Some European governments have been the target of a phishing campaign that uses malicious Rich Text Format (RTF) documents. These documents were designed to exploit a critical (zero-day) Windows vulnerability known as Follina.

"Proofpoint blocked a suspicious phishing campaign that was trying to take advantage of Follina / CVE_2022_30190," security researchers at Proofpoint revealed.
The attackers used promises of salary increases to get employees to open documents containing a malicious PowerShell script.
With the PowerShell script of this attack, attackers are able to gather large amounts of information:
Browser passwords: Google Chrome, Mozilla Firefox, Microsoft Edge, Opera, Yandex, Vivaldi, CentBrowser, Comodo, CheDot, Orbitum, Chromium, Slimjet, Xvast, Kinza, Iridium, CocCoc and AVAST Browser.
Data from other applications: Mozilla Thunderbird, Netsarang session files, Windows Live Mail contacts, Filezilla passwords, ToDesk configuration file, WeChat, Oray SunLogin RemoteClient, MailMaster, ServU, Putty, FTP123, WinSCP, RAdmin, Microsoft Office, Navicat
Information from Windows: Computer information, username list, Windows domain information
Proofpoint suspects that this campaign is being run by a government.
The security flaw used in these attacks is tracked as CVE-2022-30190, and Redmond describes it as a remote code execution bug in the Microsoft Windows Support Diagnostic Tool (MSDT).
CVE-2022-30190 is still unpatched and affects all versions of Windows that still receive security updates (i.e. Windows 7+ and Server 2008).
While Microsoft has not yet released updates that fix CVE-2022-30190, CISA urges administrators and Windows users to disable the MSDT protocol used in these attacks, since an exploit is already on the internet.
Until Microsoft releases official security updates, you can protect your systems using unofficial patches released by the micropatching service 0patch (registration required and not recommended).
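
One way to disable the MSDT protocol as CISA urges above, shown as an added example that is not part of the original article. It assumes the handler is registered under HKEY_CLASSES_ROOT\ms-msdt, as in Microsoft's published workaround, and uses a hypothetical backup folder C:\RegBackup.

```powershell
#Requires -RunAsAdministrator
# Added example: back up, then remove, the ms-msdt URL protocol handler.
# The key path follows Microsoft's published workaround for CVE-2022-30190.
$ErrorActionPreference = 'Stop'

$KeyPath   = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupDir = 'C:\RegBackup'    # assumption: any admin-only folder will do
$Backup    = Join-Path $BackupDir ("ms-msdt_{0}.reg" -f $env:COMPUTERNAME)

# Nothing to do if the handler was already removed on this machine.
if (-not (Test-Path -LiteralPath "Registry::$KeyPath")) {
    Write-Output 'ms-msdt handler is not registered; nothing to do.'
    return
}

# Export the key first so the handler can be restored after patching.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
& reg.exe export $KeyPath $Backup /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $Backup)) {
    throw "Backup of $KeyPath failed; the key was left in place."
}

# Remove the handler so ms-msdt: URLs no longer launch the diagnostic tool.
& reg.exe delete $KeyPath /f | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Could not delete $KeyPath (reg.exe exit code $LASTEXITCODE)."
}

# Verify the result instead of trusting the exit code alone.
if (Test-Path -LiteralPath "Registry::$KeyPath") {
    throw "$KeyPath is still present after deletion."
}
Write-Output "ms-msdt handler removed. Restore later with: reg import `"$Backup`""
```

Removing the handler also stops Windows troubleshooters from being launched through links until the backup is imported again.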
