Follina is proving to be a threat to system administrators around the world as new reports emerge of the vulnerability being used to distribute information stealers, Trojans, and ransomware.

Cybersecurity researchers at Proofpoint found that known threat actors such as TA570 were using the Follina flaw to infect endpoints with Qbot, while NCC Group found that Black Basta, a well-known ransomware group, was abusing it as well.

Qbot, also known as Qakbot, Quakbot, or Pinkslipbot, is a banking Trojan and information stealer that has been in use for more than a decade. Threat actors looking to distribute the info stealer typically opt for a combination of phishing and exploits, tricking people into visiting malicious websites that, through various vulnerabilities, end up downloading the Trojan onto the device.

Black Basta emerges

Qbot is capable of inflicting a lot of damage, capturing keystrokes, exfiltrating cookies, and blocking processes, but it also acts as a dropper for second-stage malware or ransomware. This is exactly how Black Basta uses it.

A relatively new entrant to the ransomware space, Black Basta has been observed by NCC Group using Qbot to move laterally through compromised networks and deploy its ransomware.

The group first appeared in April of this year, targeting the American Dental Association, the publication notes. It uses double extortion tactics (stealing sensitive data and then encrypting it) to force victims to pay the ransom.

Follina, also tracked as CVE-2022-30190, is a flaw in the Microsoft Support Diagnostic Tool (MSDT). It can be abused for remote code execution: a specially crafted document, when opened in a program such as Microsoft Word, causes the tool to be invoked.

Microsoft acknowledged the existence of the flaw and promised to work on a fix. Until that happens, threat actors are actively exploiting it. Among the confirmed attacks is one against the international Tibetan community, carried out by a known Chinese state-sponsored threat actor tracked as TA413.

Via: The Register