State-Backed Hacker Believed to Be Behind Follina Attacks on EU and US

An unnamed state actor is reportedly behind a phishing campaign targeting European and local US government entities using the Follina Office Vulnerability.
The hacking attempts were spotted by cybersecurity firm Proofpoint, which posted a series of tweets last Friday from its Threat Insight account describing the campaign’s details.
“Proofpoint blocked a suspected state aligned phishing campaign targeting less than 10 Proofpoint customers (European gov & local US gov) attempting to exploit #Follina,” reads the first tweet.
According to the security experts, the phishing campaign targeted government employees, offering a salary increase and utilizing an RTF file with the exploit payload downloaded from 45.76.53[.]253.
The downloaded PowerShell script was reportedly base64 encoded and used Invoke-Expression to download an additional PowerShell script from seller-notification[.]live.
Once downloaded, the script would check for virtualization, steal information from local browsers, mail clients and file services, conduct machine reconnaissance and then zip the data for exfiltration to the 45.77.156[.]179 IP address.
While Proofpoint did not directly link the campaign to any specific hacker groups, the company said the characteristics of the attack hint at a nation-state actor. At the same time, the company did not name any specific countries at the time of writing.
“While Proofpoint suspects this campaign to be by a state aligned actor based on both the extensive recon of the Powershell and tight concentration of targeting, we do not currently attribute it to a numbered TA.”
The Follina vulnerability, which exploits the Microsoft Windows Support Diagnostic Tool (MSDT) to gain remote access to target systems, has not yet been officially patched by the Windows giant. Instead, Microsoft advised users to disable the ms-msdt protocol.
An unofficial patch has been released by the security researchers at 0patch, which allows MSDT to remain active.
“It would be by far the simplest for us to just disable msdt.exe by patching it with a TerminateProcess() call. However, that would render Windows diagnostic wizardry inoperable,” the company wrote in a blog post.
Instead, 0patch decided to place the patch in sdiagnhost.exe before the RunScript call and check whether the user-provided path contains a “$(” sequence, which is necessary for injecting a PowerShell subexpression.
“If one is detected, we make sure the RunScript call is bypassed while the Diagnostic Tool keeps running.”
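The same “$(” rule that 0patch applies inside sdiagnhost.exe can also be run on the defender's side over process-creation telemetry. The following is an added example, not code from the article, Proofpoint or 0patch: it assumes a constructed event shape (parent image, image, command line) modelled loosely on Sysmon/EDR records, flags msdt.exe launches whose arguments contain a PowerShell subexpression, and separately notes an Office parent process. Percent-decoding the command line before the check is an assumption added here, so a URL-encoded “$(” is caught as well.

```python
from urllib.parse import unquote

# Constructed sample process-creation events (not taken from the article).
# Command lines are deliberately inert: "$(placeholder)" stands in for a
# PowerShell subexpression and carries no real payload.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\msdt.exe",
     "cmdline": 'msdt.exe ms-msdt:/id PCWDiagnostic /param "IT_BrowseForFile=$(placeholder)"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msdt.exe",
     "cmdline": "msdt.exe ms-msdt:/id PCWDiagnostic"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\msdt.exe",
     "cmdline": 'msdt.exe ms-msdt:/id PCWDiagnostic /param "IT_BrowseForFile=%24%28placeholder%29"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\u\\notes.txt"},
]

# Office binaries whose child msdt.exe is worth a second look (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def basename(path):
    """Lower-cased file name of a Windows path, tolerating forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_subexpression(text):
    """Mirror the 0patch rule: a '$(' in the user-supplied argument opens a
    PowerShell subexpression. Decoding %-escapes first is an added assumption."""
    return "$(" in unquote(text)


def classify(event):
    """Return the reasons an msdt.exe launch looks like Follina abuse ([] if none)."""
    reasons = []
    if basename(event["image"]) != "msdt.exe":
        return reasons
    if has_subexpression(event["cmdline"]):
        reasons.append("subexpression")
    if basename(event["parent"]) in OFFICE_PARENTS:
        reasons.append("office-parent")
    return reasons


def scan(events):
    """Return (index, reasons) for every event that classify() flags."""
    hits = []
    for i, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            hits.append((i, reasons))
    return hits
```

Running `scan(SAMPLE_EVENTS)` flags the first and third events; the plain msdt.exe launch from Explorer and the notepad.exe event pass.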