China-linked hackers are exploiting a new vulnerability in Microsoft Office - The Verge

Hackers linked to the Chinese government are believed to be exploiting the newly discovered Follina vulnerability in Microsoft Office, which lets attackers remotely execute code on Windows systems.

A newly discovered vulnerability in Microsoft Office is already being exploited by hackers linked to the Chinese government, according to threat analysis research from security firm Proofpoint.

Details shared by Proofpoint on Twitter suggest that a hacking group labeled TA413 was using the vulnerability (named “Follina” by researchers) in malicious Word documents purporting to come from the Central Tibetan Administration, the Tibetan government in exile based in Dharamsala, India. The TA413 group is an APT, or “advanced persistent threat,” actor that is believed to be linked to the Chinese government and has previously been observed targeting the Tibetan exile community.

In general, Chinese hackers have a history of using software security flaws to target Tibetans. A report published by Citizen Lab in 2019 documented extensive targeting of Tibetan political figures with spyware, including through Android browser exploits and malicious links sent through WhatsApp. Browser extensions have also been weaponized for the purpose, with previous analysis from Proofpoint uncovering the use of a malicious Firefox add-on to spy on Tibetan activists.

The Microsoft Word vulnerability began to receive widespread attention on May 27th, when a security research group known as Nao Sec took to Twitter to discuss a sample submitted to the online malware scanning service VirusTotal. Nao Sec’s tweet flagged the malicious code as being delivered through Microsoft Word documents, which were ultimately used to execute commands through PowerShell, a powerful system administration tool for Windows.

Interesting maldoc was submitted from Belarus. It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code. https://t.co/hTdAfHOUx3 pic.twitter.com/rVSb02ZTwt

https://www.theverge.com/2022/6/1/23150318/microsoft-office-china-hackers-exploiting-follina-vulnerability-tibet

