CVE-2022-30190

Vulnerability Profile Updated 3 months ago
CVE-2022-30190, also known as the "Follina" vulnerability, is a high-risk software flaw in the Microsoft Support Diagnostic Tool (MSDT) that allows remote code execution. This zero-day vulnerability was disclosed in May 2022 and has since been exploited by threat actors, including TA413, who weaponized it shortly after its discovery and publication. Exploitation begins with a spear-phishing email carrying a malicious Excel spreadsheet attachment; when the attachment is opened, the vulnerability is used to download an MSI package from a remote server. Throughout the first half of 2022, TA413 not only exploited this vulnerability but also leveraged a now-patched zero-day vulnerability in the Sophos Firewall product (CVE-2022-1040), and deployed a newly observed custom backdoor known as LOWZERO in campaigns specifically targeting Tibetan entities. In June 2022, the group shifted its strategy and began using an exploit for the Follina vulnerability instead of malicious VBA code. Follina has been widely exploited and carries a high CVSS score of 7.8, reflecting its severity. It has been used in various attack chains, including being weaponized within a Microsoft Office document to drop the Woody Rat malware. Alongside the PrintNightmare vulnerability (CVE-2021-34527), Follina's exploitation has been reported extensively, highlighting the significant security risk it poses to Microsoft users.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Follina | 9 | Follina, also known as CVE-2022-30190, is a notable software vulnerability that was discovered and exploited in the first half of 2022. This flaw, found in the Microsoft Windows Support Diagnostic Tool (MSDT), was weaponized by TA413, a cyber threat actor group with suspected ties to China. The grou
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Vulnerability
Exploit
Microsoft
exploited
RCE (Remote ...
Windows
Mitre
Chromium
Phishing
Malware
Mandiant
Exploits
Backdoor
Remote Code ...
Associated Malware
ID | Type | Votes | Profile Description
Lokibot | Unspecified | 2 | LokiBot is a malicious software, or malware, that was first reported on October 24, 2020. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, LokiBot steals personal information
QakBot | Unspecified | 1 | Qakbot is a potent malware, a malicious software designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal information, disrupt operations, or e
Qbot | Unspecified | 1 | Qbot, also known as Qakbot or Pinkslipbot, is a modular information-stealing malware that emerged in 2007 as a banking trojan. Over the years, it has evolved into an advanced malware strain used by multiple cybercriminal groups to compromise networks and prepare them for ransomware attacks. The firs
Lowzero | Unspecified | 1 | Lowzero is a custom backdoor malware introduced by TA413, a deviation from their usual practice of using well-known or open-source tools. Throughout the first half of 2022, TA413 exploited various vulnerabilities, including a patched zero-day vulnerability in Sophos Firewall product (CVE-2022-1040),
Stealth Soldier | Unspecified | 1 | Stealth Soldier is a previously undisclosed modular backdoor malware identified by Check Point researchers in an ongoing espionage operation against targets in North Africa, as reported on June 8, 2023. The malware exhibits multi-stage infection capabilities and is being used for surveillance and es
Woody RAT | Unspecified | 1 | Woody Rat is a malware that has been in the wild for at least a year, as identified by the Malwarebytes Threat Intelligence team. It is weaponized through a Microsoft Office document named Памятка.docx, exploiting the Follina (CVE-2022-30190) vulnerability to infiltrate systems. This malicious softw
Associated Threat Actors
ID | Type | Votes | Profile Description
APT28 | Unspecified | 2 | APT28, also known as Fancy Bear, is a threat actor linked to Russia and has been involved in numerous cyber espionage campaigns. The group is notorious for its sophisticated tactics, techniques, and procedures (TTPs). Recently, NATO and the EU formally condemned APT28's activities, acknowledging the
Ta413 | Unspecified | 1 | TA413, also known as LuckyCat, is a threat actor suspected of conducting cyber espionage on behalf of the Chinese state. In the first half of 2022, TA413 targeted Tibetan individuals, organizations, and the exiled Tibetan government. The group exploited a now-patched zero-day vulnerability in the So
