Fighting Follina: Application Vulnerabilities and Detection Possibilities

Although organizations should perform proper risk analysis and patch as soon as practical after there’s a fix for this vulnerability, defenders still have options before that’s released.

DARKReading

On May 27, 2022, researchers from Japan-based nao_sec identified a malicious document in a commercial malware repository. The document, dubbed “Follina,” employed a novel technique to achieve code execution. While referencing a remote object, in the manner of techniques such as template injection, the document retrieves the following URL:

hXXps://www.xmlformats[.]com/office/word/2022/wordprocessingDrawing/RDF842l.html!

When still active, the URL hosted content that included follow-on code to execute PowerShell via an explicit call to the "ms-msdt" URI scheme, which launches the Microsoft Support Diagnostic Tool (MSDT).

MSDT is a diagnostic tool included in Windows. As that content demonstrated, MSDT can be made to parse and execute code, such as PowerShell, when it is handed a malicious resource. Abuse of MSDT isn’t new; the technique has previously been documented among known “living off the land” binary (LOLBin) abuses. However, its use via a URL redirection called from Microsoft Office was previously unknown, expanding the scope of potential MSDT abuse to remote mechanisms.

Since initial reporting, Microsoft issued CVE-2022-30190 to cover this remote code execution (RCE) possibility within MSDT when called through another application. While a patch for this vulnerability has not yet been released, several mitigation strategies exist (covered in greater detail below).

As of this writing, actual abuse of this technique appears to be limited, but with examples dating back to as early as April 2022. Public disclosure and researcher notes identify only a few instances of malicious use of MSDT via Microsoft Office applications. However, since public identification, multiple proofs of concept for this technique emerged, and Gigamon Applied Threat Research (ATR) anticipates that multiple threat actors will soon incorporate this technique into operations.

Impact

At present, the impact of CVE-2022-30190 is largely notional given the lack of identified widespread use by threat actors. Once this technique is absorbed into existing actor toolkits, however, circumstances will change, with the potential for use by multiple threat actors. On initial discovery, endpoint detection and response (EDR) solutions appeared largely blind to this execution mechanism, but as of this writing that is rapidly changing across multiple vendors and products. Furthermore, as explained in guidance from Microsoft, MSDT’s capability to be launched via links can be disabled through changes to the Windows Registry, removing this intrusion vector (with the potential for unforeseen or undesired consequences) until a true patch is available.

More importantly, while much initial discussion focused on the Office mechanism for triggering this issue, CVE-2022-30190 is application-agnostic in functionality: its core is passing code to MSDT for execution. Office represents an obvious mechanism to reach this application through delivery of a document via phishing or a malicious link, but any mechanism for launching MSDT, such as a malicious LNK file or the implementation of “wget” in Windows, will enable follow-on RCE. The Office route presents just one of many potential avenues for exploitation, with other possibilities for MSDT abuse publicly documented.

For defenders and end users, the risk is therefore not just a new malicious Office delivery vector but, rather, abuse of an internal Windows component (MSDT) for code execution via multiple potential vectors. As such, certain mitigations (such as stopping all child processes from Office applications) represent only partial fixes to one aspect of the problem. To appropriately determine the scope and risk of this scenario, defenders must orient how MSDT abuse, irrespective of vector, applies to adversary operations.
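To make the vector-agnostic point concrete, the following added example (not code from the article or from Gigamon ATR) layers three process-creation rules, from the Office-specific parent-child pairing to rules that fire however msdt.exe was reached. Events are modelled on Sysmon Event ID 1 fields; the sample events are constructed for this example and are not real telemetry.

```python
"""Process-tree detection for MSDT abuse, independent of the delivery vector."""
from typing import Iterable, List, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# sdiagnhost.exe is the scripted-diagnostics host that msdt.exe hands a
# troubleshooting package to, so both belong to the same execution chain.
MSDT_CHAIN = {"msdt.exe", "sdiagnhost.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[dict]) -> List[Tuple[str, int]]:
    """Return (rule, event id) pairs.

    Rules run from vector-specific to vector-agnostic: the last two fire
    regardless of whether Office, an LNK file or anything else reached msdt.exe.
    """
    hits: List[Tuple[str, int]] = []
    for e in events:
        child = image_name(e["Image"])
        parent = image_name(e["ParentImage"])
        cmd = e.get("CommandLine", "").lower()
        # 1. Office application launching the diagnostic tool (the Follina path).
        if parent in OFFICE_APPS and child == "msdt.exe":
            hits.append(("office_spawns_msdt", e["id"]))
        # 2. msdt.exe reached through the ms-msdt: URI scheme from any parent.
        #    Legitimate callers of the scheme exist, so this is a triage rule.
        if child == "msdt.exe" and "ms-msdt:" in cmd:
            hits.append(("msdt_uri_launch", e["id"]))
        # 3. The diagnostic chain spawning a script host or shell: the point
        #    at which a crafted troubleshooter turns into code execution.
        if parent in MSDT_CHAIN and child in SHELLS:
            hits.append(("msdt_spawns_shell", e["id"]))
    return hits


# Constructed sample events for this example (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r'"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic'},
    {"id": 2, "ParentImage": r"C:\Windows\System32\sdiagnhost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand [omitted]"},
    # A user opening a troubleshooter from Explorer: no URI scheme, no shell.
    {"id": 3, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r'"C:\Windows\System32\msdt.exe" -id NetworkDiagnosticsWeb'},
    # The same URI scheme reached from a shortcut file rather than Office.
    {"id": 4, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r'"C:\Windows\System32\msdt.exe" "ms-msdt:/id PCWDiagnostic"'},
]

if __name__ == "__main__":
    for rule, event_id in detect(SAMPLE_EVENTS):
        print(f"{rule:20s} event {event_id}")
```

Event 4 is caught only by the URI rule, which is exactly the coverage a purely Office-centric rule set would miss.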

Orienting to Adversary Operations

As documented thus far, MSDT is leveraged in early phases of adversary operations as an initial access mechanism to victim machines. As noted by other researchers, MSDT abuse via Office results in follow-on execution with the same privileges as the active user. This is helpful if victims are running as unprivileged users, but given the wealth of mechanisms available to elevate privileges in Windows environments, this limitation would appear to be easily overcome by most adversaries.

However, even if an adversary can access and elevate privileges to a victim device, this specific action represents only one, relatively early step in the overall adversary life cycle, or “kill chain.” Appropriately leveraging this vulnerability still requires follow-on actions, including command and control (C2) and lateral movement activity, that present options to defenders for identifying adversary operations. Furthermore, there are precursor actions to code execution via MSDT that defenders can leverage to identify suspicious behaviors leading to exploitation.

Overall, CVE-2022-30190 represents a concern, but only one of many potential avenues available to adversaries to achieve initial code execution in victim environments. By properly understanding how adversaries employ this technique and which pre- and post-exploit actions are necessary to achieve adversary objectives, defenders can begin identifying detection, response, and hunting strategies that work against multiple potential intrusion vectors.

Detection and Mitigation Possibilities

  1. Focus on patching and host-based responses. Initial security-community discussion of MSDT abuse mitigation centered on patching (or the inability to do so) and host-based responses. For a host-focused exploitation mechanism, such an approach is reasonable, and patching will be the most effective way of addressing this specific security issue. Additionally, process parent-child relationship monitoring (or outright blocking) can significantly reduce attack surface by preventing entire categories of intrusion, such as Office or MSDT spawning child processes. Specifically, unregistering the URI handler for MSDT in the Windows Registry, as outlined by Microsoft and security researchers, may also temporarily address the issue.
  2. Look for pre- and post-exploitation activity. As noted in the previous section, however, defenders should strive for detections and mitigations that apply irrespective of specific exploits by looking at the adversary actions required before and after exploitation. For example, in the case of CVE-2022-30190, current delivery mechanisms focus on Office implementations. Future implementations will likely expand to other file formats commonly distributed via email or malicious websites, such as LNK files, self-extracting archives, and optical disk images. Identifying and increasing visibility over these distribution pathways, limiting exposure to unknown or untrusted vectors, and similar actions may thus reduce attack surface against multiple types of delivery mechanisms that can carry payloads beyond MSDT exploitation.
  3. Identify potential C2 or lateral movement mechanisms. Post-exploitation, various opportunities exist for identifying C2 or lateral movement mechanisms even if initial exploitation is missed. Following initial access, threat actors will in most cases need to migrate to other areas of the network: repositories of intellectual property or sensitive information, or critical network infrastructure such as domain controllers. The actions required to do so — such as enumerating Active Directory or remote process execution — present opportunities even without host monitoring to identify adversary operations.
  4. Identify and classify network assets. Further actions, such as identifying and (if possible) classifying newly observed network items (IP addresses and domain names) may allow for disclosure of unique C2 items. Where appropriate asset identification is enabled, identifying odd network traffic to new, unusual remote resources can further enable defenders to catch and categorize potentially malicious activity. Identifying unusual traffic based on User Agent strings when visible — such as a PowerShell-based User Agent string retrieving an executable file based on file MIME type or extension, as seen in the initial CVE-2022-30190 example — can further enhance visibility into insecure or undesirable network behaviors.
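The two network-side checks in items 3 and 4 above, a PowerShell User-Agent retrieving an executable and first contact with an uninventoried destination, as an added example that is not code from the article. The proxy log lines, the asset list KNOWN_HOSTS and all hostnames are constructed for this example; the User-Agent format is the one Windows PowerShell's web cmdlets send by default.

```python
"""Proxy-log triage for post-exploitation behaviours: PowerShell fetching an
executable, and traffic to destinations not yet inventoried as assets."""
from typing import List, Set, Tuple
from urllib.parse import urlsplit

# Tab-separated fields: timestamp, client, method, url, status, content_type, user_agent
PS_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682"
SAMPLE_LOG = "\n".join([
    "2022-06-01T10:01:02Z\t10.0.0.5\tGET\thttps://intranet.corp.example/policy.html\t200"
    "\ttext/html\tMozilla/5.0 (Windows NT 10.0) Chrome/102.0",
    "2022-06-01T10:01:09Z\t10.0.0.5\tGET\thttp://cdn-update.example.net/svc/update.exe\t200"
    "\tapplication/x-msdownload\t" + PS_UA,
    # Scripted inventory pull: PowerShell UA, but JSON from a known internal host.
    "2022-06-01T10:02:30Z\t10.0.0.7\tGET\thttps://intranet.corp.example/api/inventory.json\t200"
    "\tapplication/json\t" + PS_UA,
    "2022-06-01T10:03:11Z\t10.0.0.9\tGET\thttps://downloads.vendor.example/agent/setup.msi\t200"
    "\tapplication/octet-stream\tcurl/7.83.1",
])

# Destinations already classified as expected (constructed asset inventory).
KNOWN_HOSTS = {"intranet.corp.example", "downloads.vendor.example"}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-msdos-program",
                    "application/vnd.microsoft.portable-executable"}
EXECUTABLE_EXTS = (".exe", ".dll", ".msi", ".scr")


def parse(line: str) -> dict:
    """Split one tab-separated proxy record into named fields."""
    keys = ("ts", "client", "method", "url", "status", "content_type", "user_agent")
    return dict(zip(keys, line.rstrip("\n").split("\t")))


def looks_executable(rec: dict) -> bool:
    """Flag by MIME type or by file extension, since either may be missing."""
    path = urlsplit(rec["url"]).path.lower()
    return rec["content_type"].lower() in EXECUTABLE_TYPES or path.endswith(EXECUTABLE_EXTS)


def triage(log_text: str, known_hosts: Set[str] = KNOWN_HOSTS) -> List[Tuple[str, str, str]]:
    """Return (rule, client, host) findings.

    Hosts join the seen set as they appear, so only the first contact with an
    uninventoried destination is reported rather than every request to it.
    """
    seen = set(known_hosts)
    findings: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        host = urlsplit(rec["url"]).hostname or ""
        if "windowspowershell" in rec["user_agent"].lower() and looks_executable(rec):
            findings.append(("powershell_fetches_executable", rec["client"], host))
        if host not in seen:
            findings.append(("new_destination", rec["client"], host))
            seen.add(host)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```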

Overall, a variety of options remain available to network defenders even if the actual exploitation of a new, potentially unknown (or “zero-day”) vulnerability takes place. Understanding one’s own network and its characteristics, combined with sufficient visibility into network and host behaviors, allows defenders to ask (and answer) questions about activities of interest, flagging both the necessary preconditions for vulnerability exploitation and the follow-on actions that accompany it. While not necessarily easy in all cases, proper investment in resources and people will allow organizations to achieve a redundant security posture capable of catching zero-day exploitation, supply chain intrusions, or state-sponsored attacks.

Conclusion

Software and application vulnerabilities are a continuous and ongoing problem in the information security space. CVE-2022-30190 represents just another example of such vulnerabilities that have the potential to facilitate adversary operations. While organizations should perform proper risk analysis and patch as soon as practical once there’s a fix for this vulnerability, defenders are not lost prior to release.

Instead, by understanding how adversaries leverage exploits as part of the intrusion life cycle, defenders and network owners can structure detections and defense so that they are agnostic to specific vulnerabilities. Rather than continuously chasing specific weaknesses as they appear over time, such as specific defenses around CVE-2022-30190 weaponization, defenders can structure operations to look for necessary precursors to exploit development (reconnaissance, delivery) or required follow-on actions to achieve objectives (C2, lateral movement).

In building defense and response this way — focused on core behaviors and adversary dependencies — defenders can build a more sustainable security posture that can adapt to future, yet-to-be-discovered vulnerabilities along with current, known tradecraft. Through layering behavior-based detections along with patching, signatures, and other items, defenders can achieve the requisite defense-in-depth necessary to adapt to a dynamic threat environment, without relying on single-point-of-failure defenses easily evaded by capable adversaries.
