China-linked hackers are exploiting a new vulnerability
Chinese government-linked hackers are already using a newly found vulnerability in Microsoft Office.
According to information released by Proofpoint on Twitter, a hacking organization known as TA413 was using the vulnerability in malicious Word documents purportedly issued by the Central Tibetan Administration, the Tibetan government in exile based in Dharamsala, India. The TA413 group is an APT, or “advanced persistent threat,” actor previously spotted targeting the Tibetan exile population.
More broadly, Chinese hackers have a history of targeting Tibetans by exploiting software security holes. Citizen Lab produced a report in 2019 detailing extensive spyware targeting Tibetan political officials, including through Android browser exploits and malicious links transmitted via WhatsApp. Browser extensions have also been weaponized, with Proofpoint previously discovering the deployment of a malicious Firefox add-on to eavesdrop on Tibetan activists.
Microsoft has now formally acknowledged the vulnerability, designated CVE-2022-30190, while there are claims that earlier attempts to alert Microsoft to the same flaw were rejected.
The Microsoft Word vulnerability first gained significant attention on May 27th, when a security research group known as Nao Sec took to Twitter to discuss a sample submitted to the web malware scanning service VirusTotal. According to Nao Sec’s tweet, the malicious code was delivered in Microsoft Word documents, which were then used to execute instructions via PowerShell, a sophisticated system management tool for Windows.
According to Microsoft’s security response blog, an attacker who exploits the vulnerability could install programs; view, change, or delete data; and even create new user accounts on a compromised system. So far, Microsoft has not produced an official patch but has provided mitigation steps for the vulnerability, including manually disabling the MSDT URL protocol. The potential attack surface is extensive because of the widespread use of Microsoft Office and related products.
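The workaround mentioned above, disabling the MSDT URL protocol, comes down to removing the registry key that registers the ms-msdt: scheme. The script below is an added example written for this page; it is not code from the article, from Proofpoint or from Microsoft. It assumes a Windows host, an elevated (Administrator) PowerShell session, and a backup location under ProgramData, which is an arbitrary choice. It exports the key before deleting it, verifies the result, and keeps a restore function for use once the official fix has been installed.

```powershell
# Added example (not from the article): back up and remove the ms-msdt URL
# protocol handler registration for the CVE-2022-30190 workaround, then verify.
# Run from an elevated (Administrator) PowerShell session.

$KeyPath    = 'HKEY_CLASSES_ROOT\ms-msdt'                      # key that registers the ms-msdt: scheme
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'  # assumed backup location

function Test-MsdtProtocolRegistered {
    # Returns $true while the ms-msdt: protocol handler key is still present.
    return Test-Path -Path "Registry::$KeyPath"
}

function Disable-MsdtProtocol {
    if (-not (Test-MsdtProtocolRegistered)) {
        Write-Output "ms-msdt protocol key not present; nothing to do."
        return
    }

    # 1. Export the key so the registration can be restored after patching.
    reg.exe export $KeyPath $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $BackupFile)) {
        throw "Backup of $KeyPath failed; refusing to delete without a backup."
    }

    # 2. Remove the registration so ms-msdt: links no longer launch MSDT.
    reg.exe delete $KeyPath /f | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Deletion of $KeyPath failed."
    }

    # 3. Verify that the key is really gone before reporting success.
    if (Test-MsdtProtocolRegistered) {
        throw "$KeyPath is still present after deletion."
    }
    Write-Output "ms-msdt protocol disabled; backup saved to $BackupFile"
}

function Restore-MsdtProtocol {
    # Re-import the exported key once the official fix has been applied.
    if (-not (Test-Path -Path $BackupFile)) {
        throw "No backup found at $BackupFile"
    }
    reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Import of $BackupFile failed."
    }
    Write-Output "ms-msdt protocol restored from $BackupFile"
}

# Apply the workaround. Call Restore-MsdtProtocol later to undo it.
Disable-MsdtProtocol
```

The backup step is deliberate: deleting the key breaks the Windows troubleshooter shortcuts that rely on ms-msdt:, so the export is what lets you roll the change back cleanly after the patch lands. Test-MsdtProtocolRegistered can also be run on its own across a fleet to confirm which machines still have the handler registered.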