
Symantec: Malware Operators Increasingly Exploit Follina

While we wait for Microsoft to release a fix for the critical “Follina” vulnerability in Windows, more malware operators are moving to exploit it.

Microsoft acknowledged the remote code execution (RCE) vulnerability (tracked as CVE-2022-30190) late last month but has yet to provide a patch. The company has described a workaround that can be used until a patch is available.

Meanwhile, there have been a number of reports of attacks exploiting the vulnerability, with analysts on Proofpoint’s Threat Insight team tweeting earlier this month about a state-sponsored phishing campaign targeting institutions in the United States and the European Union. According to Proofpoint researchers, the malicious spam messages were sent to fewer than 10 users of Proofpoint products.

This week, Proofpoint researchers detected another phishing campaign run by a group associated with the Qbot data theft and backdoor botnet that uses Follina to infect systems with malware.

Currently, Symantec threat hunters say they are also detecting other groups that are using this flaw to deliver malware payloads. In one instance, the attackers have deployed AsyncRAT, a remote access Trojan (RAT) that includes a valid digital signature. In another, attackers have deployed information-stealing malware as a payload on the compromised system.

“Since the details of this vulnerability were published online, attackers were quick to take advantage of the flaw and begin installing payloads,” the researchers wrote in their blog. “Symantec has confirmed that attackers are using HTML files similar to those used in the initial attack. Multiple attackers have used various payloads after successful exploits.”

Follina is an RCE vulnerability in the Microsoft Support Diagnostic Tool (MSDT) that allows attackers to subvert the ms-msdt protocol handler process. According to Symantec, an attacker can use a specially crafted Word document that loads a malicious HTML file through the application’s remote template feature.

If exploited, an attacker could execute arbitrary code, install programs, view, modify, or delete data, or create new accounts. It is also possible to load and execute PowerShell code on Windows and even to exploit the vulnerability via the Rich Text Format (RTF) file format, the researchers wrote.

One of the problems is that the attack does not rely on macros, so the attacker does not need to trick the victim into enabling them for it to work. The vulnerability exists in all supported versions of Windows.
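A defender-side check for the delivery mechanism just described, added here as an example and not code from the article or from Symantec: it opens a .docx, reads the settings relationships part, and flags an attached template fetched over HTTP(S); a second helper flags HTML that references the ms-msdt: scheme. The document it builds is constructed for testing only, and the attacker.example host is a placeholder.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def remote_template_targets(docx_bytes):
    """Return the Target of every external attachedTemplate relationship in
    word/_rels/settings.xml.rels (empty list when that part is absent)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return []
        root = ET.fromstring(z.read(SETTINGS_RELS))
    return [rel.get("Target", "") for rel in root.iter(f"{{{RELS_NS}}}Relationship")
            if rel.get("TargetMode") == "External"
            and rel.get("Type") == ATTACHED_TEMPLATE]


def is_suspicious_docx(docx_bytes):
    """Follina delivery pattern: the attached template is pulled over HTTP(S)
    instead of from a local or network file path."""
    return any(t.lower().startswith(("http://", "https://"))
               for t in remote_template_targets(docx_bytes))


def html_invokes_msdt(html_text):
    """Second stage: the fetched HTML hands an ms-msdt: URI to the protocol handler."""
    return re.search(r"ms-msdt:", html_text, re.IGNORECASE) is not None


def build_sample_docx(template_target=None):
    """Constructed minimal .docx for testing (not a real sample): only the parts
    the checker reads, plus an optional external attachedTemplate relationship."""
    rel = ""
    if template_target is not None:
        rel = (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
               f'Target="{template_target}" TargetMode="External"/>')
    rels = f'<Relationships xmlns="{RELS_NS}">{rel}</Relationships>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        z.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()
```

A template loaded from a local path or UNC share is reported but not flagged, so the check stays quiet on ordinary corporate templates.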


According to Symantec researchers, when AsyncRAT runs, it checks the system for analysis tooling and attempts to stop it. It then collects information about the compromised system, including hardware identifiers, user names, execution paths, and OS information, sends this information to a command-and-control (C2) server, and executes the commands the C2 server returns on the compromised machine.

The information-stealing malware deployed by some threat groups steals data such as cookies and stored login credentials from web browsers including Microsoft Edge, Chrome, and Firefox.

Threat hunters at cybersecurity vendor Kaspersky, who are also tracking attacks that use the Follina flaw, noted in a blog post this week that U.S. organizations are particularly targeted. Other countries under attack include Russia, Brazil, India, and parts of Western Europe.

Kaspersky also writes, “We expect to see more attempts to exploit Follina to gain access to corporate resources, including ransomware attacks and data breaches.”

Conclusion

As a result, data breaches affect even security suppliers, let alone ordinary businesses and individuals. Planning data backups is merely the first step. The next sections will describe what went wrong and how to use blockchain technology to effectively retrieve your data. With today’s rapidly rising data security issues, virtual machine backup solutions have never been more important. Businesses are at risk and unable to stay viable without the security of a data backup plan. Protecting your company’s digital integrity necessitates extensive planning and preparation, starting with the essentials; you only need to create a plan every two or three years, as it is preferable to have insufficient data backup strategies.

So, businesses and individuals must take proactive measures to protect data. Data may be backed up for disaster recovery to avoid all threats. Virtual machine backup is now widely available and simple to use. Consider the popular virtual machine backup as an example. Many operating systems can be run simultaneously on virtual machines, conserving both physical and virtual resources. Virtual machine backup systems such as VMware Backup, XenServer Backup, Hyper-V Backup, and others are now commonly used.
