A newly discovered vulnerability in Microsoft Office is already being exploited by hackers linked to the Chinese government, according to threat analysis research from security firm Proofpoint.
Details shared by Proofpoint on Twitter suggest that a hacking group labeled TA413 was using the vulnerability (named “Follina” by researchers) in malicious Word documents purported to be sent from the Central Tibetan Administration, the Tibetan government in exile based in Dharamsala, India. The TA413 group is an APT, or “advanced persistent threat,” actor believed to be linked to the Chinese government and has previously been observed targeting the Tibetan exile community.
In general, Chinese hackers have a history of using software security flaws to target Tibetans. A report published by Citizen Lab in 2019 documented extensive targeting of Tibetan political figures with spyware, including through Android browser exploits and malicious links sent through WhatsApp. Browser extensions have also been weaponized for the purpose, with previous analysis from Proofpoint uncovering the use of a malicious Firefox add-on to spy on Tibetan activists.
The Microsoft Word vulnerability first began to receive widespread attention on May 27th, when a security research group known as Nao Sec took to Twitter to discuss a sample submitted to the online malware scanning service VirusTotal. Nao Sec’s tweet flagged the malicious code as being delivered through Microsoft Word documents, which were ultimately used to execute commands through PowerShell, a powerful system administration tool for Windows.
In a blog post published on May 29th, researcher Kevin Beaumont shared further details of the vulnerability. Per Beaumont’s analysis, the vulnerability let a maliciously crafted Word document load HTML files from a remote webserver and then execute PowerShell commands by hijacking the Microsoft Support Diagnostic Tool (MSDT), a program that usually collects information about crashes and other problems with Microsoft applications.
According to Microsoft’s own security response blog, an attacker able to exploit the vulnerability could install programs, access, modify, or delete data, and even create new user accounts on a compromised system. So far, Microsoft has not issued an official patch but offered mitigation measures for the vulnerability that involve manually disabling the URL loading feature of the MSDT tool.
Due to the widespread use of Microsoft Office and related products, the potential attack surface for the vulnerability is large. Current analysis suggests that Follina affects Office 2013, 2016, 2019, 2021, Office ProPlus, and Office 365; and, as of Tuesday, the US Cybersecurity and Infrastructure Security Agency was urging system administrators to implement Microsoft’s guidance for mitigating exploitation.