Ukraine’s Computer Emergency Response Team (CERT) warns that the Russia-linked Sandworm APT group may exploit the Follina RCE vulnerability.

Ukraine’s Computer Emergency Response Team (CERT) is warning that the Russia-linked Sandworm APT may be exploiting the recently discovered Follina RCE. The issue, tracked as CVE-2022-30190, impacts the Microsoft Windows Support Diagnostic Tool (MSDT).

Nation-state actors are targeting media organizations in Ukraine, including radio stations and newspapers. The malspam messages use the subject “LIST of links to interactive maps”; according to CERT-UA, the malicious emails reached more than 500 recipients.

The malspam messages carried the weaponized document “LIST_of_links_in_interactive_maps.docx.” When the document is opened, it loads an HTML file and executes JavaScript code, which in turn downloads and executes the EXE file “2.txt”, detected as the CrescentImp malware.
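The alert describes the first hop of that chain, a .docx that pulls in a remote HTML file. As an added defender-side example (not code from CERT-UA or the article), the script below inspects a .docx package for that pattern; it assumes the general Follina delivery technique, in which the remote HTML is referenced through an OLE-object relationship with TargetMode="External" in word/_rels/*.rels, and uses constructed sample packages with a placeholder host.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Relationship type used by embedded OLE objects in WordprocessingML.
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def external_ole_targets(docx_bytes: bytes) -> list:
    """Return (rels part, target) pairs for OLE relationships that point outside the package.

    A legitimately embedded object lives inside the .docx zip; the Follina delivery
    pattern (assumption, not stated in the alert) instead references a remote HTML
    document through an external-mode relationship.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(PKG_NS + "Relationship"):
                if rel.get("Type") == OLE_REL_TYPE and rel.get("TargetMode") == "External":
                    hits.append((name, rel.get("Target")))
    return hits


def is_suspicious(docx_bytes: bytes) -> bool:
    """Flag documents whose OLE objects are fetched from a remote http(s) URL."""
    return any(re.match(r"^https?://", t or "", re.I) for _, t in external_ole_targets(docx_bytes))


def build_sample_docx(rels_xml: str) -> bytes:
    """Constructed minimal package for testing; only the parts the check reads are present."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


RELS_TEMPLATE = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                 '<Relationship Id="rId1" Type="%s" Target="%s"%s/></Relationships>')
# Constructed samples; example.invalid is a placeholder, not an indicator from the alert.
MALICIOUS_DOCX = build_sample_docx(RELS_TEMPLATE % (OLE_REL_TYPE, "http://example.invalid/index.html", ' TargetMode="External"'))
BENIGN_DOCX = build_sample_docx(RELS_TEMPLATE % (OLE_REL_TYPE, "embeddings/oleObject1.bin", ""))

if __name__ == "__main__":
    print("malicious sample:", is_suspicious(MALICIOUS_DOCX), external_ole_targets(MALICIOUS_DOCX))
    print("benign sample:", is_suspicious(BENIGN_DOCX))
```

Run it over a quarantined attachment with `is_suspicious(open(path, "rb").read())`; a hit is a strong triage signal, while the absence of one does not clear a file, since other Follina variants (for example RTF) use a different container.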

“Attackers continue to exploit vulnerability CVE-2022-30190 and are increasingly resorting to emails from compromised government emails,” reads the alert published by the Ukraine CERT.


The government experts tracked the activity as UAC-0113, a threat actor that is associated, with medium confidence, with the Sandworm APT group.

Targeting media orgs

CERT-UA also shared indicators of compromise for these attacks.


[Source: SecurityAffairs / 6.13.]