On May 28th, 2022, a Windows/Office zero-day vulnerability was discovered and found to be exploited in the wild. CVE-2022-30190 is exploited via specially crafted Office documents, even with macros disabled. The vulnerability has been given the name “Follina” and allows attackers to run malicious code on targeted systems.
A Japanese security vendor (Nao Sec) discovered the flaw and issued a warning via Twitter. Follina abuses the remote template feature in Microsoft Word to retrieve an HTML template from a remote URL. The document that Nao Sec saw in the wild used Word’s external link to load the HTML and then used the “ms-msdt” URI scheme to execute PowerShell code. MSDT stands for Microsoft Support Diagnostic Tool, a tool that collects information and sends it to Microsoft Support. The ‘Protected View’ feature in Microsoft Office does prevent exploitation, but if the document is saved in RTF format, the code runs without the document even being opened.
The above technique is known as template injection and has been used by known threat actors such as Lazarus and APT28. If an attacker is able to successfully exploit Follina, they will be able to install programs; view, change, or delete data; and create new accounts, all within the context allowed by the user’s rights. Although there is not yet a patch for the vulnerability, Microsoft has released workarounds.
The free version of Windows Defender does not detect Follina’s code execution behavior as malicious, but the original payload is detected by the enterprise Microsoft Defender for Endpoint. Additionally, functional proof-of-concept (PoC) code is publicly available. Follina currently affects Microsoft Office 2013 and 2016, as well as the most recent version of Microsoft Office. Please see the recommendations below for mitigations regarding Follina.
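The chain described above (Word loading a remote template, which hands an ms-msdt: URI to msdt.exe) leaves a behavioural trace even when file-based IoCs are unknown: an Office process becomes the parent of msdt.exe. The following PowerShell is an added example written for this page, not Ntirety’s or Microsoft’s own detection content. It runs the check over constructed process-creation records whose field names mirror Sysmon Event ID 1 (ParentImage, Image, CommandLine); the sample events, the placeholder command line and the `$OfficeParents` list are assumptions.

```powershell
# Added example: behavioural check for the Follina chain (Word -> msdt.exe / ms-msdt: URI).
# Not part of the original advisory. Runs offline over constructed sample events.

# Constructed sample events (field names follow Sysmon Event ID 1). The command
# line on the first record is a placeholder, not a real exploit string.
$SampleEvents = @(
    [pscustomobject]@{ ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       Image       = 'C:\Windows\System32\msdt.exe'
                       CommandLine = '"C:\Windows\System32\msdt.exe" ms-msdt:<constructed-placeholder>' },
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'                     # user opened a troubleshooter: benign
                       Image       = 'C:\Windows\System32\msdt.exe'
                       CommandLine = '"C:\Windows\System32\msdt.exe" -id NetworkDiagnosticsWeb' },
    [pscustomobject]@{ ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       Image       = 'C:\Windows\splwow64.exe'                     # printing from Word: benign
                       CommandLine = 'C:\Windows\splwow64.exe 12288' }
)

# The advisory describes Word; add other Office executables here if your
# environment warrants it (assumption, not a statement from the page).
$OfficeParents = @('WINWORD.EXE')

function Test-FollinaBehaviour {
    # Returns $true when an Office parent launches msdt.exe or passes an ms-msdt: URI.
    param([Parameter(Mandatory)][pscustomobject]$Event)

    $parentName = [System.IO.Path]::GetFileName($Event.ParentImage).ToUpper()
    $childName  = [System.IO.Path]::GetFileName($Event.Image)

    $fromOffice = $OfficeParents -contains $parentName
    $isMsdt     = $childName -ieq 'msdt.exe'
    $hasScheme  = $Event.CommandLine -imatch 'ms-msdt:'

    return ($fromOffice -and ($isMsdt -or $hasScheme))
}

function Find-FollinaEvents {
    # Filters a collection of process-creation records down to suspicious ones.
    param([Parameter(Mandatory)][pscustomobject[]]$Events)
    return @($Events | Where-Object { Test-FollinaBehaviour -Event $_ })
}

$hits = Find-FollinaEvents -Events $SampleEvents
foreach ($h in $hits) {
    Write-Output ("ALERT: {0} spawned {1} with command line: {2}" -f $h.ParentImage, $h.Image, $h.CommandLine)
}
# Only the first sample record is reported; the explorer.exe and splwow64.exe records are not.
```

On a live host the same `Test-FollinaBehaviour` function can be applied to records read from the `Microsoft-Windows-Sysmon/Operational` log, since the three fields it inspects are present on every Sysmon process-creation event. The parent/child relationship, not the URI text, is what carries the signal, which is why the check also fires when the scheme string is absent but Word still launches msdt.exe.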
Microsoft has released workaround guidance to address a remote code execution (RCE) vulnerability—CVE-2022-30190, known as “Follina”—affecting the Microsoft Support Diagnostic Tool (MSDT) in Windows. A remote, unauthenticated attacker could exploit this vulnerability to take control of an affected system. Microsoft has reported active exploitation of this vulnerability in the wild.
CISA urges users and administrators to review Microsoft’s Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability and apply the necessary workaround.
Ntirety and Microsoft recommend the following workarounds for Follina:
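The workaround list itself is not reproduced on this page. The script below is an added example, not Ntirety’s own tooling, implementing the mitigation Microsoft published in its guidance for CVE-2022-30190: back up and then delete the `HKEY_CLASSES_ROOT\ms-msdt` registry key so that ms-msdt: links no longer launch the Microsoft Support Diagnostic Tool, with a matching restore step for after an official fix is installed. It assumes an elevated PowerShell session on a Windows host; the backup file location is an assumption.

```powershell
# Added example: apply and verify Microsoft's published workaround for
# CVE-2022-30190 (disable the MSDT URL protocol handler). Requires an
# elevated session. Not part of the original advisory.

$MsdtKey    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # assumed backup location

function Test-MsdtProtocolEnabled {
    # $true while the ms-msdt: handler is still registered (i.e. still exploitable).
    return (Test-Path -Path $MsdtKey)
}

function Disable-MsdtProtocol {
    if (-not (Test-MsdtProtocolEnabled)) {
        Write-Host 'ms-msdt protocol handler already absent; nothing to do.'
        return
    }
    # Step 1 of Microsoft's guidance: export the key so the change can be reverted.
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of ms-msdt key failed (exit code $LASTEXITCODE)" }

    # Step 2: delete the handler so Office documents can no longer invoke msdt.exe via ms-msdt:.
    Remove-Item -Path $MsdtKey -Recurse -Force
    Write-Host "ms-msdt protocol handler removed; backup saved to $BackupFile"
}

function Restore-MsdtProtocol {
    # Re-import the backup once a patch that addresses the issue is installed.
    if (-not (Test-Path -Path $BackupFile)) { throw "No backup found at $BackupFile" }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Restore of ms-msdt key failed (exit code $LASTEXITCODE)" }
    Write-Host 'ms-msdt protocol handler restored from backup'
}

Disable-MsdtProtocol
if (Test-MsdtProtocolEnabled) {
    Write-Warning 'ms-msdt handler is still present; the workaround did not apply'
} else {
    Write-Host 'Verified: ms-msdt handler is disabled'
}
```

Removing the handler breaks the ms-msdt: links that the Windows troubleshooters themselves use, so keep the exported `.reg` file and run `Restore-MsdtProtocol` after the vendor fix is deployed; running `Test-MsdtProtocolEnabled` across a fleet is a quick way to confirm the workaround took effect on every host.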
At this time, there are no known IoCs associated with Follina. Ntirety SOC and threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Ntirety will disclose them as soon as possible. For more information on how Ntirety can help protect your organization, reach out to your Ntirety Customer Service Manager or Technical Account Manager.