Follina

Vulnerability updated a month ago (2024-10-15T10:02:49.765Z)
Download STIX
Preview STIX
Follina (CVE-2022-30190) is a software vulnerability that was discovered and exploited in the first half of 2022. It was weaponized by TA413, a malicious entity known for its cyber attacks, shortly after its discovery and publication. The vulnerability was used to target the Sophos Firewall product, Microsoft Windows Support Diagnostic Tool (MSDT), and other software. In addition to Follina, TA413 also exploited another zero-day vulnerability (CVE-2022-1040) and employed a custom backdoor tracked as LOWZERO in campaigns specifically targeting Tibetan entities. The Follina exploit was utilized in various ways, including through .docx files and an EXE file made by PyInstaller that was executed post-exploitation. One notable instance involved a phishing campaign where emails were sent in two waves, the first containing a Microsoft Word .docx attachment hosted on Google Firebase that attempted to use the Follina vulnerability, and the second linked to a .RAR archive file containing both the malicious Microsoft Word attachment and a decoy .png image file. Investigations confirmed that not only TA413 but also APT28 and a China-nexus attack group had exploited Follina. These groups also exploited other vulnerabilities such as those affecting Roundcube application and Outlook. The exploitation of Follina led to the execution of a Base64-encoded PowerShell command to download a follow-on payload from a specific URL. The fact that multiple groups have been exploiting Follina suggests that they may have access to a zero-day or are capable of developing one.
Description last updated: 2024-10-15T09:19:03.646Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
CVE-2022-30190 is a possible alias for Follina. CVE-2022-30190, also known as the "Follina" vulnerability, is a high-risk software flaw in the Microsoft Support Diagnostic Tool that allows for remote code execution. This 0-day vulnerability was disclosed in May 2022 and has since been exploited by threat actors, including TA413, who weaponized it
9
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit
Vulnerability
Windows
Exploits
Confluence
Malware
Zero Day
Payload
Apt
Microsoft
Remote Code ...
RCE (Remote ...
Fortios
roundcube
Chrome
Phishing
Log4j
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Xworm Malware is associated with Follina. XWorm is a sophisticated piece of malware designed to infiltrate and exploit computer systems, often without the user's knowledge. It can be delivered through various means such as suspicious downloads, emails, or websites, and once inside a system, it can steal personal information, disrupt operatiUnspecified
2
The QakBot Malware is associated with Follina. Qakbot is a malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations, or hold data for ransom. Built by dUnspecified
2
The Qbot Malware is associated with Follina. Qbot, also known as Qakbot or Pinkslipbot, is a modular information stealer malware that first emerged in 2007 as a banking trojan. Its evolution has seen it become an advanced strain of malware used by multiple cybercriminal groups to prepare compromised networks for ransomware infestations. The fiUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The APT28 Threat Actor is associated with Follina. APT28, also known as Fancy Bear and Unit 26165 of the Russian Main Intelligence Directorate, is a threat actor linked to Russia with a history of cyber-espionage activities. The group has been involved in several high-profile attacks, including the hacking of the Democratic National Committee (DNC) Targets
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The Log4Shell Vulnerability is associated with Follina. Log4Shell is a significant software vulnerability (CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105) that exists in the Log4j Java-based logging utility. It was exploited by various Advanced Persistent Threat (APT) actors, including LockBit affiliates and GOLD MELODY (UNC961), to gain unauthorizedUnspecified
3
The vulnerability CVE-2022-1040 is associated with Follina. Unspecified
3
The Proxyshell Vulnerability is associated with Follina. ProxyShell is a vulnerability that affects Microsoft Exchange email servers, posing a significant risk to organizations worldwide. This flaw in software design or implementation allows attackers to exploit the system and gain unauthorized access. Since early 2021, Iranian government-sponsored APT acUnspecified
3
The CVE-2022-41328 Vulnerability is associated with Follina. CVE-2022-41328 is a significant software vulnerability discovered in Fortinet's FortiOS. It was heavily targeted by China-nexus intrusion sets, particularly UNC3886, who exploited the vulnerability to deploy custom malware families on Fortinet and VMware systems. This exploitation occurred in SeptemUnspecified
2
The vulnerability CVE-2021-40444 is associated with Follina. Unspecified
2
The CVE-2022-26134 Vulnerability is associated with Follina. CVE-2022-26134 is a critical software vulnerability that was discovered in Atlassian Confluence Server and Data Center. This flaw, which allows for remote code execution (RCE), was publicly disclosed by Atlassian in June 2022. The Cybersecurity and Infrastructure Security Agency (CISA) recognized thUnspecified
2
The CVE-2021-26084 Vulnerability is associated with Follina. CVE-2021-26084 is a critical vulnerability related to Atlassian's Confluence software. The flaw in the software design or implementation was first exploited as a zero-day, before its public disclosure in June 2022. It allowed remote attackers to execute code on a Confluence Server via injection attaUnspecified
2
The CVE-2021-34473 Vulnerability is associated with Follina. CVE-2021-34473 is a significant software vulnerability that was discovered in Microsoft Exchange Server. This flaw, along with two others (CVE-2021-31207 and CVE-2021-34523), forms a chain of vulnerabilities known as ProxyShell. These vulnerabilities can be exploited together by remote attackers to Unspecified
2
The CVE-2022-42475 Vulnerability is associated with Follina. The critical zero-day vulnerability, CVE-2022-42475, was discovered in FortiGate firewalls during an incident investigation by the vendor. This flaw in software design or implementation allows an unauthenticated attacker to execute arbitrary code on affected systems. The vulnerability is present in Unspecified
2
The Proxynotshell Vulnerability is associated with Follina. ProxyNotShell is a software vulnerability, specifically a flaw in the design or implementation of Microsoft Exchange Server. It was first identified and exploited through CVE-2022-41082, as reported by Palo Alto Networks' Unit 42. The ProxyNotShell exploit method leveraged an AutoDiscover endpoint tUnspecified
2
The CVE-2020-12641 Vulnerability is associated with Follina. CVE-2020-12641 is a significant vulnerability discovered in the Roundcube Webmail application. It is an issue that arises from a flaw in the software's design or implementation, which allows for Command Injection and Cross-Site Scripting (XSS) attacks (CVE-2020-35730). The exploitation of this vulneUnspecified
2
Source Document References
Information about the Follina Vulnerability was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Securityaffairs
7 months ago
CERT-EU
a year ago
CERT-EU
a year ago
Recorded Future
2 years ago
CERT-EU
a year ago
CERT-EU
2 years ago
CERT-EU
a year ago
Recorded Future
2 years ago
DARKReading
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
Fortinet
2 years ago
CSO Online
2 years ago
Malwarebytes
a year ago
CERT-EU
a year ago
Securityaffairs
a year ago
Securityaffairs
a year ago
CERT-EU
a year ago
Canadian Centre for Cyber Security
2 years ago
Fortinet
a year ago