The Computer Emergency Response Team of Ukraine (CERT-UA) has shared details of a new malicious campaign targeting media organizations in Ukraine that is exploiting the recently disclosed Follina vulnerability (CVE-2022-30190) in order to infect victims’ machines with the CrescentImp malware.
CVE-2022-30190 is a security issue affecting the Microsoft Windows Support Diagnostic Tool (MSDT). It allows a remote attacker to execute arbitrary shell commands on the target system.
The campaign aimed at Ukrainian radio stations, news papers, news agencies, etc., involves malicious emails that contain an attached document with the subject “СПИСОК посилань на інтерактивні карти” (“A list of links to the interactive maps”). The CERT-UA team said it has identified over 500 email addresses targeted in this campaign.
CERT-UA, which tracks this malicious campaign as UAC-0113, attributes the activity with moderate confidence to the Russia-linked Sandworm advanced persistent threat group.
Earlier this month, the team said it detected a malicious campaign that exploited two Windows zero-day vulnerabilities, including CVE-2022-30190, to infect networks belonging to Ukrainian government agencies with the Cobalt Strike Beacon malware.
Cybersecurity Help statement on the critical situation in Ukraine
On February 24, people in many cities and towns across Ukraine woke up to the sounds of explosions and artillery fire, as the Russian Federation launched a full-scale invasion of the country. Such actions are unacceptable, political ambitions of any man aren’t worth of blood, tears, and destruction of millions of lives. We give our full support to the Ukrainian people in these hard times. No more war! Слава Україні!