The zero-day vulnerability discovered on Monday of this week in Microsoft’s support tool MSDT has apparently made it into the cybergangs’ toolboxes. The IT security company Proofpoint reports on a Chinese cybergang that is attacking members of the international Tibetan community in particular with maliciously manipulated documents – and using the zero-day vulnerability to do so.
The Chinese cybergang, dubbed TA413, is reported to have focused on members of the Tibetan community in the past. However, European diplomats, legislative bodies, non-profit organizations and global economic organizations have reportedly also been targeted by TA413.
Microsoft reports attacks in the wild
In the attacks now observed, the criminals sent links to ZIP archives, which in turn contained Word documents that exploit the vulnerability. The campaign mimics the Central Tibetan government’s Women Empowerments Desk.
The US cybersecurity authority CISA also warns of the zero-day vulnerability and advises IT managers to apply the known workaround. The warning comes with the note that Microsoft is now reporting active exploitation of the vulnerability in the wild.
MSDT vulnerability known for some time
There are also increasing indications that the vulnerability was noticed a long time ago. The IT security researcher CrazymanArmy posted screenshots on Twitter of his bug report correspondence with Microsoft, showing that he had initially reported the vulnerability on April 12 of this year.
However, Microsoft initially did not classify this as a security-related problem and rejected the report.
In the end, however, the software company acknowledged and closed the gap as a remote code execution vulnerability in Windows.
First report in older research work
The first indications of the vulnerability were found in a bachelor’s thesis by Benjamin Altpeter at TU Braunschweig from August 2020. On page 29 of the thesis, Altpeter describes the ms-msdt: attack vector. Directly below, he refers to a comparable vulnerability in the Windows search-ms: protocol handler. Cyber criminals could soon use this as a further avenue of attack; however, there are no reports of this yet.
Since the vulnerability in Windows is now being attacked by the first cybergangs, administrators and users should implement the countermeasure recommended by Microsoft and remove the ms-msdt: protocol handler for now. Microsoft has provided the following instructions for this:
Users must first open an administrative command prompt. The command reg export HKEY_CLASSES_ROOT\ms-msdt <backup-file> saves the existing registry key to a backup file. Then reg delete HKEY_CLASSES_ROOT\ms-msdt /f deletes the relevant key. To restore it later, run reg import <backup-file> at the administrative command prompt.
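The same workaround as a script, added here as an example and not taken from the article or from Microsoft’s guidance: it backs up the ms-msdt: handler key before deleting it, verifies the removal, and can restore the key once the patch is installed. The backup location under ProgramData is an assumption.

```powershell
# Added example (not from the article or Microsoft). Run in an elevated PowerShell session.
$KeyPath    = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # assumed backup location

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    return ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-MsdtHandlerPresent {
    # True while the ms-msdt: protocol handler is still registered, i.e. the workaround is not applied.
    return Test-Path -Path "Registry::$KeyPath"
}

function Disable-MsdtHandler {
    if (-not (Test-IsElevated)) { throw 'Administrative rights are required.' }
    if (-not (Test-MsdtHandlerPresent)) {
        Write-Host 'ms-msdt: handler already removed; nothing to do.'
        return
    }
    # Export first so the change stays reversible; /y overwrites an older backup without prompting.
    & reg.exe export $KeyPath $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupFile failed; key left in place." }
    & reg.exe delete $KeyPath /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Deleting $KeyPath failed." }
    if (Test-MsdtHandlerPresent) { throw 'Key still present after delete; check manually.' }
    Write-Host "ms-msdt: handler removed; backup saved to $BackupFile."
}

function Restore-MsdtHandler {
    if (-not (Test-IsElevated)) { throw 'Administrative rights are required.' }
    if (-not (Test-Path -Path $BackupFile)) { throw "No backup found at $BackupFile." }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Import of $BackupFile failed." }
    if (-not (Test-MsdtHandlerPresent)) { throw 'Key missing after import; check manually.' }
    Write-Host "ms-msdt: handler restored from $BackupFile."
}

# Usage: Disable-MsdtHandler to apply the workaround, Restore-MsdtHandler to undo it after patching.
```

Test-MsdtHandlerPresent on its own is enough to check a fleet of machines for the workaround, since it needs no elevation.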
Previous reports on the MSDT zero-day vulnerability:
May 31, 2022: Zero-day vulnerability in MS Office: Microsoft makes recommendations
May 30, 2022: Zero-day vulnerability in Microsoft Office allows code smuggling