Threat Synopsis – Follina
Follina (CVE-2022-30190) is a remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (msdt.exe) that was observed in late May 2022. It was first publicised by the security research group “Nao Sec” on Twitter on May 27th and acknowledged by Microsoft on May 30th. It has since been confirmed in the wild, exploited by threat groups such as TA413, which is linked to the Chinese government, and earlier attacks apparently targeting the Philippines, Nepal and India were observed earlier in the year. MSDT is the troubleshooting wizard the operating system uses to collect system information and send it to Microsoft Support, and it ships with every supported version of Windows. The vulnerability has also been proven exploitable through Microsoft Office 2013, 2016, 2019, 2021, Office ProPlus and Office 365.
Follina carries a CVSS score of 7.8 and has been observed being delivered via malicious Microsoft Word “.doc” files. The observed exploit uses Word's remote template feature to retrieve an HTML file, which then uses the ms-msdt MSProtocol URI scheme to pass attacker-controlled parameters to MSDT and execute PowerShell. Although the cases observed so far have used Microsoft Word and Outlook, any Office product that handles oleObject relationships is potentially exploitable. What stands out is that the code runs via MSDT even with macros disabled; in the RTF variant of the lure the payload can be triggered from the Windows Explorer preview pane, so the user does not even have to open the document. Because MSDT is present on every Windows system, Office is ubiquitous, and phishing e-mail remains a constant path to infection, the vulnerability is important to understand and prepare for.
The discovery of Follina (CVE-2022-30190) in late May 2022 immediately became a hot topic because of the potential for Remote Code Execution (RCE) via a malicious Microsoft Office document and therefore the number of users exposed. Note that the attack executes locally and requires user interaction (opening or previewing the document); as the Fortinet analysis states, “remote” refers to the location of the attacker. Follina achieves RCE by abusing the Microsoft Support Diagnostic Tool (MSDT), which is native to Windows, and is delivered by malicious Office documents that load an HTML file from a remote location and execute malicious PowerShell commands.
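The two paragraphs above describe the infection chain as two artefacts an analyst can check statically: an Office package whose oleObject relationship points at an external (remote) target, and the fetched HTML invoking the ms-msdt: URI scheme. The script below is an added example written for this synopsis, not code from the original page, Microsoft or any referenced vendor. The Word package and HTML stage it inspects are constructed inline; the target URL and the IT_BrowseForFile value are placeholders, not real indicators or a working payload.

```python
# Added example (not from the original synopsis): static triage for a
# Follina-style lure. It checks the two artefacts the synopsis describes:
# an OOXML Word document whose oleObject relationship points at an external
# (remote) target, and the fetched HTML invoking the ms-msdt: URI scheme.
# The sample document and HTML are constructed here; the target URL and
# the parameter value are placeholders, not real indicators.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
# ms-msdt:/id <diagnostic pack> ... ; the in-the-wild lures used PCWDiagnostic.
MSDT_ID_RE = re.compile(r"ms-msdt:\s*/id\s+([A-Za-z0-9_]+)", re.IGNORECASE)


def external_ole_targets(docx_bytes: bytes) -> list[str]:
    """Return the Target of every oleObject relationship marked External.

    A normal embedded OLE object lives inside the package (TargetMode
    Internal or absent); an External target makes Word fetch the object
    from a URL, which is how the lure pulls the HTML stage.
    """
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if (rel.get("Type") == OLE_REL_TYPE
                        and rel.get("TargetMode", "Internal") == "External"):
                    targets.append(rel.get("Target", ""))
    return targets


def msdt_invocations(html: str) -> list[str]:
    """Return the diagnostic-pack id of each ms-msdt: URI in the HTML.

    The scheme itself is the indicator: a web page has no legitimate
    reason to redirect the embedded browser control into msdt.exe.
    """
    return MSDT_ID_RE.findall(html)


def build_sample_docx(target: str, external: bool) -> bytes:
    """Constructed minimal package carrying one oleObject relationship."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{OLE_REL_TYPE}" Target="{target}"{mode}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Constructed HTML stage: the lure sets window.location to an ms-msdt: URI.
# The parameter value is a placeholder, not a working payload.
SAMPLE_HTML = """<html><body><script>
window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \\"IT_BrowseForFile=PLACEHOLDER\\"";
</script></body></html>"""


def triage(docx_bytes: bytes, html: str) -> dict:
    """Combine both checks into one verdict for an analyst."""
    remote = external_ole_targets(docx_bytes)
    msdt = msdt_invocations(html)
    return {
        "remote_ole_targets": remote,
        "msdt_diagnostic_ids": msdt,
        "suspicious": bool(remote) or bool(msdt),
    }


if __name__ == "__main__":
    lure = build_sample_docx("http://example.invalid/stage.html", external=True)
    benign = build_sample_docx("embeddings/oleObject1.bin", external=False)
    print(triage(lure, SAMPLE_HTML))
    print(triage(benign, "<html><body>hello</body></html>"))
```

The external-target check is the one worth running at the mail gateway, since it flags the document before any HTML is fetched; the ms-msdt: check applies to the HTML stage captured from proxy logs or a sandbox. Neither check depends on the final PowerShell payload, so obfuscation of that stage does not affect them.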
As noted in the MSRC (Microsoft Security Response Center) blog, the attacker's code runs with the privileges of the calling application, so a successful attacker can install programs, view, change or delete data, and create new accounts in the context allowed by the victim's rights; running Office as a non-administrator limits the damage. As of this writing there is no official patch from Microsoft, but the MSRC blog describes a workaround to use until one is released: disable the MSDT URL protocol by exporting the HKEY_CLASSES_ROOT\ms-msdt registry key as a backup and then deleting it, which stops ms-msdt: links from launching msdt.exe while leaving the troubleshooters reachable through the Get Help application.
The aforementioned mitigation measures and further information can be found in the MSRC blog: https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability