CVE-2022-30190

Vulnerability Profile (updated a month ago)
CVE-2022-30190, also known as the "Follina" vulnerability, is a high-risk flaw in the Microsoft Windows Support Diagnostic Tool (MSDT) that allows remote code execution. This zero-day was disclosed in May 2022 and has since been exploited by threat actors, including TA413, who weaponized it shortly after its discovery and publication. Exploitation begins with a spear-phishing email carrying a malicious Excel spreadsheet attachment; when the attachment is opened, the vulnerability is used to download an MSI package from a remote server. Throughout the first half of 2022, TA413 not only exploited this vulnerability but also leveraged a now-patched zero-day in the Sophos Firewall product (CVE-2022-1040), and it employed a newly observed custom backdoor known as LOWZERO in campaigns specifically targeting Tibetan entities. In June 2022 the group shifted its strategy and began using a Follina exploit instead of malicious VBA code. The vulnerability has been widely exploited and carries a CVSS score of 7.8 (High). It has been used in various attack vectors, including being weaponized within a Microsoft Office document to drop the Woody Rat malware. Alongside the PrintNightmare vulnerability (CVE-2021-34527), Follina's exploitation has been reported extensively, highlighting the significant security risk it poses to Microsoft users.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Follina | 9 | Follina, also known as CVE-2022-30190, is a notable software vulnerability that was discovered and exploited in the first half of 2022. This flaw, found in the Microsoft Windows Support Diagnostic Tool (MSDT), was weaponized by TA413, a cyber threat actor group with suspected ties to China. The grou
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Vulnerability
Exploit
Microsoft
exploited
Backdoor
Mitre
Phishing
Remote Code ...
Malware
Chromium
RCE (Remote ...
Mandiant
Windows
Associated Malware
ID | Type | Votes | Profile Description
Lokibot | Unspecified | 2 | LokiBot is a malicious software, or malware, that was first reported on October 24, 2020. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, LokiBot steals personal information
Stealth Soldier | Unspecified | 1 | Stealth Soldier is a previously undisclosed modular backdoor malware identified by Check Point researchers in an ongoing espionage operation against targets in North Africa, as reported on June 8, 2023. The malware exhibits multi-stage infection capabilities and is being used for surveillance and es
Woody RAT | Unspecified | 1 | Woody Rat is a malware that has been in the wild for at least a year, as identified by the Malwarebytes Threat Intelligence team. It is weaponized through a Microsoft Office document named Памятка.docx, exploiting the Follina (CVE-2022-30190) vulnerability to infiltrate systems. This malicious softw
QakBot | Unspecified | 1 | Qakbot, also known as QBot, is a versatile and malicious software that can perform various harmful actions such as brute-forcing, web injects, and loading other malware. It is used to steal credentials and gather sensitive information. The malware is built by different groups including IcedID, Emote
Qbot | Unspecified | 1 | Qbot, also known as Qakbot or Pinkslipbot, is a type of malware that emerged in 2007 as a banking trojan and has since evolved into an advanced strain used by various cybercriminal groups to infiltrate networks for ransomware attacks. It is a modular information stealer that can enter systems throug
Lowzero | Unspecified | 1 | Lowzero is a custom backdoor malware introduced by TA413, a deviation from their usual practice of using well-known or open-source tools. Throughout the first half of 2022, TA413 exploited various vulnerabilities, including a patched zero-day vulnerability in Sophos Firewall product (CVE-2022-1040),
Associated Threat Actors
ID | Type | Votes | Profile Description
APT28 | Unspecified | 2 | APT28, also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, is a threat actor group that has been active since 2007. This Russia-linked entity targets governments, militaries, and security organizations worldwide with malicious intent. In recent years, the group has
Ta413 | Unspecified | 1 | TA413, also known as LuckyCat, is a threat actor suspected of conducting cyber espionage on behalf of the Chinese state. In the first half of 2022, TA413 targeted Tibetan individuals, organizations, and the exiled Tibetan government. The group exploited a now-patched zero-day vulnerability in the So
