Over Memorial Day weekend, a zero-day vulnerability in Windows was discovered being exploited in the wild through Microsoft Office documents. CVE-2022-30190 is triggered by crafted Office documents and does not rely on macros, so it works even when macros are disabled. The vulnerability, dubbed “Follina”, allows attackers to run arbitrary code on targeted systems.
Nao Sec, a Japanese security vendor, discovered the flaw and posted a warning on Twitter. The document found by Nao Sec used a Word external (remote) object relationship to load an HTML file from a web server, and that HTML then invoked the “ms-msdt:” URL protocol handler for the Microsoft Support Diagnostic Tool (MSDT) to execute PowerShell code. MSDT is a legitimate Windows tool that collects troubleshooting information and sends it to Microsoft Support. Protected View in Microsoft Office does block the payload when a downloaded document is opened, but if the same document is saved in RTF format the payload can be triggered by the Windows Explorer preview pane without the document being opened at all. Abuse of MSDT is not new: it is a known living-off-the-land binary (LOLBin).
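The delivery pattern above can be checked statically, because a .docx is a ZIP package whose part word/_rels/document.xml.rels lists everything the document loads: a remote object appears there as a Relationship with TargetMode="External" and an http(s) Target, and the fetched HTML hands off to MSDT through the ms-msdt: scheme. The following PowerShell is an added example written for this page, not code from Nao Sec, Microsoft or the original advisory. The sample package it builds in %TEMP% is constructed here with the relationship shape only (placeholder URL, no payload), and the function names are this example's own.

```powershell
# Added example: static inspection of a .docx for the Follina delivery pattern.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-ExternalRelationship {
    param([Parameter(Mandatory)][string]$DocxPath)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($DocxPath)
    try {
        # Every *.rels part can pull in remote content; word/_rels/document.xml.rels is the main one.
        foreach ($entry in $zip.Entries | Where-Object { $_.FullName -like '*_rels/*.rels' }) {
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { [xml]$rels = $reader.ReadToEnd() } finally { $reader.Dispose() }
            foreach ($rel in $rels.Relationships.Relationship) {
                if ($rel.TargetMode -ne 'External') { continue }
                $type = ($rel.Type -split '/')[-1]     # e.g. oleObject, attachedTemplate, hyperlink
                [pscustomobject]@{
                    Part       = $entry.FullName
                    Type       = $type
                    Target     = $rel.Target
                    # Ordinary hyperlinks are external too; a remote non-hyperlink object is the red flag.
                    Suspicious = ($type -ne 'hyperlink' -and $rel.Target -match '^(?i)https?://')
                }
            }
        }
    } finally { $zip.Dispose() }
}

function Test-MsdtScheme {
    param([Parameter(Mandatory)][string]$Content)
    # The HTML that the external object loads invokes the ms-msdt: URL protocol handler.
    return [bool]($Content -match '(?i)ms-msdt:')
}

# --- Constructed sample: minimal package with one remote oleObject relationship (placeholder URL) ---
$sample = Join-Path $env:TEMP 'follina-shape-sample.docx'
Remove-Item $sample -ErrorAction SilentlyContinue
$relsXml = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://www.example.com/" TargetMode="External"/>
  <Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://203.0.113.10/index.html" TargetMode="External"/>
</Relationships>
'@
$archive = [System.IO.Compression.ZipFile]::Open($sample, [System.IO.Compression.ZipArchiveMode]::Create)
try {
    $writer = New-Object System.IO.StreamWriter($archive.CreateEntry('word/_rels/document.xml.rels').Open())
    try { $writer.Write($relsXml) } finally { $writer.Dispose() }
} finally { $archive.Dispose() }

# Report every external relationship in the sample; only the remote oleObject is marked Suspicious.
Get-ExternalRelationship -DocxPath $sample | Format-Table -AutoSize

# Constructed stand-in for the HTML the remote object would fetch.
$fetchedHtml = '<html><script>window.location.href = "ms-msdt:/id ...";</script></html>'
Test-MsdtScheme -Content $fetchedHtml
```

Run against the constructed sample, rId2 (a normal hyperlink) is listed but not flagged, while rId3 (oleObject pointing at an http URL) is flagged, and the HTML stand-in tests true for the ms-msdt: scheme. On a real document, flag any remote oleObject or attachedTemplate relationship for analyst review rather than relying on the ms-msdt: string, since the HTML is fetched at open time and can be changed by the attacker.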
If an attacker successfully exploits Follina, they can run code with the privileges of the user who opened the document: install programs; view, change, or delete data; and create new accounts. At the time of writing there is no patch for the vulnerability, but Microsoft has published workarounds to mitigate it.
Follina currently affects Microsoft Office 2013 and 2016, as well as the most recent versions of Microsoft Office. Please see the recommendations below for Follina mitigations.
How Ntirety is Protecting our Customers:
We are using Ntirety’s Extended Detection and Response (XDR) platform as a prevention and detection layer. Our XDR combines monitoring software such as Ntirety’s SIEM with endpoint protection. XDR platforms collect, correlate, and analyze event data from every source on the network, including endpoints, applications, network devices, and user activity.
Microsoft has released workaround guidance for “Follina”, which affects MSDT in Windows. An attacker who gets a user to open (or, in the RTF case, merely preview) a crafted document could exploit this vulnerability to take control of the affected system. Microsoft has confirmed active exploitation of this vulnerability.
Ntirety and Microsoft recommend the following workarounds for Follina:
Workaround 1: Disable the MSDT URL protocol so that ms-msdt: links can no longer launch troubleshooters.
Run Command Prompt as Administrator.
Back up the registry key: reg export HKEY_CLASSES_ROOT\ms-msdt filename
Delete the key: reg delete HKEY_CLASSES_ROOT\ms-msdt /f
To undo the workaround later, run reg import filename from an administrator prompt.
Workaround 2: Disable Troubleshooting Wizards entirely via Group Policy (Computer Configuration > Administrative Templates > System > Troubleshooting and Diagnostics > Scripted Diagnostics > “Troubleshooting: Allow users to access and run Troubleshooting Wizards” set to Disabled), or set the equivalent registry value from an administrator prompt:
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics /f /v EnableDiagnostics /t REG_DWORD /d 0
This sets the EnableDiagnostics policy value to 0, which disables the Microsoft Troubleshooter.
If you use Microsoft Defender Antivirus, turn on cloud-delivered protection and automatic sample submission so that new variants of the payload are detected quickly.
If you use Microsoft Defender for Endpoint, enable the attack surface reduction (ASR) rule “Block all Office applications from creating child processes” (BlockOfficeCreateProcessRule). This stops Office applications from spawning child processes such as msdt.exe; launching a child process from an Office application is a common malware technique.
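The registry workarounds and the Defender settings above are one procedure that an administrator would normally script and verify rather than type by hand. The following PowerShell is an added example for this page, not a script published by Microsoft or Ntirety. It must be run from an elevated session; the backup path under %ProgramData%, the function names and the decision to abort if the backup fails are choices made here, and the ASR rule GUID is the published identifier for “Block all Office applications from creating child processes”.

```powershell
# Added example: apply and verify the Follina workarounds from an elevated PowerShell session.
#Requires -RunAsAdministrator

$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # assumption: where the key backup is kept

function Disable-MsdtUrlProtocol {
    # Workaround 1: remove the ms-msdt: handler after exporting it, so it can be restored later.
    $key = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
    if (Test-Path $key) {
        & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg export failed (exit $LASTEXITCODE); key left in place" }
        Remove-Item -Path $key -Recurse -Force
    }
    return (-not (Test-Path $key))
}

function Restore-MsdtUrlProtocol {
    # Undo Workaround 1 once a patch is installed.
    if (-not (Test-Path $BackupFile)) { throw "No backup at $BackupFile" }
    & reg.exe import $BackupFile | Out-Null
    return (Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt')
}

function Disable-TroubleshootingWizards {
    # Workaround 2: the registry form of the GPO "Troubleshooting: Allow users to access and
    # run Troubleshooting Wizards" = Disabled (policy values are REG_DWORD).
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics'
    if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
    New-ItemProperty -Path $policy -Name EnableDiagnostics -PropertyType DWord -Value 0 -Force | Out-Null
    return ((Get-ItemProperty -Path $policy -Name EnableDiagnostics).EnableDiagnostics -eq 0)
}

function Enable-DefenderProtections {
    # Defender Antivirus: cloud-delivered protection and automatic sample submission.
    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendAllSamples
    # Defender for Endpoint ASR rule: Block all Office applications from creating child processes.
    $asrOfficeChild = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    Add-MpPreference -AttackSurfaceReductionRules_Ids $asrOfficeChild -AttackSurfaceReductionRules_Actions Enabled
    # Verify: the rule must be present with action 1 (Enabled), not 2 (Audit) or 0 (Disabled).
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $asrOfficeChild) { return ($pref.AttackSurfaceReductionRules_Actions[$i] -eq 1) }
    }
    return $false
}

# Apply everything and print a pass/fail line per control.
$results = [ordered]@{
    'ms-msdt handler removed'         = Disable-MsdtUrlProtocol
    'Troubleshooting wizards disabled' = Disable-TroubleshootingWizards
    'Defender cloud + ASR enabled'     = Enable-DefenderProtections
}
$results.GetEnumerator() | ForEach-Object { '{0,-34} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAILED' }) }
```

Each function returns a boolean read back from the system rather than trusting that the write succeeded, which is what you want in a fleet-wide rollout. The Defender cmdlets will error on hosts where Defender is not the active antivirus; on those hosts the two registry workarounds still apply. Keep the backup file: it is the only way to restore the ms-msdt: handler once Microsoft ships a fix.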
The following alert titles in the Microsoft 365 Defender portal can indicate this threat activity on your network:
Suspicious behavior by an Office application
Suspicious behavior by Msdt.exe
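For environments without Defender for Endpoint, the two alert titles above translate into a simple hunt over process-creation telemetry: an Office application spawning msdt.exe (or another script host), and msdt.exe being started through the ms-msdt: URL protocol regardless of parent, which also covers the RTF preview-pane variant where the parent is explorer.exe. The PowerShell below is an added example for this page, not a Microsoft detection. The input records are constructed here in the shape of Sysmon Event ID 1 fields (ParentImage, Image, CommandLine); on a live host you would build the same objects from Get-WinEvent on the Sysmon operational log or from 4688 events. The list of risky child processes is this example's own choice.

```powershell
# Added example: hunt process-creation records for Follina-style msdt.exe activity.
$OfficeApps  = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE', 'MSACCESS.EXE', 'ONENOTE.EXE'
$RiskyChildren = 'msdt.exe', 'cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe'

function Test-FollinaProcessEvent {
    param([Parameter(Mandatory)]$Event)
    $parent  = [System.IO.Path]::GetFileName($Event.ParentImage)
    $child   = [System.IO.Path]::GetFileName($Event.Image)
    $reasons = @()
    # "Suspicious behavior by an Office application": Office spawning a script host or msdt.exe.
    if ($OfficeApps -contains $parent -and $RiskyChildren -contains $child) {
        $reasons += "Office parent $parent launched $child"
    }
    # "Suspicious behavior by Msdt.exe": launched via the ms-msdt: protocol handler, whatever the parent.
    if ($child -ieq 'msdt.exe' -and $Event.CommandLine -match '(?i)ms-msdt:') {
        $reasons += 'msdt.exe started through the ms-msdt: URL protocol'
    }
    return $reasons
}

function Find-FollinaActivity {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $why = Test-FollinaProcessEvent -Event $e
        if ($why.Count -gt 0) {
            [pscustomobject]@{ Parent = $e.ParentImage; Child = $e.Image; CommandLine = $e.CommandLine; Reason = ($why -join '; ') }
        }
    }
}

# Constructed sample telemetry (not real captured events).
$SampleEvents = @(
    [pscustomobject]@{ ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       Image = 'C:\Windows\System32\msdt.exe'
                       CommandLine = '"C:\Windows\System32\msdt.exe" ms-msdt:/id <troubleshooter-id> ...' },
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'            # RTF preview-pane variant
                       Image = 'C:\Windows\System32\msdt.exe'
                       CommandLine = '"C:\Windows\System32\msdt.exe" ms-msdt:/id <troubleshooter-id> ...' },
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\control.exe'    # user ran a troubleshooter normally
                       Image = 'C:\Windows\System32\msdt.exe'
                       CommandLine = '"C:\Windows\System32\msdt.exe" -id NetworkDiagnosticsWeb' },
    [pscustomobject]@{ ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       Image = 'C:\Windows\splwow64.exe'                 # benign print helper spawned by Word
                       CommandLine = 'C:\Windows\splwow64.exe 12288' }
)

Find-FollinaActivity -Events $SampleEvents | Format-List
```

On the constructed input the first two records are reported (the first on both rules, the second only on the ms-msdt: rule) and the last two are not, which is the precision you want: a user running a troubleshooter from Control Panel and Word launching its print helper are everyday events. If the ASR rule from the mitigations above is enforced, the Office-to-msdt.exe case should never appear as a successful process creation, so its presence also indicates the mitigation is not applied on that host.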
Indicators of Compromise (IoCs):
At this time, there are no known IoCs associated with Follina. Ntirety SOC and threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Ntirety will disclose them as soon as possible. For more information on how Ntirety can help protect your organization, reach out to your Ntirety Customer Success Manager or Technical Account Manager.