Follina

Vulnerability updated 4 months ago (2024-05-04T20:55:52.336Z)
Follina, also known as CVE-2022-30190, is a notable software vulnerability that was discovered and exploited in the first half of 2022. The flaw, found in the Microsoft Windows Support Diagnostic Tool (MSDT), was weaponized by TA413, a cyber threat actor group with suspected ties to China. The group used Follina shortly after its discovery and publication, demonstrating its ability to rapidly exploit newly disclosed vulnerabilities. In addition to Follina, TA413 also targeted the Sophos Firewall product using a now-patched zero-day vulnerability (CVE-2022-1040) and employed a custom backdoor tracked as LOWZERO in campaigns aimed primarily at Tibetan entities.

The exploitation of Follina involved malicious .docx files and executables. Phishing emails were sent in two waves: the first wave linked to a Microsoft Word .docx attachment hosted on the Google Firebase service that attempted to exploit Follina, while the second wave linked to a .RAR archive containing both the malicious Word document and a decoy .png image file. Once triggered, the Follina exploit executed a Base64-encoded PowerShell command to download a follow-on payload from an external server. An EXE file built with PyInstaller was also observed executing after exploitation of Follina.

Investigations into these attacks identified a China-nexus attack group as the perpetrators. This group demonstrated not only the capability to exploit Follina but also the potential to access or develop other zero-day vulnerabilities. For reconnaissance and data collection, the attackers also exploited other vulnerabilities, including CVE-2020-12641 in Roundcube webmail. Understanding and mitigating the risk associated with the Follina vulnerability, as well as other potential threats, therefore remains a critical task for cybersecurity professionals.
Description last updated: 2024-05-04T16:28:46.826Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
CVE-2022-30190 | 9 | CVE-2022-30190, also known as the "Follina" vulnerability, is a high-risk software flaw in the Microsoft Support Diagnostic Tool that allows for remote code execution. This 0-day vulnerability was disclosed in May 2022 and has since been exploited by threat actors, including TA413, who weaponized it
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit
Vulnerability
Windows
Exploits
Confluence
Malware
Zero Day
Payload
Apt
Microsoft
Remote Code ...
RCE (Remote ...
Fortios
roundcube
Chrome
Phishing
Log4j
Associated Malware
ID | Type | Votes | Profile Description
Xworm | Unspecified | 2 | XWorm is a multifaceted malware that has been observed to exploit vulnerabilities in ScreenConnect, a remote access software. This malware provides threat actors with remote access capabilities and the potential to spread across networks, exfiltrate sensitive data, and download additional payloads.
QakBot | Unspecified | 2 | Qakbot is a type of malware that has been linked to various cybercriminal activities, with its presence first observed as early as 2020. It gained notoriety for its role in the operations of the Black Basta ransomware group, which used Qakbot extensively in sophisticated phishing campaigns. The malw
Qbot | Unspecified | 2 | Qbot, also known as Qakbot or Pinkslipbot, is a modular information-stealing malware that emerged in 2007 as a banking trojan. Over the years, it has evolved into an advanced malware strain used by multiple cybercriminal groups to compromise networks and prepare them for ransomware attacks. The firs
Associated Threat Actors
ID | Type | Votes | Profile Description
APT28 | Targets | 2 | APT28, also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, is a threat actor linked to Russia that has been active since at least 2007. The group has targeted governments, militaries, and security organizations worldwide, including the German Social Democratic Party
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Log4Shell | Unspecified | 3 | Log4Shell is a significant software vulnerability that exists within the Log4j Java-based logging utility. The vulnerability, officially designated as CVE-2021-44228, allows potential attackers to execute arbitrary code on targeted systems. Advanced Persistent Threat (APT) actors, including LockBit
CVE-2022-1040 | Unspecified | 3 | None
Proxyshell | Unspecified | 3 | ProxyShell is a series of vulnerabilities affecting Microsoft Exchange email servers. These flaws in software design or implementation have been exploited by threat actors to gain unauthorized access and control over targeted systems. The ProxyShell vulnerability, officially tracked as CVE-2021-3447
