Windows zero-day exploited in phishing campaigns against European and US local governments.
European governments and US local governments were targeted in a phishing campaign using malicious Rich Text Format (RTF) documents by exploiting a critical Windows zero-day vulnerability known as Follina.
Local governments in at least two US states were targeted by this phishing campaign.
Security researchers at enterprise security firm Proofpoint revealed that they have blocked a suspected state-aligned phishing campaign targeting fewer than 10 Proofpoint customers (European governments and local US governments) that attempted to exploit Follina, tracked as CVE-2022-30190.
The threat actors used promises of a salary increase to lure employees into opening the malicious documents, which deploy a PowerShell script as the final payload.
The script checks whether the system is a virtual machine, steals information from multiple web browsers, mail clients, and file-transfer services, and collects system information that is exfiltrated to an attacker-controlled server.
The attackers collect a large amount of information, which points to the reconnaissance nature of this campaign. The collected data can be used for initial access:
Browser passwords: Google Chrome, Mozilla Firefox, Microsoft Edge, Opera, Yandex, Vivaldi, CentBrowser, Comodo, CheDot, Orbitum, Chromium, Slimjet, Xvast, Kinza, Iridium, CocCoc, and AVAST Browser.
Data from other apps: Mozilla Thunderbird, Netsarang session files, Windows Live Mail contacts, Filezilla passwords, ToDesk configuration file, WeChat, Oray SunLogin RemoteClient, MailMaster, ServU, Putty, FTP123, WinSCP, RAdmin, Microsoft Office, Navicat.
Windows information: computer information, list of usernames, Windows domain information.
The security flaw was described by Redmond as a Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution bug.
The flaw is still unpatched, and it affects all Windows versions that still receive security updates (i.e., Windows 7 and later, and Server 2008 and later).
When successfully exploited, this zero-day can be used to execute arbitrary code with the privileges of the calling application: to install programs; to view, change, or delete data; or to create new Windows accounts.
The researchers spotted that the China-linked TA413 hacking group is exploiting the vulnerability in attacks against their favorite target, the international Tibetan community.
However, the first attacks targeting this zero-day were spotted more than a month ago, using sextortion threats and invitations to Sputnik Radio interviews as baits.
Microsoft has yet to release patches for CVE-2022-30190; meanwhile, after Microsoft reported active exploitation of the bug in the wild, CISA has urged Windows admins and users to disable the MSDT URL protocol abused in these attacks.
Until Microsoft releases official security updates, users can protect their systems against these ongoing attacks using unofficial patches released by the 0patch micropatching service.
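As an added example that is not part of the article, the following PowerShell script applies the MSDT workaround CISA refers to, following Microsoft's published guidance of exporting and then deleting the ms-msdt URL-handler registry key. The backup file location is an assumption; adjust it to your own change-management practice.

```powershell
# Added example (not from the article): disables the ms-msdt: URL handler that
# Follina abuses, following Microsoft's published workaround of exporting the
# HKEY_CLASSES_ROOT\ms-msdt key before deleting it. Run from an elevated prompt.
# $BackupPath is an assumed location; change it to suit your environment.
$Key        = 'HKCR:\ms-msdt'
$BackupPath = Join-Path $env:ProgramData 'ms-msdt-backup.reg'

# HKCR: is not a default PSDrive, so map it before touching the key.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

if (Test-Path $Key) {
    # Keep a backup so the handler can be restored once an official patch is installed.
    reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
    if (-not (Test-Path $BackupPath)) {
        throw "Backup failed; refusing to delete $Key without one"
    }

    Remove-Item -Path $Key -Recurse -Force
    Write-Host "Removed $Key; backup saved to $BackupPath"
} else {
    Write-Host "$Key not present; nothing to do"
}

# Verify the handler is really gone; if it is still registered, the workaround did not apply.
if (Test-Path $Key) { throw 'ms-msdt handler is still registered' }
Write-Host 'ms-msdt: URL handler disabled'
```

Once the official update is installed, the handler can be restored with `reg.exe import` on the backup file.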