Zero-day vulnerability: First cybergangs attack MSDT vulnerability

Written by insideindyhomes

The zero-day vulnerability discovered on Monday of this week in Microsoft's support tool MSDT has apparently made it into the cybergangs' toolboxes. The IT security company Proofpoint reports that a Chinese cybergang is attacking members of the international Tibetan community in particular with maliciously manipulated documents, using the zero-day vulnerability to do so.

The Chinese cybergang, dubbed TA413, has reportedly focused on targeting members of the Tibetan community in the past. European diplomats, legislative bodies, non-profit organizations and global economic organizations have also reportedly been targeted by TA413.

In the attacks now observed, the criminals sent links to ZIP archives, which in turn contained Word documents that exploit the vulnerability. The campaign mimics the Central Tibetan government's Women Empowerments Desk.

The US cyber security authority CISA also warns of the zero-day vulnerability and advises IT managers to use the known workaround. The warning comes with the note that Microsoft is now reporting active abuse of the vulnerability in the wild.

There are also increasing indications that the vulnerability was noticed a long time ago. The IT security researcher CrazymanArmy posted screenshots on Twitter of the progress of his report to Microsoft, showing that he had initially reported the vulnerability on April 12 of this year.

However, Microsoft initially did not classify this as a security-related problem and rejected the message.

In the end, however, the software company acknowledged and closed the gap as a remote code execution vulnerability in Windows.

The first indications of the vulnerability were found in a bachelor thesis by Benjamin Altpeter at the TU Braunschweig from August 2020. On page 29 of the work, Altpeter describes the ms-msdt: attack vector. Directly below follows a reference to a comparable vulnerability in the search-ms: Windows protocol handler. Cyber criminals could soon use this as a further avenue of attack; however, there are no reports of this yet.

Since the vulnerability in Windows is now being attacked by the first cybergangs, administrators and users should implement the countermeasure recommended by Microsoft and remove the protocol handler for ms-msdt: for now. Microsoft has provided the following instructions for this:

Users must first open an administrative command prompt. The command reg export HKEY_CLASSES_ROOT\ms-msdt saves the existing registry key to a backup file. Then the command reg delete HKEY_CLASSES_ROOT\ms-msdt /f deletes the relevant key. To restore it later, run reg import with the backup file at an administrative command prompt.
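The same workaround as a PowerShell script (an added example, not Microsoft's instructions or the article's own code; the backup path, the parameter names and the helper function are my assumptions): it backs up the ms-msdt key, removes it, verifies that the handler is actually gone, and can restore the key from the backup or simply report whether the workaround is in place.

```powershell
# Added example: apply, verify or revert Microsoft's ms-msdt: protocol handler workaround.
# Assumptions (not from the article): the backup path, the -Action parameter and the
# Test-MsdtHandlerPresent helper are my own. Run from an elevated PowerShell session.
#Requires -RunAsAdministrator
param(
    [ValidateSet('Disable', 'Restore', 'Check')] [string]$Action = 'Check',
    [string]$BackupFile = 'C:\backup\ms-msdt.reg'   # assumed backup location
)

$KeyPath = 'HKEY_CLASSES_ROOT\ms-msdt'              # key named in Microsoft's instructions
$PsPath  = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'    # same key via the PowerShell registry provider

function Test-MsdtHandlerPresent {
    # True while the ms-msdt: URL protocol handler is still registered.
    return Test-Path -LiteralPath $PsPath
}

switch ($Action) {
    'Disable' {
        if (-not (Test-MsdtHandlerPresent)) { Write-Host 'ms-msdt: handler already absent'; return }
        New-Item -ItemType Directory -Force -Path (Split-Path $BackupFile) | Out-Null
        # Same two steps as the instructions: export (backup) first, delete only if that succeeded.
        reg.exe export $KeyPath $BackupFile /y
        if ($LASTEXITCODE -ne 0) { throw 'backup failed; key left in place' }
        reg.exe delete $KeyPath /f
        if (Test-MsdtHandlerPresent) { throw 'ms-msdt: handler is still present after delete' }
        Write-Host "ms-msdt: handler removed; backup written to $BackupFile"
    }
    'Restore' {
        if (-not (Test-Path -LiteralPath $BackupFile)) { throw "no backup found at $BackupFile" }
        reg.exe import $BackupFile
        if (-not (Test-MsdtHandlerPresent)) { throw 'restore failed; handler not registered' }
        Write-Host 'ms-msdt: handler restored from backup'
    }
    'Check' {
        if (Test-MsdtHandlerPresent) { Write-Host 'ms-msdt: handler PRESENT - workaround not applied' }
        else { Write-Host 'ms-msdt: handler absent - workaround applied' }
    }
}
```

Run the script with -Action Check on each machine after applying the workaround; a present handler means the mitigation did not take effect there.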

Previous reports on the MSDT zero-day vulnerability:
May 31, 2022: Zero-day vulnerability in MS Office: Microsoft makes recommendations
May 30, 2022: Zero-day vulnerability in Microsoft Office allows code smuggling
