibet. A report published by Citizen Lab in 2019 revealed various operations in which they used spyware against Tibetan political figures, including through the Android browser and malware links distributed via WhatsApp.
They have also used browser extensions armed with malware for this purpose. Earlier reports from Proofpoint revealed that hackers were using a Firefox add-on containing malware to target Tibetan activists.
This Microsoft Word security vulnerability was first revealed on May 27, when the security researcher Nao Sec discussed the malware from a sample submitted for research on VirusTotal.
Nao Sec flagged malicious code delivered via Word documents, which was then used to execute commands via PowerShell, a powerful system administration tool for Windows.
Then, in a blog post published on May 29, Kevin Beaumont, also a security researcher, discussed the vulnerability further. According to his analysis, the vulnerability allows modified Word documents to load HTML files from a remote web server and execute PowerShell commands by abusing the Microsoft Support Diagnostic Tool (MSDT).
MSDT is a program used to collect information when software crashes or other problems occur in software made by Microsoft, as quoted from The Verge, Friday (3/6/2022).
Microsoft has now acknowledged the vulnerability and assigned it the identifier CVE-2022-30190. In its blog post, Microsoft said this vulnerability allows attackers to install programs; access, modify, and delete data; and even create new user accounts on the victim's system.
So far Microsoft has not released a patch for this vulnerability. It has only provided an emergency workaround, namely manually disabling the URL protocol handler for MSDT.
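One way a defender can triage incoming Word documents for the delivery mechanism described above, as an added example that is not from the article, from Proofpoint or from Microsoft: it unpacks a .docx (a zip of XML parts) and flags any OLE object relationship whose target is an external http(s) URL rather than an embedded part. The scanner, the in-memory sample document and the example.invalid hostname are constructed for illustration; this is a heuristic, not a full detection.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespace and relationship type used by OOXML relationship parts (*.rels).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
            "relationships/oleObject")


def find_remote_ole_targets(docx_bytes):
    """Return (part, url) pairs for OLE objects Word would fetch over http(s).

    A normal embedded object points at a local part such as
    embeddings/oleObject1.bin; an external http(s) target is the pattern
    described in the article and deserves a closer look. Heuristic only.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                target = rel.get("Target", "")
                if (rel.get("TargetMode") == "External"
                        and rel.get("Type") == OLE_TYPE
                        and re.match(r"https?://", target, re.IGNORECASE)):
                    hits.append((name, target))
    return hits


def build_sample_docx(ole_target, target_mode="External"):
    """Construct a minimal .docx in memory (sample data, not a real document)."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="%s"/>'
        '</Relationships>' % (REL_NS, OLE_TYPE, ole_target, target_mode)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: the hostname is a placeholder, not a real indicator.
    sample = build_sample_docx("http://example.invalid/remote.html")
    for part, url in find_remote_ole_targets(sample):
        print("external OLE target in %s -> %s" % (part, url))
```

Run it against real files by passing the bytes of a .docx to find_remote_ole_targets; an empty list means no external http(s) OLE relationship was found, not that the file is safe.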
The Follina vulnerability affects the following versions of Microsoft Office:
Microsoft Office 2013
Microsoft Office 2016
Microsoft Office 2019
Microsoft Office 2021
Microsoft Office ProPlus
Microsoft Office 365