7 June 2022

Windows bug Follina exploited in attacks on European and US governments


Proofpoint has blocked a phishing campaign aimed at its customers, which are European and US governments. Cybercriminals attempted to exploit the infamous Follina vulnerability (CVE-2022-30190) in Windows using malicious RTF documents.

The Follina vulnerability resides in the Microsoft Windows Support Diagnostic Tool (MSDT). It is a remote code execution bug that affects all supported Windows versions. Successful exploitation could allow an attacker to execute arbitrary code with the privileges of the calling application: to install programs, view, change or delete data, or create new Windows accounts. As of now, the vulnerability has yet to be patched.

In the new campaign discovered by Proofpoint, the hackers used a phishing scam to convince victims to open the malicious documents. According to the researchers, the threat actors sent phishing messages to employees of the government organizations with malicious documents promising a salary increase. Eventually, these documents deployed a PowerShell script as the final payload.

This script would check if the targeted system is a virtual machine, steal information from web browsers (Google Chrome, Mozilla Firefox, Microsoft Edge, Opera, Yandex, Vivaldi, CentBrowser, etc.), mail clients, and file services, and steal system information (computer information, list of usernames, Windows domain information).

Proofpoint believes that this malicious operation was conducted by a nation state but doesn’t attribute it to a specific threat actor. The researchers reached this conclusion based on both the extensive reconnaissance performed by the PowerShell script and the tight concentration of targeting.

Last week, the Computer Emergency Response Team of Ukraine (CERT-UA) warned of a new malicious campaign that exploits two Windows zero-day vulnerabilities, including CVE-2022-30190. The hackers used it to infect networks belonging to Ukrainian government agencies with the Cobalt Strike Beacon malware.
