Rewterz Threat Update– Russian Threat Actors Start Targeting Ukraine By Exploiting Follina Vulnerability – Russian-Ukrainian Cyber Warfare

Severity

High

Analysis Summary

The Ukrainian Team has issued a warning that Sandworm, a Russian threat actor group, may be exploiting Follina, a remote code execution vulnerability in Microsoft Windows Support Diagnostic Tool (MSDT) also traced as CVE-2022-30190.

The nation-state actors used Follina to conduct a new malicious email campaign that targeted over 500 recipients at various media organization in Ukraine, including radio stations and newspapers.
The topic of the emails is “LIST of links to interactive maps,” and the attachment is a.DOCX file with the same name. When the file is opened, JavaScript code is executed to get a payload named “2.txt,” which is detected as malicious CrescentImp.

Impact

• Code Execution
• Privilege Escalation

Remediation

• Maintain cyber hygiene by updating your anti-virus software and implement patch management lifecycle.
• Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
• Emails from unknown senders should always be treated with caution.
• Never trust or open ” links and attachments received from unknown sources/senders.
• Use Microsoft Automatic Update to apply the appropriate patch for your system, or the Microsoft Security Update Guide to search for available patches.
• Customers using Microsoft Defender Antivirus should turn-on cloud-delivered protection and automatic sample submission.
• Customers that use Microsoft Defender for Endpoint can set the “BlockOfficeCreateProcessRule” attack surface reduction rule, which prevents Office apps from generating child processes.
• For the workaround guidance shared by Microsoft, click here.