Over the holiday weekend, a Windows/Office zero-day vulnerability was discovered and found to be exploited in the wild. CVE-2022-30190 is exploited via specially crafted Office documents, even with macros disabled. The vulnerability has been given the name “Follina” and allows attackers to run malicious code on targeted systems.
A Japanese security vendor (Nao Sec) discovered the flaw and issued a warning via Twitter. Follina abuses the remote template feature in Microsoft Word to retrieve an HTML template from a remote URL. The document that Nao Sec saw in the wild used Word’s external link to load the HTML and then used the “ms-msdt” scheme to execute PowerShell code. MSDT stands for Microsoft Support Diagnostic Tool, a tool that collects information and sends it to Microsoft Support. The ‘Protected View’ feature in Microsoft Office does prevent exploitation, but if the document is converted to RTF format, the exploit runs without the document even being opened.
The above technique is known as template injection and has been used by known threat actors such as Lazarus and APT28. If an attacker successfully exploits Follina, they can install programs; view, change, or delete data; or create new accounts, within the limits of the affected user’s rights. Although there are no patches for the vulnerability yet, Microsoft has released workarounds.
The free version of Windows Defender does not detect Follina’s code execution behavior as malicious, but the original payload is detected by the enterprise Microsoft Defender for Endpoint. Additionally, functional proof-of-concept (PoC) code is publicly available. Follina currently affects Microsoft Office 2013 and 2016, as well as the most recent version of Microsoft Office. Please see the recommendations below for mitigations regarding Follina.
Avertium and Microsoft recommend the following workarounds for Follina:
At this time, there are no known IoCs associated with Follina. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, reach out to your Avertium Service Delivery Manager or Account Executive.
Related Reading: Flash Notice: Microsoft Azure OMIGOD Vulnerability