Chinese hackers exploit Microsoft zero-day as list of vulnerable Office products grows

[Image: Microsoft Office 365 with a magnifying glass over Microsoft Word (credit: Shutterstock)]

The Microsoft Office zero-day vulnerability reported widely this week is already being used in active attacks by Chinese state-sponsored hackers, a cyber security company has said.

The advanced persistent threat (APT) group tracked as TA413 has been spotted impersonating the Women’s Empowerment Desk of the Central Tibetan Administration - a genuine division dedicated to issues such as gender equality and combating violence against women.

Proofpoint researchers said the malicious documents are delivered via zip archives through URLs that aim to imitate the genuine Tibetan government, but didn’t comment on the type of payload that’s delivered.

The vulnerability, which is exploited through the ms-msdt Microsoft Office Uniform Resource Identifier (URI) scheme, is now tracked as CVE-2022-30190 and has been shown to work on all versions of Microsoft Office and Windows Server, including Office 365, which was previously thought not to be vulnerable.

Successful exploitation of the Microsoft Support Diagnostic Tool (MSDT), the diagnostic and troubleshooting tool behind that scheme, can lead to the execution of malicious code on Windows systems.

If the malicious document is saved in Rich Text Format (RTF), the code can also be executed when the document is previewed in the Windows Explorer preview pane, without it ever being opened.

Under the radar

Although CVE-2022-30190 only became widely reported this week, it has since emerged that Microsoft was made aware of the vulnerability as far back as 12 April 2022.

A researcher by the alias of crazyman, who is part of a bug-hunting collective called Shadow Chaser Group, was credited with the discovery once Microsoft assigned the vulnerability a CVE code.

Crazyman posted proof of their submission to Microsoft online and had found an example of in-the-wild exploitation, seemingly from a Russian-speaking threat actor, more than a month ago.

A member of Microsoft Security Response Centre (MSRC) responded to the submission after looking at it “critically” and decided that it was “not a security-related issue”.

The team acknowledged that the MSDT scheme was executed as part of the malicious document but since it required a passcode when it started - a passcode that did not work for the MSRC analyst during testing - the case was ultimately closed.

Independent security researcher and former Microsoft-employed security professional Kevin Beaumont, whose report of the zero-day vulnerability sparked wider interest in it this week, said MSRC’s response sounded like they wanted to re-triage the report, rather than dismiss it entirely.

On the same day, a threat intelligence researcher at Malwarebytes also discovered the Russian-language maldoc sample, but the cyber security company said the remote template was already down at the time, which meant that identification was not possible.

Microsoft’s guidance

Along with assigning the zero-day CVE tracking identifier, Microsoft has released a support document for Windows and Microsoft Office users, advising of the temporary workarounds they can deploy to mitigate the threat.

The recommended workaround is to disable the MSDT URI scheme, which prevents troubleshooters from being launched as links, including links throughout the operating system.

Troubleshooters can still be accessed by using the Get Help application, Microsoft said, and through system settings.

To disable the MSDT URI scheme, Microsoft instructed users to do the following:

  • Run Command Prompt as Administrator.
  • To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”.
  • Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.

To undo the workaround - useful once a full patch is released - users should do the following:

  • Run Command Prompt as Administrator.
  • To restore the registry key, execute the command “reg import filename”.
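The two-step workaround and its reversal, as an added PowerShell example that is not part of the article or of Microsoft's support document: it wraps the same reg export, reg delete and reg import commands, refuses to delete the key if the backup did not succeed, and adds a Verify mode so an administrator can confirm whether the ms-msdt handler is still registered. The backup location under $env:ProgramData is an assumption; pass -BackupPath to change it.

```powershell
<#
  Added example (not from the article or from Microsoft's support document):
  applies, verifies or reverts the CVE-2022-30190 registry workaround described above.
  Usage (elevated PowerShell):  .\msdt-workaround.ps1 -Action Apply|Verify|Restore
  $BackupPath is an assumed location, not one Microsoft specifies.
#>
param(
    [ValidateSet('Apply', 'Verify', 'Restore')]
    [string]$Action = 'Verify',
    [string]$BackupPath = "$env:ProgramData\ms-msdt-backup.reg"   # assumed path
)

$KeyPath = 'HKEY_CLASSES_ROOT\ms-msdt'             # reg.exe syntax
$PsPath  = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'   # PowerShell provider syntax

# True while the ms-msdt: URI handler is still registered (workaround NOT applied).
function Test-MsdtHandler {
    return (Test-Path -LiteralPath $PsPath)
}

# Apply and Restore write to HKEY_CLASSES_ROOT, so they need an elevated session.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if ($Action -ne 'Verify' -and -not $isAdmin) {
    throw 'Apply and Restore must be run from an elevated (Administrator) session.'
}

switch ($Action) {
    'Verify' {
        if (Test-MsdtHandler) { 'ms-msdt handler PRESENT: workaround not applied.' }
        else                  { 'ms-msdt handler ABSENT: workaround applied.' }
    }
    'Apply' {
        if (-not (Test-MsdtHandler)) { 'Handler already absent; nothing to do.'; break }
        # Same order as Microsoft's instructions: export first, then delete.
        # /y overwrites an existing backup file without prompting.
        & reg.exe export $KeyPath $BackupPath /y | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $BackupPath)) {
            throw "Backup to $BackupPath failed; refusing to delete the key."
        }
        & reg.exe delete $KeyPath /f | Out-Null
        if (Test-MsdtHandler) { throw 'reg delete ran but the key is still present.' }
        "Handler removed; backup saved to $BackupPath."
    }
    'Restore' {
        if (-not (Test-Path -LiteralPath $BackupPath)) { throw "No backup found at $BackupPath." }
        & reg.exe import $BackupPath | Out-Null
        if (-not (Test-MsdtHandler)) { throw 'reg import ran but the key is still absent.' }
        'Handler restored from backup.'
    }
}
```

Verify needs no elevation, so it can be run by a non-admin user or from an endpoint-management tool to check that the workaround actually landed on a fleet; the Apply branch deliberately stops if the export fails, because a deleted key with no backup cannot be undone once a patch makes the handler wanted again.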

It was previously reported that Microsoft Defender for Endpoint did not detect exploitation of CVE-2022-30190, but Microsoft said it now provides alerts in the Microsoft 365 Defender portal under the following titles:

  • Suspicious behaviour by an Office application
  • Suspicious behaviour by Msdt.exe

Microsoft Defender Antivirus also now detects possible exploitation using the following signatures, available from detection build 1.367.719.0 onwards:

  • Trojan:Win32/Mesdetty.A (blocks msdt command line)
  • Trojan:Win32/Mesdetty.B (blocks msdt command line)
  • Behavior:Win32/MesdettyLaunch.A!blk (terminates the process that launched msdt command line)
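For environments without Defender's new signatures, the same parent/child relationship those alerts describe (an Office application starting msdt.exe) can be hunted for in process-creation telemetry. The following is an added example, not code from the article or from Microsoft: it takes a list of process-creation records (Sysmon Event ID 1 or Security event 4688 would be the real source) and returns those where an Office binary is the direct parent of msdt.exe. The sample records are constructed for illustration.

```powershell
# Added example (not from the article or from Microsoft): hunts process-creation
# records for an Office application launching msdt.exe, the lineage behind the
# "Suspicious behaviour by Msdt.exe" alert class mentioned above.

$OfficeImages = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')

# Returns the subset of $Events where an Office process is the direct parent of msdt.exe.
function Find-OfficeSpawnedMsdt {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $parent = [IO.Path]::GetFileName($e.ParentImage).ToLowerInvariant()
        $child  = [IO.Path]::GetFileName($e.Image).ToLowerInvariant()
        if ($child -eq 'msdt.exe' -and $OfficeImages -contains $parent) {
            [pscustomobject]@{
                Time   = $e.Time
                Host   = $e.Host
                Parent = $parent
                Child  = $child
                Reason = 'Office application launched msdt.exe (CVE-2022-30190 pattern)'
            }
        }
    }
}

# Constructed sample records (not real telemetry); field names follow Sysmon Event ID 1.
$Sample = @(
    [pscustomobject]@{ Time = '2022-06-01T09:14:02Z'; Host = 'WS01'
                       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       Image       = 'C:\Windows\System32\msdt.exe' }      # flagged
    [pscustomobject]@{ Time = '2022-06-01T09:20:11Z'; Host = 'WS02'
                       ParentImage = 'C:\Windows\explorer.exe'             # user opened a troubleshooter
                       Image       = 'C:\Windows\System32\msdt.exe' }      # not flagged by this rule
    [pscustomobject]@{ Time = '2022-06-01T09:31:45Z'; Host = 'WS01'
                       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       Image       = 'C:\Windows\splwow64.exe' }           # ordinary print child, not flagged
)

Find-OfficeSpawnedMsdt -Events $Sample | Format-Table -AutoSize
```

explorer.exe is left out of the parent list on purpose: it launches msdt.exe legitimately whenever a user opens a troubleshooter, so the Explorer preview-pane path the article describes for RTF files needs a separate, lower-confidence rule that brings in more context than process lineage alone.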

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.