- These Sony headphones deliver premium sound and comfort - without the premium price
- The LG soundbar I prefer for my home theater slaps with immersive audio - and it's not the newest model
- Samsung's new flagship laptop rivals the MacBook Pro, and it's not just because of the display
- Email marketing is back and big social is panicking - everything you need to know
- Revisiting Docker Hub Policies: Prioritizing Developer Experience | Docker
State-Backed Hacker Believed to Be Behind Follina Attacks on EU and US
An unnamed state actor is reportedly behind a phishing campaign targeting European and local US government entities using the Follina Office Vulnerability.
The hacking attempts were spotted by cybersecurity firm Proofpoint, which posted a series of tweets last Friday from its Threat Insight account describing the campaign’s details.
“Proofpoint blocked a suspected state aligned phishing campaign targeting less than 10 Proofpoint customers (European gov & local US gov) attempting to exploit #Follina,” reads the first tweet.
According to the security experts, the phishing campaign targeted government employees, offering a salary increase and utilizing an RTF file with the exploit payload downloaded from 45.76.53[.]253.
The downloaded Powershell script was reportedly base64 encoded and used Invoke-Expression to download an additional PS script from seller-notification[.]live.
Once downloaded the script would check for virtualization, steal information from local browsers, mail clients and file services, conduct machine recon and then zip it for exfil to be sent to the 45.77.156[.]179 IP address.
While Proofpoint did not directly link the campaign to any specific hacker groups, the company said the characteristics of the attack hint at a nation-state actor. At the same time, the company did not name any specific countries at the time of writing.
“While Proofpoint suspects this campaign to be by a state aligned actor based on both the extensive recon of the Powershell and tight concentration of targeting, we do not currently attribute it to a numbered TA.”
The Follina vulnerability, which exploits Microsoft Windows Support Diagnostic Tool (MSDT) to gain remote access to target systems has not yet been officially patched by the Windows giant. Instead, Microsoft advised users to disable the ms-msdt protocol.
An unofficial patch has been released by security researchers 0patch, which allows MSDT to remain active.
“It would be by far the simplest for us to just disable msdt.exe by patching it with a TerminateProcess() call. However, that would render Windows diagnostic wizardry inoperable,” the company wrote in a blog post.
Instead, 0patch decided to place the patch in sdiagnhost.exe before the RunScript call and check if the user-provided path contains a “$(“sequence, which is necessary for injecting a PowerShell subexpression.
“If one is detected, we make sure the RunScript call is bypassed while the Diagnostic Tool keeps running.”
