A month after a new vulnerability was discovered in Windows and Windows Server, which Microsoft reportedly snubbed as “not a security related issue,” the tech giant has now publicly acknowledged that the vulnerability was being exploited by Chinese hackers using malicious Microsoft Word documents.
According to a recent threat-research update from the security company Proofpoint, the unpatched Microsoft Office zero-day vulnerability named “Follina”, which allows malicious code to be executed remotely on Windows systems, has already been exploited by hackers linked to the Chinese government. A zero-day is a flaw in software, hardware or firmware that is unknown to the party or parties responsible for patching or otherwise fixing the flaw.
According to Proofpoint, the Chinese hacking group TA413, a state-affiliated threat actor, is making use of Follina via infected Word documents and is considered an “advanced persistent threat” — a stealthy threat actor, typically a nation state or state-sponsored group, which gains unauthorised access to a computer network and remains undetected for an extended period.
In general, Chinese hackers have a history of using software security flaws to target Tibetans. A report published by Citizen Lab in 2019 documented how TA413 targeted Tibetan organisations across the world using a malicious Firefox add-on, dubbed FriarFox, that allowed them to steal Gmail and Firefox browser data and deliver malware on infected systems.
In a blog post published on May 29, researcher Kevin Beaumont shared details of the vulnerability. According to him, the vulnerability "allows a maliciously crafted Word document [to] load HTML files from a remote web server and then execute PowerShell commands by hijacking the Microsoft Support Diagnostic Tool (MSDT), a program that usually collects information about crashes and other problems with Microsoft applications".
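The mechanism described above leaves a recognisable trace inside the document itself: a `.docx` is a ZIP package, and a document that fetches remote HTML does so through an external relationship in one of its `.rels` parts, while the hand-off to MSDT appears as an `ms-msdt:` URI. The following triage scanner is an added example for defenders and is not code from the article, from Proofpoint or from Kevin Beaumont; it builds a constructed minimal `.docx` in memory (no real payload) and flags the two indicators. The relationship-type URIs and the `.rels` namespace are standard OOXML identifiers; the `example.invalid` hostname and the `build_sample_docx` helper are constructed for the demonstration.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

# Standard OOXML namespace for package relationships (*.rels parts).
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# Relationship types through which Word will fetch content from a remote URL.
REMOTE_REL_TYPES = {
    OLE_TYPE,
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate",
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/frame",
}
# The protocol handler that hands control to the Microsoft Support Diagnostic Tool.
MSDT_URI_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)


def scan_docx(data: bytes) -> list:
    """Return a list of human-readable findings for a .docx supplied as raw bytes.

    Two indicators are reported:
      1. an External-mode relationship of a content-loading type whose target is http(s);
      2. the ms-msdt: URI scheme appearing anywhere in the package.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            content = z.read(name)
            if name.endswith(".rels"):
                root = ET.fromstring(content)
                for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                    if rel.get("TargetMode") != "External":
                        continue
                    rtype = rel.get("Type", "")
                    target = rel.get("Target", "")
                    if rtype in REMOTE_REL_TYPES and target.lower().startswith(("http://", "https://")):
                        short_type = rtype.rsplit("/", 1)[-1]
                        findings.append(f"{name}: external {short_type} -> {target}")
            if MSDT_URI_RE.search(content):
                findings.append(f"{name}: contains ms-msdt: URI")
    return findings


def build_sample_docx(external_target: str = None, embed_msdt: bool = False) -> bytes:
    """Build a minimal .docx in memory. Constructed test data only: it carries no payload,
    just the structural indicators the scanner looks for."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body><w:p><w:r><w:t>hello</w:t></w:r></w:p></w:body></w:document>"
    )
    rels = ['<?xml version="1.0" encoding="UTF-8"?>', f'<Relationships xmlns="{RELS_NS}">']
    if external_target:
        # An oleObject relationship pointing at a remote URL is the tell-tale shape.
        rels.append(
            f'<Relationship Id="rId9" Type="{OLE_TYPE}" Target="{external_target}" TargetMode="External"/>'
        )
    rels.append("</Relationships>")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(
            "[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", "".join(rels))
        if embed_msdt:
            # Constructed marker only; a placeholder follows the scheme, not a real invocation.
            z.writestr("word/hyperlink.xml", "ms-msdt:PLACEHOLDER")
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample_docx()
    suspicious = build_sample_docx("http://example.invalid/remote.html", embed_msdt=True)
    print("clean:", scan_docx(clean))
    print("suspicious:", scan_docx(suspicious))
```

To use it on real files, read the document bytes and pass them to `scan_docx`; an empty list means neither indicator was found. The scanner is deliberately conservative: legitimate documents rarely carry an External-mode `oleObject` or `attachedTemplate` relationship to an http(s) URL, so either hit is worth a manual look, and any `ms-msdt:` string in an Office package is a strong signal on its own.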
According to Microsoft’s own security response blog, an attacker who successfully exploits the vulnerability can install programs; access, modify or delete data; and even create new user accounts on a compromised system. So far, Microsoft has not issued an official patch but has offered guidance on the vulnerability that involves manually disabling the URL loading feature of the MSDT tool.