Follina is turning out to be quite a threat for system admins everywhere, as new reports are coming in of the vulnerability being used to distribute infostealers, trojans, and ransomware.
Cybersecurity researchers from Proofpoint found a threat actor known as TA570 using the Follina flaw to infect endpoints with Qbot, while NCC Group found it being further abused by Black Basta, a known ransomware group.
Qbot, also known as Qakbot, Quakbot, or Pinkslipbot, is a banking trojan and infostealer that has been in use for more than ten years. Threat actors distribute it through phishing and vulnerability exploitation, tricking people into visiting malicious sites that, through various vulnerabilities, end up downloading the trojan onto their devices.
Black Basta emerges
Qbot is capable of dealing plenty of damage: logging keystrokes, exfiltrating cookies, and hooking processes, but also acting as a dropper for second-stage viruses, malware, or ransomware. Black Basta is playing exactly this hand.
A relatively new entrant into the ransomware space, Black Basta was observed by NCC Group using Qbot to move laterally through compromised networks and deploy its ransomware.
The group first appeared in April this year, going straight for the American Dental Association, the publication reminds. To force victims to pay the ransom, it uses double extortion (stealing sensitive information and then encrypting it).
Follina, also tracked as CVE-2022-30190, is a flaw in the Windows Support Diagnostic Tool. It can be used to execute code remotely by getting Word to open a specially crafted document that then brings up the tool.
Microsoft has acknowledged the flaw and said it is working on a fix; until that arrives, threat actors continue to exploit it. Among the confirmed attacks is one against the international Tibetan community, conducted by TA413, a known Chinese state-sponsored threat actor.
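The parent-child relationship described above (an Office application launching the Windows Support Diagnostic Tool, whose executable is msdt.exe and which is reached through the ms-msdt: URL scheme) is what defenders typically look for in process-creation telemetry. The following is an added example written for this article, not code from the article, Proofpoint, NCC Group or Microsoft: it runs a simple detection rule over constructed sample records shaped like Sysmon process-creation events (the field names, hostnames and paths are assumptions, not captured data).

```python
"""Toy detection for CVE-2022-30190 (Follina) style activity: flag process-
creation events where an Office application spawns msdt.exe, or launches any
process whose command line carries the ms-msdt: URL scheme.

All events below are CONSTRUCTED sample records modelled on Sysmon Event ID 1
fields (ParentImage / Image / CommandLine); they are not real telemetry.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List

# Office applications that should never need to start the diagnostic tool.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
DIAG_TOOL = "msdt.exe"          # Windows Support Diagnostic Tool binary
DIAG_SCHEME = "ms-msdt:"        # URL scheme that invokes the tool


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def _basename(win_path: str) -> str:
    """Lower-cased file name of a Windows path (works on any OS)."""
    return PureWindowsPath(win_path).name.lower()


def is_office_to_msdt(ev: ProcessEvent) -> bool:
    """True when an Office parent starts msdt.exe or passes an ms-msdt: URL."""
    parent_is_office = _basename(ev.parent_image) in OFFICE_PARENTS
    child_is_msdt = _basename(ev.image) == DIAG_TOOL
    uses_scheme = DIAG_SCHEME in ev.command_line.lower()
    return parent_is_office and (child_is_msdt or uses_scheme)


def detect(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Return the subset of events that match the rule, preserving order."""
    return [ev for ev in events if is_office_to_msdt(ev)]


# Constructed sample telemetry: two suspicious records, three benign ones.
SAMPLE_EVENTS = [
    # Word spawning the diagnostic tool: the Follina pattern (arguments omitted).
    ProcessEvent("ws-01",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\msdt.exe",
                 r'"C:\Windows\System32\msdt.exe" ms-msdt:'),
    # A user opening a troubleshooter from the desktop: benign.
    ProcessEvent("ws-02",
                 r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\msdt.exe",
                 r'"C:\Windows\System32\msdt.exe" -id NetworkDiagnosticsWeb'),
    # Word starting its printing helper: benign.
    ProcessEvent("ws-03",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\splwow64.exe",
                 r"C:\Windows\splwow64.exe 12288"),
    # Explorer launching Word itself: benign.
    ProcessEvent("ws-04",
                 r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" budget.docx'),
    # Excel spawning the tool with mixed-case path: must still match.
    ProcessEvent("ws-07",
                 r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\WINDOWS\SYSTEM32\MSDT.EXE",
                 r'"C:\WINDOWS\SYSTEM32\MSDT.EXE" ms-msdt:'),
]


def flagged_hosts(events: Iterable[ProcessEvent] = SAMPLE_EVENTS) -> List[str]:
    """Hosts with at least one matching event, in event order."""
    return [ev.host for ev in detect(events)]


if __name__ == "__main__":
    for ev in detect(SAMPLE_EVENTS):
        print(f"[ALERT] {ev.host}: {_basename(ev.parent_image)} -> {_basename(ev.image)}")
```

The rule deliberately keys on the parent process rather than on msdt.exe alone, because the diagnostic tool is started legitimately from Explorer and Settings; it is an Office application as the parent that makes the launch worth an alert. In a real pipeline the same function would be applied to each record as it arrives, and a match would be a trigger to isolate the host and pull the document that Word had open.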