“Follina”- a Microsoft Office Zero-Day Remote Code Execution Vulnerability
June 1, 2022 by Ntirety
On May 28th, 2022, a Windows/Office zero-day vulnerability was discovered and found to be exploited in the wild. CVE-2022-30190 is exploited via specially crafted Office documents, even with macros disabled. The vulnerability has been given then name “Follina” and allows attackers to run malicious code on targeted systems.
A Japanese security vendor (Nao Sec) discovered the flaw and issued a warning via Twitter. Follina abuses the remote template feature in Microsoft Word to retrieve a HTML Template from a remote URL. The document that Nao Sec saw in the wild used Word’s external link to load the HTML and then used the “ms-msdt” scheme to execute PowerShell code. MSDT stands for Microsoft Support Diagnostic Tool, a tool that collects information and sends it to Microsoft Support. The ‘Protected View’ feature in Microsoft Office does prevent exploitation, but if a document is changed to RTF format, it will run without even opening the document.
The above technique is known as template injection and has been used by known threat actors such as Lazarus and APT 28. If an attacker is able to successfully exploit Follina, they will be able to install programs, change, view, delete data, and create new accounts in the context allowed by the user’s rights. Although there aren’t any patches for the vulnerability, Microsoft has released workarounds.
The free version of Windows Defender does not detect Follina’s code execution behavior as malicious, but the original payload is detected by the enterprise Defender of Endpoint. Additionally, there is a functional proof of concept (POC) code available. Follina currently affects Microsoft 2013 and 2016, as well as the most recent version of Microsoft Office. Please see the below recommendations for mitigations regarding Follina.
How Ntirety is Protecting our Customers
Implement Ntirety’s Extended Detection and Response, XDR, as a prevention method. Our XDR is a combination of monitoring software like Ntirety’s SIEM, combined with endpoint protection. XDR platforms enable cybersecurity through a technology focus by collecting, correlating, and analyzing event data from any source on the network. This includes endpoints, applications, network devices, and user interactions.
Microsoft has released workaround guidance to address a remote code execution (RCE) vulnerability—CVE-2022-30190, known as “Follina”—affecting the Microsoft Support Diagnostic Tool (MSDT) in Windows. A remote, unauthenticated attacker could exploit this vulnerability to take control of an affected system. Microsoft has reported active exploitation of this vulnerability in the wild.
Ntirety and Microsoft recommend the following workarounds for Follina:
Disable the MSDT URL Protocol to prevent troubleshooters from being launched as links.
Run Command Prompt as Administrator.
To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename“.
Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
Disable Troubleshooting Wizards completely via GPO.
Run this command: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics /f /v EnableDiagnostics /d 0 , with an admin prompt to set the Enable Diagnostics key to 0, disabling Microsoft Troubleshooter.
For those with MS Defender Anti-Virus they should turn on cloud-delivered protection and automatic sample submission.
For those with Microsoft Defender for Endpoint enable the attack surface reduction rule “BlockOfficeCreateProcessRule” that blocks Office apps from creating child processes. Creating malicious child processes is a common malware strategy.
The following alert title in the Microsoft 365 Defender portal can indicate threat activity on your network:
Suspicious behavior by an Office application
Suspicious behavior by Msdt.exe
Indicators of Compromise (IoCs)
At this time, there are no known IoCs associated with Follina. Ntirety SOC and threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Ntirety will disclose them as soon as possible. For more information on how Ntirety can help protect your organization, reach out to your Ntirety Customer Service Manager or Technical Account Manager.