I. Targeted Entities

  • Microsoft Office users

II. Introduction

Microsoft has recently established a workaround for a zero-day vulnerability, known as Follina, for Microsoft Office applications, such as Word, after being originally identified back in April. This vulnerability is a remote control execution (RCE) flaw, and if successfully exploited, threat actors have the ability to install programs, view, change, or delete data on targeted systems. The RCE is associated with the Microsoft Support Diagnostic Tool (MSDT) which, ironically, collects information about bugs in the company’s products and reports them to Microsoft Support.

III. Background Information

Microsoft explained that “a remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word…An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application”.[1] The workaround comes about six weeks after the vulnerability was first seen by researchers from Shadow Chaser Group on April 12th and reported to Microsoft on April 21st. The vulnerability was noticed in a bachelor’s thesis from August 2020, with attackers seemingly targeting Russian users.[2] A Malwarebytes Threat Intelligence analyst also found the flaw back in April but could not fully identify it. The company posted a tweet on the same day, April 12th.[2]

At first, when the flaw was first reported, Microsoft did not consider the flaw an issue. But now, it is clear that the vulnerability should be taken seriously, with Japanese security vendor Nao Sec tweeting a fresh warning, noting that the vulnerability was targeting users in Belarus. Security researcher Kevin Beaumont called the vulnerability Follina; the name comes from the zero-day code references to the Italy-based area code of Follina (0438).[2]

There is no fix for the flaw, but Microsoft recommends that affected users disable the MSDT URL to rectify the flaw for now. Disabling the MSDT URL, “prevents troubleshooters being launched as links including links throughout the operating system.”[2] To disable the MSDT URL, users should follow these steps:

  1. Run Command Prompt as Administrator
  2. Back up the registry key by executing the command “reg export HKEY_CLASSES_ROOTms-msdt filename
  3. Execute the command “reg delete HKEY_CLASSES_ROOTms-msdt /f” [2]

Microsoft says that the troubleshooters can still be accessed using the Get Help application and by using the system settings. Microsoft also says that if the calling application is an Office program, Office will open the document in Protected View and Application Guard for Office, which Microsoft says will “prevent the current attack.” However, Beaumont refuted that assurance in his analysis of the bug.[2] Microsoft also plans on updating CVE-2022-3019 with further information but did not specify when it would do so.[2]

Meanwhile, the unpatched flaw poses a significant threat. One reason is that the flaw affects a large number of people, given that it exists in all currently supported Windows versions and can be exploited via Office versions 2013-2019, Office 2021, Office 365, and Office ProPlus.[2] Another reason is that the flaw poses a major threat in its execution without action from the end-user. Once the HTML is loaded from the calling application, an MSDT scheme is used to execute a PowerShell code to run a malicious code payload.[2] Since the flaw is abusing the remote template feature in Microsoft Word, it is not dependent on a typical macro-based exploit path, which are common within Office-based attacks.[2]

Researchers say that this flaw is similar to last year’s zero-click MSHTML bug (CVE-2021-40444), which was pummeled by attackers, including the Ryuk ransomware gang. In fact, threat actors already pounced on this vulnerability. Proofpoint Threat Insight tweeted that threat actors were using the vulnerability to target organizations in Tibet by impersonating the “Women Empowerments Desk” of the Central Tibetan Administration. Moreover, the workaround Microsoft currently offers itself has issues and won’t provide much of a long-term fix. It is not friendly for admins because the workaround requires users to change their Windows Registry, says Aviv Grafti, CTO and founder of Votiro.[2]

IV. MITRE ATT&CK

  • T1219 – Remote Access Software
    An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks.
  • T1218 – System Binary Proxy Execution
    Threat actors bypass signature-based defects by proxying the execution of malicious content with signed, or trusted binaries. This technique often involves Microsoft-signed files, which indicates that the binaries were either downloaded from Microsoft or already native to the operating system.
  • T1221 – Template Injection
    Threat actors create or modify references in user document templates to conceal malicious code or force authentication attempts.
  • T1566 – Phishing
    Adversaries may utilize methods like phishing that involve social engineering techniques, such as posing as a trusted source.

V. Recommendations

  • Phishing Awareness Training
    Users should be informed and educated about new kinds of phishing scams currently being used and ones that have been used in the past. Awareness training should instruct users to avoid suspicious emails, links, websites, attachments, etc. Users should also be educated about new types of attacks and schemes to mitigate risk. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
  • Set Antivirus Programs to Conduct Regular Scans
    Ensure that antivirus and antimalware programs are scanning assets using up-to-date signatures.
  • Disable Microsoft Support Diagnostic Tool
    Microsoft recommends the affected users disable the MSDT URL to mitigate this vulnerability, as no patch yet exists for the flaw.
  • Strong Cyber Hygiene
    Enforce a strong password policy across all networks and subsystems. Remind users to be wary of any messages asking for immediate attention, links, downloads, etc. All sources should be verified. Recommended link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a
  • Turn on Endpoint Protection
    Enable endpoint detection and response (EDR) to stop unknown malware in the product you’re using.

VI. Indicators of Compromise (IOCs)

Because the HTTP GET request headers are out of order when compared to “typical” patterns, a custom-developed DDoS attack tool is assumed to be used, and it is possible that the values might change between campaigns. As such, Larry Cashdollar, a researcher at Akamai, says that writing signatures for these patterns may not benefit defenders from an IOC standpoint. More information can be found at the link below:

https://www.akamai.com/blog/security/revil-resurgence-or-copycat

VII. References

(1) Microsoft Security Response Center, ed. “Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability.” Microsoft Security Response Center, May 30, 2022. https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/.

(2) Montalbano, Elizabeth. “Microsoft Releases Workaround for ‘One-Click’ 0Day Under Active Attack.” Threatpost English Global, June 1, 2022. https://threatpost.com/microsoft-workaround-0day-attack/179776/.Threat Advisory created by the Cyber Florida Security Operations Center.

Contributing Security Analysts: Dorian Pope, Sreten Dedic, EJ Bulut, Uday Bilakhiya, Tural Hagverdiyev.