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Proxyshell | Unspecified | 3 | ProxyShell is a critical vulnerability affecting Microsoft Exchange email servers. Identified as CVE-2021-34473, it is a flaw in software design or implementation that can be exploited by attackers to gain unauthorized access to systems. The vulnerability was actively exploited by threat actors, cau
Log4Shell | Unspecified | 3 | Log4Shell is a software vulnerability, specifically a flaw in the design or implementation of the popular Java logging library, Log4j. Identified as CVE-2021-44228, this vulnerability allows an attacker to remotely execute arbitrary code, often leading to full system compromise. Advanced Persistent
CVE-2022-24682 | Unspecified | 1 | None
CVE-2022-1040 | Unspecified | 1 | None
CVE-2021-34527 | Unspecified | 1 | CVE-2021-34527, also known as PrintNightmare, is a software vulnerability that involves a flaw in software design or implementation. The exploitation process begins when a user clicks on a link which downloads a ZIP archive containing a malicious JScript (JS) downloader titled 'Stolen Images Evidenc
Printnightmare Cve-2021-34527 | Unspecified | 1 | PrintNightmare (CVE-2021-34527) is a significant software vulnerability that was identified and reported in 2021. It is a flaw in the design or implementation of Microsoft's Windows Print Spooler service, which can be exploited for local and Windows Active Domain privilege escalation. This allows at
Printnightmare | Unspecified | 1 | PrintNightmare (CVE-2021-34527) is a significant vulnerability in the Windows Print Spooler service that allows an attacker to escalate privileges either locally or remotely by loading a malicious DLL which will be executed as SYSTEM. This flaw, potentially a new zero-day Microsoft vulnerability, en
CVE-2020-12641 | Unspecified | 1 | CVE-2020-12641 is a significant vulnerability discovered in the Roundcube Webmail application. It is an issue that arises from a flaw in the software's design or implementation, which allows for Command Injection and Cross-Site Scripting (XSS) attacks (CVE-2020-35730). The exploitation of this vulne
Proxynotshell | Unspecified | 1 | ProxyNotShell is a software vulnerability, specifically a flaw in the design or implementation of Microsoft Exchange Server. It was first identified and exploited through CVE-2022-41082, as reported by Palo Alto Networks' Unit 42. The ProxyNotShell exploit method leveraged an AutoDiscover endpoint t
Source Document References
Information about the CVE-2022-30190 vulnerability was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
Securityaffairs | 3 months ago | NATO and the EU formally condemned APT28 cyber espionage
MITRE | 7 months ago | Woody RAT: A new feature-rich malware spotted in the wild
Securityaffairs | 8 months ago | Russia's APT8 exploited Outlook 0day to target EU NATO members
Securityaffairs | 8 months ago | Russia-linked APT28 group spotted exploiting Outlook flaw to hijack MS Exchange accounts
CERT-EU | 9 months ago | Several French critical networks subjected to Russian APT attacks
CERT-EU | 9 months ago | How APT28 Infiltrates Networks in French Universities & Nuclear Plants Without Detection
Securityaffairs | 9 months ago | ANSSI warns of Russia-linked APT28 attacks on French entities
CERT-EU | 10 months ago | The Hidden Dangers of Remote Code Execution (RCE) Exploits in Word Documents
CERT-EU | 10 months ago | LokiBot Information Stealer Packs Fresh Infection Strategies
CERT-EU | a year ago | Malspam attacks up, new sectors targeted – report
CERT-EU | a year ago | nao-sec.org
CERT-EU | a year ago | GroundPeony Group Exploiting Zero-day Flaw to Attack Government Agencies
CERT-EU | a year ago | GroundPeony Group Exploiting Zero-day Flaw to Attack Government Agencies | IT Security News
CERT-EU | a year ago | Uncovering the internet's most enduring threat: The Email Threat Landscape
Malwarebytes | a year ago | 2022's most routinely exploited vulnerabilities—history repeats
BankInfoSecurity | a year ago | Patching Conundrum: 5-Year Old Flaw Again Tops Most-Hit List
CERT-EU | a year ago | Five Eyes Agencies Call Attention to Most Frequently Exploited Vulnerabilities
CERT-EU | a year ago | FBI, CISA, and NSA reveal top exploited vulnerabilities of 2022
CERT-EU | a year ago | Most exploited cyber vulnerabilities of 2022 revealed
BankInfoSecurity | a year ago | Patching Conundrum: 4-Year Old Flaw Again Tops Most-Hit List