CVE-2022-41328 | Unspecified | 2 | CVE-2022-41328 is a significant software vulnerability discovered in Fortinet's FortiOS. It was heavily targeted by China-nexus intrusion sets, particularly UNC3886, who exploited the vulnerability to deploy custom malware families on Fortinet and VMware systems. This exploitation occurred in Septem
CVE-2021-40444 | Unspecified | 2 | None
CVE-2022-26134 | Unspecified | 2 | CVE-2022-26134 is a critical software vulnerability that was discovered in Atlassian Confluence Server and Data Center. This flaw, which allows for remote code execution (RCE), was publicly disclosed by Atlassian in June 2022. The Cybersecurity and Infrastructure Security Agency (CISA) recognized th
CVE-2021-26084 | Unspecified | 2 | CVE-2021-26084 is a critical vulnerability related to Atlassian's Confluence software. The flaw in the software design or implementation was first exploited as a zero-day, before its public disclosure in June 2022. It allowed remote attackers to execute code on a Confluence Server via injection atta
CVE-2021-34473 | Unspecified | 2 | CVE-2021-34473 is a significant software vulnerability that was discovered in Microsoft Exchange Server. This flaw, along with two others (CVE-2021-31207 and CVE-2021-34523), forms a chain of vulnerabilities known as ProxyShell. These vulnerabilities can be exploited together by remote attackers to
CVE-2022-42475 | Unspecified | 2 | The critical zero-day vulnerability, CVE-2022-42475, was discovered in FortiGate firewalls during an incident investigation by the vendor. This flaw in software design or implementation allows an unauthenticated attacker to execute arbitrary code on affected systems. The vulnerability is present in
Proxynotshell | Unspecified | 2 | ProxyNotShell is a software vulnerability, specifically a flaw in the design or implementation of Microsoft Exchange Server. It was first identified and exploited through CVE-2022-41082, as reported by Palo Alto Networks' Unit 42. The ProxyNotShell exploit method leveraged an AutoDiscover endpoint t
CVE-2020-12641 | Unspecified | 2 | CVE-2020-12641 is a significant vulnerability discovered in the Roundcube Webmail application. It is an issue that arises from a flaw in the software's design or implementation, which allows for Command Injection and Cross-Site Scripting (XSS) attacks (CVE-2020-35730). The exploitation of this vulne
Source Document References
Information about the Follina vulnerability was read from the document corpus below. This display is limited to 20 results.
Source | Created | Title
Securityaffairs | 4 months ago | NATO and the EU formally condemned APT28 cyber espionage
CERT-EU | a year ago | Microsoft Teams phishing scam dupes workers on vacation time | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | a year ago | GroundPeony Group Exploiting Zero-day Flaw to Attack Government Agencies
Recorded Future | 2 years ago | Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets | Recorded Future
CERT-EU | 10 months ago | How APT28 Infiltrates Networks in French Universities & Nuclear Plants Without Detection
CERT-EU | 2 years ago | Boost Your Threat Hunting with 12 Weeks of Security Spotlights
CERT-EU | a year ago | Six patch management mistakes and how to avoid them
Recorded Future | 2 years ago | Top 5 Attack Surface Risks of 2022 | Recorded Future
DARKReading | a year ago | 10 Vulnerabilities Types to Focus On This Year
CERT-EU | a year ago | Defending the Loan Application Process: Uncovering and Eliminating Hidden Threats in Files
CERT-EU | a year ago | CrowdStrike Report Highlights Crucial Shift In Ransomware Tactics | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware
Fortinet | a year ago | Are Internet Macros Dead or Alive? | FortiGuard labs
CSO Online | a year ago | 55 zero-day flaws exploited last year show the importance of security risk management
Malwarebytes | a year ago | 2022's most routinely exploited vulnerabilities: history repeats
CERT-EU | a year ago | RomCom RAT Targets Pro-Ukraine Guests at Upcoming NATO Summit
Securityaffairs | 10 months ago | ANSSI warns of Russia-linked APT28 attacks on French entities
Securityaffairs | a year ago | RomCom RAT attackers target groups supporting NATO membership of Ukraine
CERT-EU | a year ago | Malspam attacks up, new sectors targeted – report
Canadian Centre for Cyber Security | 2 years ago | Ongoing reports of Qakbot malware incidents – Update 1 - Canadian Centre for Cyber Security
Fortinet | a year ago | Ransomware Roundup - Black Basta | FortiGuard Labs