2022-06-02

A newly discovered vulnerability in Microsoft Office has sparked alerts around this popular collection of applications.

This vulnerability, widely reported in recent days, has been exploited by hackers linked to the Chinese government, according to threat analysis research from security firm Proofpoint.

Attacks from China against Tibet via Office

The details shared by Proofpoint in its report suggest that a hacker group named TA413 was using the aforementioned vulnerability, dubbed “Follina” by researchers, in malicious Word documents purportedly sent by the Central Tibetan Administration, the Tibetan government-in-exile based in Dharamsala, India. TA413 is an APT, or “Advanced Persistent Threat”, actor believed to be linked to the Chinese government, and it has previously been observed targeting the Tibetan exile community.

Due to the widespread use of Microsoft Office and its related products, the potential attack surface for the vulnerability is large. Current analysis suggests that Follina affects Office 2013, 2016, 2019, 2021, Office ProPlus, and Office 365.

The Microsoft Word vulnerability became widely known on May 27, when a security research group known as Nao Sec took to Twitter to discuss a sample submitted to the online malware scanning service VirusTotal. Nao Sec's tweet notes that the malicious code was distributed via Microsoft Word documents, which were ultimately used to execute commands via PowerShell, a powerful system administration tool for Windows.

Days later, researcher Kevin Beaumont shared more details of the vulnerability. According to his analysis, the vulnerability allowed a maliciously crafted Word document to load HTML files from a remote web server and then execute PowerShell commands by hijacking the Microsoft Support Diagnostic Tool (MSDT), a program that normally collects information about crashes and other problems with Microsoft applications.
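The chain described above ends with an Office application handing control to msdt.exe, and that parent-child relationship is what a defender can look for in process-creation telemetry. The PowerShell below is an added example, not code from the article or from the researchers it cites: it scores constructed sample records shaped like Sysmon Event ID 1 fields (ParentImage, Image, CommandLine). The list of Office process names, the sample records and the check for the "ms-msdt:" URL scheme (the scheme under which Windows registers MSDT) are this example's own assumptions; in practice you would feed it records returned by Get-WinEvent.

```powershell
# Added example: flag process-creation records in which an Office application
# spawns msdt.exe, the pattern implied by the Follina description above.
# The Office process list is an assumption of this example, not from the article.
$OfficeParents = @('WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE')

function Test-OfficeSpawnedMsdt {
    param(
        [Parameter(Mandatory)] [string] $ParentImage,
        [Parameter(Mandatory)] [string] $Image,
        [string] $CommandLine = ''
    )
    $parentName = [System.IO.Path]::GetFileName($ParentImage).ToUpperInvariant()
    $childName  = [System.IO.Path]::GetFileName($Image).ToUpperInvariant()

    $officeParent = $OfficeParents -contains $parentName
    $msdtChild    = $childName -eq 'MSDT.EXE'
    # msdt.exe started through its URL protocol carries "ms-msdt:" on the
    # command line; an Office parent alone is already unusual for msdt.exe.
    $viaUrlScheme = $CommandLine -match 'ms-msdt:'

    $confidence = if ($officeParent -and $msdtChild -and $viaUrlScheme) { 'high' }
                  elseif ($officeParent -and $msdtChild)                { 'medium' }
                  else                                                  { 'none' }

    [pscustomobject]@{
        Parent     = $parentName
        Child      = $childName
        Suspicious = ($officeParent -and $msdtChild)
        Confidence = $confidence
    }
}

# CONSTRUCTED sample records using Sysmon Event ID 1 field names; not real telemetry.
$SampleEvents = @(
    [pscustomobject]@{
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\System32\msdt.exe'
        CommandLine = 'msdt.exe ms-msdt:/id <placeholder-diagnostic-id>'
    },
    [pscustomobject]@{
        ParentImage = 'C:\Windows\explorer.exe'           # user opened a troubleshooter
        Image       = 'C:\Windows\System32\msdt.exe'
        CommandLine = 'msdt.exe /id NetworkDiagnosticsWeb'
    },
    [pscustomobject]@{
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\splwow64.exe'           # printing from Word
        CommandLine = 'splwow64.exe 8192'
    }
)

$SampleEvents |
    ForEach-Object {
        Test-OfficeSpawnedMsdt -ParentImage $_.ParentImage -Image $_.Image -CommandLine $_.CommandLine
    } |
    Format-Table -AutoSize
```

Only the first record is flagged: an Office parent plus msdt.exe plus the URL scheme. The explorer.exe launch is a user running a troubleshooter, and Word spawning the print helper is routine, so a rule keyed on msdt.exe alone or on Word spawning children would be noisy. Tune the parent list to the Office applications actually deployed in your environment.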

Microsoft acknowledged the vulnerability, officially tracked as CVE-2022-30190. It has not yet issued an official patch, but it has published mitigation measures, which involve manually disabling the MSDT URL protocol handler.
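Disabling the handler means unregistering the ms-msdt: URL protocol, which Windows stores under HKEY_CLASSES_ROOT\ms-msdt, so that Office has nothing to hand a document-embedded MSDT link to. The PowerShell below is an added example, not the article's content and not Microsoft's published commands: it reports whether the handler is registered, exports the key before removing it so the change can be reversed with reg.exe import once a patch is installed, and honours -WhatIf for a dry run. The backup path is an assumption; run it from an elevated session.

```powershell
# Added example: inspect and optionally unregister the ms-msdt: URL protocol
# handler stored under HKEY_CLASSES_ROOT\ms-msdt. Requires an elevated session.
$MsdtKey = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

function Get-MsdtProtocolHandler {
    # Reports whether the handler is registered and which command it would run.
    $cmdKey = "$MsdtKey\shell\open\command"
    [pscustomobject]@{
        Registered = Test-Path -LiteralPath $MsdtKey
        Command    = if (Test-Path -LiteralPath $cmdKey) {
                         (Get-ItemProperty -LiteralPath $cmdKey).'(default)'
                     } else { $null }
    }
}

function Disable-MsdtProtocolHandler {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumed backup location; restore later with: reg.exe import <file>
        [string] $BackupPath = (Join-Path $env:ProgramData 'ms-msdt-backup.reg')
    )
    if (-not (Test-Path -LiteralPath $MsdtKey)) {
        Write-Verbose 'ms-msdt handler is not registered; nothing to do.'
        return
    }
    # Export before deleting so the mitigation is reversible after patching.
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Backup to $BackupPath failed; leaving the handler in place."
    }
    if ($PSCmdlet.ShouldProcess('HKEY_CLASSES_ROOT\ms-msdt', 'Remove URL protocol handler')) {
        Remove-Item -LiteralPath $MsdtKey -Recurse -Force
        Write-Verbose "Handler removed; backup written to $BackupPath"
    }
}

Get-MsdtProtocolHandler                 # state before
Disable-MsdtProtocolHandler -WhatIf     # dry run; drop -WhatIf to apply
Get-MsdtProtocolHandler                 # state after (unchanged in a dry run)
```

The backup step is deliberately fatal on failure: removing the key without an export leaves no clean way to restore the built-in troubleshooter behaviour later. Re-run Get-MsdtProtocolHandler after applying the change, and again after Microsoft's patch, to confirm the state you expect on each host.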