China-backed hackers, previously observed targeting the Tibetan government-in-exile in Dharamshala, are actively exploiting an unpatched Windows flaw, reached through Microsoft Office documents, that lets them run code on a victim’s machine and view, change or delete its data.
According to cyber-security firm Proofpoint, the newly discovered vulnerability known as ‘Follina’, which is triggered through booby-trapped Microsoft Office documents, is being exploited by the Chinese government-linked advanced persistent threat (APT) group ‘TA413’.
“TA413 CN APT spotted ITW exploiting the #Follina #0Day using URLs to deliver Zip Archives which contain Word Documents that use the technique. Campaigns impersonate the “Women Empowerments Desk” of the Central Tibetan Administration,” Proofpoint said in a tweet.
Chinese hackers have a long history of targeting Tibetans by exploiting software security flaws.
Microsoft has acknowledged the vulnerability, tracked as CVE-2022-30190, in the Microsoft Support Diagnostic Tool (MSDT) in Windows, but has yet to issue a security patch and has so far published only mitigation guidance.
“An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programmes, view, change, or delete data, or create new accounts in the context allowed by the user’s rights,” Microsoft said in an update.
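As an added illustration (not Proofpoint’s or Microsoft’s code, and not part of the original report), the following Python script performs the static triage a defender would run on the delivery chain Proofpoint describes: it unpacks a ZIP archive, inspects each Word document’s relationship part for an external OLE object target, and checks a fetched second-stage HTML page for an ‘ms-msdt:’ invocation, the handler that passes attacker-controlled parameters to MSDT. The archive, documents, host name and HTML are all constructed inline for the example; the diagnostic package name PCWDiagnostic is the one used in the public Follina samples.

```python
"""Static triage for the Follina (CVE-2022-30190) delivery chain described
above: a ZIP archive carrying a Word document whose relationship part points
at an external OLE object (an HTML page that then invokes the ms-msdt: URL
handler). Added example; all inputs below are constructed, not real samples.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
RELS_PART = "word/_rels/document.xml.rels"
OLE_REL_SUFFIX = "/relationships/oleObject"
OFFICE_EXTS = (".docx", ".docm", ".dotx", ".dotm")
# Second stage: the fetched HTML navigates to ms-msdt:/id <package> ...,
# which is what hands attacker-controlled parameters to MSDT.
MSDT_RE = re.compile(r"ms-msdt:/?id\s+([A-Za-z0-9_]+)", re.IGNORECASE)


def external_ole_targets(docx_bytes):
    """Return targets of external OLE relationships declared by a .docx.

    A legitimate document embeds OLE objects as internal parts; an external
    URL target here is the Follina hallmark (often ending in '!').
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PART not in z.namelist():
            return hits
        root = ET.fromstring(z.read(RELS_PART))
    for rel in root.iter(RELS_NS + "Relationship"):
        if rel.get("TargetMode", "Internal").lower() != "external":
            continue
        if rel.get("Type", "").endswith(OLE_REL_SUFFIX):
            hits.append(rel.get("Target", ""))
    return hits


def msdt_invocations(html_text):
    """Return the MSDT diagnostic package ids invoked by a second-stage page."""
    return MSDT_RE.findall(html_text)


def scan_archive(zip_bytes):
    """Map each Office document in a delivery archive to its external OLE targets."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for name in outer.namelist():
            if not name.lower().endswith(OFFICE_EXTS):
                continue
            try:
                targets = external_ole_targets(outer.read(name))
            except (zipfile.BadZipFile, ET.ParseError):
                continue  # not a well-formed OOXML package; needs manual review
            if targets:
                findings[name] = targets
    return findings


# ---- constructed samples (placeholders, not captured malware) ----
RELS_HEAD = ('<?xml version="1.0" encoding="UTF-8"?>'
             '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">')
BENIGN_RELS = RELS_HEAD + (
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"'
    ' Target="media/image1.png"/></Relationships>')
LURE_RELS = RELS_HEAD + (
    '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"'
    ' Target="http://lure.example.invalid/stage.html!" TargetMode="External"/></Relationships>')
SAMPLE_STAGE_HTML = (
    '<script>window.location.href = "ms-msdt:/id PCWDiagnostic /skip force '
    '/param \\"IT_BrowseForFile=placeholder\\"";</script>')


def build_docx(rels_xml):
    """Minimal constructed .docx containing only the parts this scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr(RELS_PART, rels_xml)
    return buf.getvalue()


def build_sample_archive():
    """Constructed delivery ZIP: one lure document plus one benign document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Women_Empowerment_Desk.docx", build_docx(LURE_RELS))
        z.writestr("agenda.docx", build_docx(BENIGN_RELS))
    return buf.getvalue()


if __name__ == "__main__":
    for doc, targets in scan_archive(build_sample_archive()).items():
        print(f"{doc}: external OLE target(s) {targets}")
    print("MSDT packages in stage HTML:", msdt_invocations(SAMPLE_STAGE_HTML))
```

The check is deliberately narrow: it reads only the main document’s relationship part, so headers, footers and RTF variants need the same treatment, and an external OLE relationship on its own is a strong lead for analysis rather than proof of exploitation.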
Kevin Beaumont, a cyber-security researcher, also detailed the new vulnerability in a blog post.
The Verge reports that current research indicates that ‘Follina’ affects Microsoft Office 2013, 2016, 2019, 2021, Office ProPlus, and Office 365.
The US Cybersecurity and Infrastructure Security Agency (CISA) has also urged system administrators to follow Microsoft’s mitigation guidance, whose core step is disabling the MSDT URL protocol handler (the ‘ms-msdt:’ scheme) until a patch is available.
“Customers with Microsoft Defender Antivirus should turn on cloud-delivered protection and automatic sample submission. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats,” said Microsoft.