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Log4Shell | Unspecified | 3 | Log4Shell, a critical vulnerability in the logging feature of the Java programming language, also known as Log4j, was publicly disclosed on December 9th. This software flaw affected millions of devices and applications globally, including those in Estonia. The vulnerability, officially designated as
Proxyshell | Unspecified | 3 | ProxyShell is a chain of three vulnerabilities (tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) that affect Microsoft Exchange email servers. These vulnerabilities allow unauthenticated attackers to gain administrator access and execute remote code on unpatched servers. Discovered in
CVE-2022-1040 | Unspecified | 1 | None
CVE-2021-34527 | Unspecified | 1 | CVE-2021-34527, also known as PrintNightmare, is a software vulnerability that involves a flaw in software design or implementation. The exploitation process begins when a user clicks on a link which downloads a ZIP archive containing a malicious JScript (JS) downloader titled 'Stolen Images Evidenc
Printnightmare Cve-2021-34527 | Unspecified | 1 | PrintNightmare (CVE-2021-34527) is a significant software vulnerability that was identified and reported in 2021. It is a flaw in the design or implementation of Microsoft's Windows Print Spooler service, which can be exploited for local and Windows Active Domain privilege escalation. This allows at
Printnightmare | Unspecified | 1 | PrintNightmare (CVE-2021-34527) is a significant vulnerability in the Windows Print Spooler service that allows an attacker to escalate privileges either locally or remotely by loading a malicious DLL which will be executed as SYSTEM. This flaw, potentially a new zero-day Microsoft vulnerability, en
CVE-2020-12641 | Unspecified | 1 | CVE-2020-12641 is a significant vulnerability discovered in the Roundcube Webmail application. It is an issue that arises from a flaw in the software's design or implementation, which allows for Command Injection and Cross-Site Scripting (XSS) attacks (CVE-2020-35730). The exploitation of this vulne
Proxynotshell | Unspecified | 1 | ProxyNotShell is a software vulnerability, specifically a flaw in the design or implementation of Microsoft Exchange Server. It was first identified and exploited through CVE-2022-41082, as reported by Palo Alto Networks' Unit 42. The ProxyNotShell exploit method leveraged an AutoDiscover endpoint t
CVE-2022-24682 | Unspecified | 1 | None
Source Document References
Information about the CVE-2022-30190 vulnerability was read from the documents in the corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | a year ago | Asylum Ambuscade: crimeware or cyberespionage? | WeLiveSecurity
CSO Online | a year ago | 55 zero-day flaws exploited last year show the importance of security risk management
InfoSecurity-magazine | a year ago | LokiBot Malware Targets Windows Users in Office Document Attacks
CERT-EU | 8 months ago | How APT28 Infiltrates Networks in French Universities & Nuclear Plants Without Detection
CERT-EU | a year ago | Unraveling the Illusion of Trust: The Innovative Attack Methodology Leveraging the "search-ms" URI Protocol Handler
Malwarebytes | 10 months ago | 2022's most routinely exploited vulnerabilities—history repeats
Securityaffairs | a year ago | 2022 Zero-Day exploitation continues at a worrisome pace
CERT-EU | 10 months ago | Five Eyes Agencies Call Attention to Most Frequently Exploited Vulnerabilities
InfoSecurity-magazine | a year ago | CVEs Surge By 25% in 2022 to Another Record High
BankInfoSecurity | a year ago | Ukrainian Agencies, NATO Targeted With RATs Ahead of Summit
Recorded Future | a year ago | Top 5 Attack Surface Risks of 2022 | Recorded Future
BankInfoSecurity | 10 months ago | Patching Conundrum: 5-Year Old Flaw Again Tops Most-Hit List
CERT-EU | 10 months ago | nao-sec.org
CERT-EU | 10 months ago | Uncovering the internet's most enduring threat: The Email Threat Landscape
CERT-EU | a year ago | Microsoft warns Office admins to block exploitation of zero-day hole | IT World Canada News
CERT-EU | a year ago | New Attack Drops LokiBot Malware Via Malicious Macros in Word Docs
DARKReading | a year ago | RomCom Spies Target NATO Summit Ahead of Zelensky’s Arrival
BankInfoSecurity | 10 months ago | Patching Conundrum: 4-Year Old Flaw Again Tops Most-Hit List
Recorded Future | a year ago | Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets | Recorded Future
DARKReading | a year ago | Tel Aviv Stock Exchange Selects CardinalOps to Reduce Risk of Breaches Due to Undetected Attacks