
Threat Advisory: Follina

May 31, 2022
Written by Davinsi Labs

On 27/05/2022 a Japanese independent cybersecurity research group (@nao_sec) tweeted about a code execution vulnerability in the Microsoft Office productivity suite that abuses the ms-msdt: URI scheme; it has been dubbed Follina.

This vulnerability was previously highlighted in a paper by Benjamin Altpeter in 2020, but was only recently (12/04/2022) reported to Microsoft with a real-world exploitation example. Microsoft closed this report on 21/04/2022, stating it was not a security issue.

The original exploit works as follows: the user opens an apparently benign Microsoft Office file (Word, Excel, etc.) that references a malicious remote HTML template. The remote file is downloaded and its embedded JavaScript payload is executed; that payload abuses the ms-msdt protocol to invoke actions on the compromised host.

Because it is the Microsoft Support Diagnostic Tool that runs the attacker's embedded code, execution happens even when macros are completely disabled. Opening any Microsoft Office file could therefore lead to a compromise without the user noticing.

A zero-click variant is also being spread in the wild: if the document is saved as an RTF file, the payload is triggered by the preview pane in Windows Explorer, without the document ever being opened.

Due to the simplicity of the exploit and the many PoCs circulating on the internet, we expect exploitation of this vulnerability to become more prevalent in the coming days.

Scope of the vulnerability

The identifier CVE-2022-30190 has been given to the Follina vulnerability.

Microsoft Office 2013, 2016, 2019 and 2021, as well as the Professional Plus editions, are vulnerable.

Remediation

New update 16-06-2022: Microsoft has released security updates with the June 2022 cumulative Windows Updates to address Follina. While applying today's updates does not prevent Microsoft Office from automatically loading Windows protocol URI handlers without user interaction, it blocks PowerShell injection and disables this attack vector.

Mitigation

If Microsoft Defender’s Attack Surface Reduction (ASR) rules are utilised in your environment, activating the rule “Block all Office applications from creating child processes” in Block mode will prevent this from being exploited. However, if you’re not yet using ASR you may wish to run the rule in Audit mode first and monitor the outcome to ensure there’s no adverse impact on end users. 

Another option is to unregister the ms-msdt protocol. This prevents troubleshooters from being launched. However, editing registry keys is tricky and could lead to unforeseen issues, so it is suggested to back up the key before editing.

Procedure:

  1. Back up the registry key. Enter the following in a command prompt run as administrator:

       reg export HKEY_CLASSES_ROOT\ms-msdt regbackup

  2. Delete the registry key. Enter the following in a command prompt run as administrator:

       reg delete HKEY_CLASSES_ROOT\ms-msdt /f

To restore the registry key after an official patch is released, enter the following in a command prompt run as administrator:

       reg import regbackup

Detection

Successful exploitation of Follina can be detected by searching for command lines containing msdt.exe whose initiating process is WINWORD.EXE, EXCEL.EXE, OUTLOOK.EXE or POWERPNT.EXE.

Furthermore, sdiagnhost.exe will be spawned with a conhost.exe child process, along with any other processes launched by the malicious payload, e.g. cmd.exe.

Microsoft Defender:

DeviceProcessEvents
| where ProcessCommandLine contains "msdt.exe"
| where InitiatingProcessFileName has_any ("WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE", "POWERPNT.EXE")

Microsoft Defender for Endpoint contains two detection rules that monitor for Follina. The following alert titles in the Microsoft 365 Defender portal can indicate threat activity on your network:

  • Suspicious behavior by an Office application
  • Suspicious behavior by Msdt.exe

Hunting

Searching for post-exploitation activity could include, but is not limited to:

  • Any Office application spawning suspicious LOLBins such as mshta.exe, powershell.exe or cmd.exe
  • Any outgoing web traffic with the User-Agent string "Microsoft Office Existence Discovery"
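The process-tree checks from the Detection and Hunting sections, written out as an added example that is not part of the original advisory. It applies the advisory's Defender query (an Office process launching msdt.exe) and its hunting guidance (an Office process launching a LOLBin; sdiagnhost.exe spawning anything other than conhost.exe) to a constructed list of process-creation events. The field names loosely follow Defender's DeviceProcessEvents table, but the records, the helper names and the sample command lines are all made up for this example.

```python
"""Process-tree checks for Follina (CVE-2022-30190) activity.

Added example, not from the original advisory. Field names loosely follow
Defender's DeviceProcessEvents table; the records below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Office hosts named in the advisory. PowerPoint's binary is POWERPNT.EXE.
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE", "POWERPNT.EXE"}
# LOLBins the hunting section lists as suspicious children of Office.
LOLBINS = {"MSHTA.EXE", "POWERSHELL.EXE", "CMD.EXE"}


@dataclass(frozen=True)
class ProcessEvent:
    event_id: int
    file_name: str          # FileName of the created process
    command_line: str       # ProcessCommandLine
    parent_file_name: str   # InitiatingProcessFileName


def _is(name: str, expected: str) -> bool:
    """Case-insensitive comparison; Windows file names are case-insensitive."""
    return name.upper() == expected.upper()


def detect_msdt_from_office(events: Iterable[ProcessEvent]) -> list[int]:
    """The advisory's Defender query: command line contains msdt.exe and the
    initiating process is an Office application. Returns matching event ids."""
    return [e.event_id for e in events
            if "MSDT.EXE" in e.command_line.upper()
            and e.parent_file_name.upper() in OFFICE_PARENTS]


def hunt_office_lolbins(events: Iterable[ProcessEvent]) -> list[int]:
    """Office application spawning mshta.exe, powershell.exe or cmd.exe."""
    return [e.event_id for e in events
            if e.parent_file_name.upper() in OFFICE_PARENTS
            and e.file_name.upper() in LOLBINS]


def hunt_sdiagnhost_children(events: Iterable[ProcessEvent]) -> list[int]:
    """sdiagnhost.exe is expected to have only a conhost.exe child; any other
    child was requested by whatever the troubleshooter was made to run."""
    return [e.event_id for e in events
            if _is(e.parent_file_name, "sdiagnhost.exe")
            and not _is(e.file_name, "conhost.exe")]


def triage(events: Iterable[ProcessEvent]) -> dict[str, list[int]]:
    """Run all three checks over one event list."""
    events = list(events)
    return {
        "office_to_msdt": detect_msdt_from_office(events),
        "office_to_lolbin": hunt_office_lolbins(events),
        "sdiagnhost_children": hunt_sdiagnhost_children(events),
    }


# Constructed sample: a Follina-style chain mixed with benign Office activity.
SAMPLE_EVENTS = [
    ProcessEvent(1, "msdt.exe", "msdt.exe /id PCWDiagnostic", "WINWORD.EXE"),
    ProcessEvent(2, "splwow64.exe", "splwow64.exe 12288", "WINWORD.EXE"),       # print helper, benign
    ProcessEvent(3, "conhost.exe", "conhost.exe 0xffffffff -ForceV1", "sdiagnhost.exe"),
    ProcessEvent(4, "cmd.exe", "cmd.exe /c echo constructed-payload", "sdiagnhost.exe"),
    ProcessEvent(5, "powershell.exe", "powershell.exe -NoProfile -Command echo x", "EXCEL.EXE"),
    ProcessEvent(6, "msdt.exe", "msdt.exe /id PCWDiagnostic", "explorer.exe"),   # user-started troubleshooter
    ProcessEvent(7, "WINWORD.EXE", "WINWORD.EXE /n", "OUTLOOK.EXE"),            # attachment opened from Outlook
    ProcessEvent(8, "msdt.exe", "C:\\Windows\\System32\\msdt.exe /id PCWDiagnostic", "winword.exe"),
]

if __name__ == "__main__":
    for check, hits in triage(SAMPLE_EVENTS).items():
        print(f"{check}: {hits}")
```

Events 2, 6 and 7 are there to show what the checks do not flag: an Office process spawning its print helper, a troubleshooter started by the user from Explorer, and Outlook handing an attachment to Word. Event 8 matches because the comparison is case-insensitive, as `contains` and `has_any` are in KQL.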

Whenever Office makes a remote connection, a new entry is written under the following registry key:

HKEY_USERS\$USER_SID\SOFTWARE\Microsoft\Office\$OFFICE_VERSION\Common\Internet\Server Cache

YARA rules to hunt for Follina, provided by Florian Roth: https://github.com/Neo23x0/signature-base/pull/184/files

Vulnerability Identification

InsightVM and Nexpose customers can assess their exposure to CVE-2022-30190 with an authenticated vulnerability check in the content release of May 31.
InsightIDR customers have a new detection rule added to their library to identify attacks related to this vulnerability: https://www.rapid7.com/blog/post/2022/05/31/cve-2022-30190-follina-microsoft-support-diagnostic-tool-vulnerability

Threat advisory updates

This blog post will be continuously updated in case new findings are published. Reach out to info@davinsi.com if you need any assistance from our team of security experts.

We hope this threat advisory helps you react quickly to ongoing threats and underlines the need for patching and security monitoring.
