Specialists warn users over recently revealed vulnerability exploitation found in all supported versions of Windows. It has been observed that threat actors actively used vulnerability to install payloads such as AsyncRAT trojan and infostealer.
What Is Follina Vulnerability
On May 27, 2022 remote code execution (RCE) vulnerability known as Follina became public. And just days after the information had been circulated specialists observed several instances of its exploitation.
Follina (CVE-2022-30190) is a vulnerability found in the Microsoft Support Diagnostic Tool (MSDT) that allows for the RCE on all vulnerable systems. The exploitation of this vulnerability is possible through the ms-msdt protocol handler scheme.
For the successful exploitation of this vulnerability threat actors don’t need to use macros and then somehow to lure victims to enable it. With Follina they deploy specially crafted Word Document.
This document will download and load through Word’s template feature a malicious HTML file. Ultimately, threat actors can now load and execute PowerShell code within targeted Windows.
Microsoft has issued multiple workarounds and advisories to reduce the vulnerability risk.
How Follina Vulnerability Works
When the details concerning this vulnerability started to circulate on the internet, threat actors enthusiastically began to install their payloads.
For the successful exploitation of Follina threat actors use HTML documents that get executed under WinWord. Upon execution msdt.exe starts as a child process.
Protocol handler entry in the registry enables these processes. After this Sdiagnhost.exe gets into action. This is the Scripted Diagnostics Native Host that allows for the final payload to be created — in the case of Follina it is PowerShell.
With Follina Vulnerability Threat Actors Can Install AsyncRAT and Browser Infostealer
It has been observed that threat actors have used quite a variety of payloads in the course of successful exploitation. In one of such instances threat actors deployed the remote access Trojan AsyncRAT with valid digital signature.
When this trojan runs it checks for the presence of antivirus software. But the main function of this malware is to collect various information on the targeted system like operating system information, executed path, user name, hardware identification, etc and send it back to command-and-control (C&C) server.
Having done the task malware waits for further commands from the C&C server and upon receiving them executes the commands on the targeted system.
Another instance of payload was browser infostealer which steals various browser information like saved login data, cookies from different web browsers such as Edge, Chrome, Firefox.
Follina Vulnerability Received It’s Patch
While the exploits of vulnerability are mainly done through malicious documents researchers also discovered other methods by which the exploit of Follina vulnerability can be successful.
Among them is the manipulation of HTML content in network traffic.
“While the malicious document approach is highly concerning, the less documented methods by which the exploit can be triggered are troubling until patched,” says Tom Hegel, senior threat researcher at security firm SentinelOne. “I would expect opportunistic and targeted threat actors to use this vulnerability in a variety of ways when the option is available—it’s just too easy.”
First time Follina flaw was noticed in August 2020 by an undergraduate researcher. But the vulnerability was reported to Microsoft on April 21.
So far, the company proposed mitigation that involves usage of Microsoft Defender Antivirus for monitoring and blocking exploitation and disable a specific protocol within Support Diagnostic Tool.
The company acknowledged the fact that the vulnerability has been exploited in the wild and it has already patched the issue.
Talking about classification of the Follina vulnerability, specialists say they would describe it as previously unknown vulnerability or ‘zero-day’ vulnerability; Microsoft has yet to give its own classification to it.
APT actors were already seen exploiting the vulnerability
More disturbing is the fact that Follina vulnerability has been observed to be used in longer infection chains.
For example, researchers from security firm Proofpoint on May 30, 2022 have observed Chinese APT actor TA413 sending malicious URLs in emails which were disguised as if being sent from the Central Tibetan Administration.
Researchers add that Follina vulnerability has been used on different stages in threat actors infection chains which depended on used tactics and existing toolkits.
This vulnerability was also seen to be used against numerous targets in Nepal, Belarus, the Philippines, India and Russia.
According to Proofpoint’s vice president of threat research Sherrod DeGrippo the company identified numerous instances of vulnerability being used within phishing campaigns.
As we already mentioned, the vulnerability is present on all supported versions of Windows and can be exploited on Office ProPlus, Office 2021, Office 2013 through 2019 and Microsoft Office 365.
Follina received a 7.8 CVSS score.
Government workers in Europe and US also fallen victims of the vulnerability
In addition to targeting other different entities across various countries, specialists report attacks on government workers exploiting this particular vulnerability.
They say it were state sponsored hackers that had attempted to use the Follina vulnerability in Microsoft Office against U.S and E.U government targets via a phishing campaign.
So far researchers have not identified which government was behind an attack.
Malicious emails of the phishing campaign contained alluring texts promising in fake recruitment pitches 20 percent boost in salary. To learn more recipients were urged to open an accompanying email attachment.
Sherrod DeGrippo, vice president of threat research at Proofpoint in Twitter tweeted about the similar incident where about 10 company’s customers received over 1,000 messages with the same text.