Researchers have reported that on Friday, May 27th, they found a zero-day vulnerability that is exploited through Microsoft Office. CVE-2022-30190, also known as Follina, had the cybercrime industry spending the weekend figuring out how to exploit it.
Fake Word documents are sent as email attachments. These .doc and .rtf email attachments are not documents at all. When the user opens the attachment, it infects the user's device through the 'ms-msdt' protocol scheme. It then remotely executes malicious code with the intent of extracting protected data.
Microsoft is reporting that this threat is impacting all Microsoft-supported versions of Office. The best thing you can do is not open attachments from unknown senders.
Interesting maldoc was submitted from Belarus. It uses Word's external link to load the HTML and uses the "ms-msdt" scheme to execute PowerShell code. https://t.co/hTdAfHOUx3 pic.twitter.com/rVSb02ZTwt
— nao_sec (@nao_sec) May 27, 2022
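A triage check for the technique described above (an Office file that links out to external HTML, which in turn invokes the 'ms-msdt' scheme), added here as an example and not code from DKBinnovative or the researchers quoted. The function names, the 5 MB size cap, the placeholder hosts and the relationship types in the sample are assumptions, and both sample inputs are constructed.

```python
import io
import re
import zipfile

MSDT = re.compile(rb"ms-msdt\s*:", re.I)           # scheme named in the advisory
REL = re.compile(rb"<Relationship\b[^>]*>")        # regex: no XML parser on untrusted input
ATTR = re.compile(rb'\b(Type|Target|TargetMode)\s*=\s*"([^"]*)"')
MAX_PART = 5 * 1024 * 1024                         # skip oversized parts
NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def scan_attachment(data: bytes) -> dict:
    """Triage one attachment: ms-msdt references and non-hyperlink external links."""
    found = {"msdt_scheme": bool(MSDT.search(data)), "external_links": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return found                  # .doc, .rtf or HTML: raw byte search only
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            if info.file_size > MAX_PART:
                continue
            part = pkg.read(info)     # decompress: raw search cannot see inside the zip
            found["msdt_scheme"] = found["msdt_scheme"] or bool(MSDT.search(part))
            if not info.filename.endswith(".rels"):
                continue
            for tag in REL.findall(part):
                a = {k.decode(): v.decode("utf-8", "replace") for k, v in ATTR.findall(tag)}
                external = a.get("TargetMode", "").lower() == "external"
                if external and not a.get("Type", "").endswith("/hyperlink"):
                    found["external_links"].append(a.get("Target", ""))
    return found


def build_sample_docx() -> bytes:
    """Constructed sample package: one ordinary hyperlink, one external object link."""
    rels = (
        f'<Relationships><Relationship Id="rId1" Type="{NS}/hyperlink" '
        'Target="https://example.com/" TargetMode="External"/>'
        f'<Relationship Id="rId2" Type="{NS}/oleObject" '
        'Target="https://example.invalid/page.html" TargetMode="External"/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_attachment(build_sample_docx()))
    print(scan_attachment(b'<a href="MS-MSDT:placeholder">constructed</a>'))
```

The external-link check only applies to zip-based Office files; for .doc and .rtf attachments only the raw search for the scheme runs. A hit is a reason to escalate the attachment for analysis, not a verdict.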
Please share this information with your organization and make sure they read it. Be suspicious of any emails that you are not expecting. If you are expecting an email, verify that it is coming from an address you trust.
If an email looks suspicious, please don't open it. Use email reporting tools to inform your IT or cybersecurity team immediately.
The centralized services team at DKBinnovative has thoroughly tested and implemented a workaround to protect our managed service and managed security service clients until Microsoft releases a patch for this vulnerability. Keeping our clients' data secure is our first priority so that they can focus on what they do best.
Update: Security researchers have discovered that one of Microsoft's latest patches seems to resolve the Follina vulnerability, but Microsoft has yet to make any official announcement. For this reason, DKBinnovative is keeping mitigations in place until further notice.