Chinese actors have been observed utilizing CVE-2022-30190, now also known as Follina, to execute malicious code via the MSDT protocol when targets open or preview Word documents delivered in ZIP archives. The TA413 APT group, a hacking outfit linked to Chinese state interests and known for targeting Tibetan targets in the past, has adopted this vulnerability in attacks against the international Tibetan community, according to new research from Proofpoint. Since initial disclosure, Chinese-linked threat actors are now actively utilizing CVE-2022-30190 to execute malicious code remotely on targeted Windows systems. To back up the registry key, execute the command “reg import filename“.Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename“. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters. Mitigation Measuresĭisabling MSDT URL protocol prevents troubleshooters being launched as links including links throughout the operating system. The attacker, after execution of the payload, can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights. The malicious document, or maldoc, leverages Word’s remote template feature to fetch an HTML file from a server, which then makes use of the “ms-msdt://” URI scheme to run the malicious payload. The MSDT vulnerability came to light after an independent cybersecurity research team known as nao_sec uncovered a Word document that was uploaded to VirusTotal from an IP address in Belarus on the 25th of May 2022. MSDT is short for Microsoft Support Diagnostics Tool, a utility that is used to troubleshoot and collect diagnostic data for analysis by support professionals to resolve various technical problems. RH-ISAC members are encouraged to review the mitigation measures below for security posture and awareness. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The remote code execution vulnerability exists when Microsoft Support Diagnostic Tool (MSDT) is called using the URL protocol from a calling application such as Word. Microsoft‘s entry for CVE-2022-30190 indicates it affects MSDT on all versions of Windows and Windows Server and has detected exploitation in the wild. Microsoft has shared mitigation measures, which are included below, to block attacks exploiting the flaw, designated CVE-2022-30190, while a patch is being developed.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |