While Microsoft is working on a patch for the MSDT vulnerability, tracked as CVE-2022-30190, attackers have started targeting European and U.S. local governments. The vulnerability, now known as Follina, can be exploited with a Rich Text Format document delivered as part of a phishing campaign. Various online news sources claim that at least two U.S. states are being targeted by these attacks.
Proofpoint blocked a suspected state aligned phishing campaign targeting less than 10 Proofpoint customers (European gov & local US gov) attempting to exploit #Follina / #CVE_2022_30190.
— Threat Insight (@threatinsight) June 3, 2022
Still unpatched
The vulnerability is still unpatched. Windows advised Windows admins and users to disable the MSDT protocol to prevent exploitation. CISA has also urged customers to disable the service. While the tech giant was working on the patch, other organizations released unofficial patches. Exploiting the vulnerability allows attackers to execute arbitrary code, enabling them to do almost anything they want.
Proofpoint stated that it spotted the Chinese TA413 hacking group exploiting the vulnerability to attack the Tibetan community. Another security research team, MalwareHunterTeam, also stated that it found documents from China that aim to deploy a passport-stealing trojan.