A Windows zero-day vulnerability known as Follina has attacked US local governments and European governments.
A suspected state-backed cyberattack exploited the Microsoft Office "Follina" vulnerability to target European and U.S. government organizations.
With the ongoing COVID-19 pandemic and the geopolitical conflict in eastern Europe, hacking has become increasingly rampant nowadays as malicious actors try to cope with ransomware.
This time, even the government has become severely affected.
Hacking in the U.S. Government
Local governments in the United States were the targets of a phishing campaign that exploited a severe zero-day vulnerability in Microsoft Windows by utilizing malicious Rich Text Format (RTF) documents. These papers were designed to exploit the vulnerability.
According to The Hacker News, Proofpoint, a company that specializes in enterprise security, has stated that it has prevented attempts to exploit the vulnerability known as CVE-2022-30190, which allows remote code execution (CVSS score: 7.8). A minimum of one thousand phishing emails, each of which contained a bait document, were delivered to the targets.
The company tweeted stating, "Proofpoint blocked a suspected state aligned phishing campaign targeting less than 10 Proofpoint customers (European gov & local US gov) attempting to exploit #Follina / #CVE_2022_30190."
Proofpoint then added that this campaign pretended to be an offer of a raise in compensation and used an RTF file containing the exploit payload that was downloaded from 45.76.53 [.]253.
The attackers enticed employees with the prospect of salary increases in order to get them to open the lure documents, which contained a PowerShell script that would be utilized as the final payload.
This is used to determine whether the system in question is a virtual machine, to steal information from a number of web browsers, mail clients, and file services, and to collect information about the system itself, which is then sent to a server under the control of the malicious actor.
Windows Vulnerability
This phishing attack has a final PowerShell payload that can harvest a large amount of personal data that can be used for personal access. Below is some of the data that can be compromised, as detailed by Bleeping Computer:
First, in Windows, it can get hold of the list of usernames, computer information, and the Windows domain information.
Second, it can collect passwords from browsers such as Mozilla Firefox, Google Chrome, Opera, Microsoft Edge, and many more.
Lastly, it can collect data from sites such as WeChat, Microsoft Office, Windows Live Mail contacts, Mozilla Thunderbird, Filezilla passwords, and many more.
The attacker can then install applications, read, alter, or remove data, or establish new accounts within the context allowed by the user's rights. All of these actions are dependent on the user's permission.
Proofpoint also disclosed the previous week that a hacking group with ties to China known as TA413 is now abusing the vulnerability in assaults directed at their primary target, which is the international Tibetan community.
In addition, MalwareHunterTeam, a team of researchers specializing in computer security, came across dangerous documents with Chinese filenames that were used to deploy password-stealing trojans.
However, exploited attacks from this Windows zero-day vulnerability have been detected since last month, using sextortion threats and invitations to Sputnik Radio interviews as bait.
Unfortunately, patches for CVE-2022-30190 are still not available. After Microsoft disclosed active exploitation of the flaw in the wild, CISA encouraged Windows admins and users to disable MSDT.