Follina — Microsoft Office code execution vulnerability
Microsoft tracked as CVE-2022-30190 a new vulnerability, also called “Follina,” that leverages Microsoft Office to lure victims and execute code without their consent. As mentioned by Microsoft, “a remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word.”
The first campaign in the wild taking advantage of this vulnerability was noticed on May 27, 2022, by a security researcher (@nao_sec) on Twitter.
Figure 1: First sample of Follina remote code execution flaw.
Learn Vulnerability Management
The Phishing wave
According to the researcher, the sample was obtained from the VirusTotal platform. Its low detection rate was alarming; only four security vendors detected the document was malicious.
The phishing wave linked to the malicious document refers to an “increase in salary.” The author behind the threat used an RTF, with the payload downloaded from a remote server in Japan.
Figure 2: Phishing template and MS Office file with the malicious payload.
However, some weeks before (back to April 2022), a file-themed “invitation for an interview” targeting users in Russia was also uploaded to VirusTotal. According to the researchers, it takes advantage of the same strategy and uses the Follina flaw to infect the victims.
Figure 3: Follina vulnerability exploited in April 2022 in Russia.
Also in April 2022, other templates were found on VirusTotal exploiting this flaw — a clear sign that criminals may have been exploiting this vulnerability for some time.
Figure 4: Other MS Office templates taking advantage of Follina's flaw to attack users worldwide.
The real danger of this threat can be devastating because it affects all Microsoft Office versions. This means that all the machines with Microsoft Windows and MS Office installed can be vulnerable, including the last Windows Server 2022.
One of the reasons it is effective is that it uses no macros to perform the attack chain. With a single click on the infected MS Office file, the exploit will run and execute the infection chain without the usual alert to “Enable the Macros Features.”
The high-level diagram of the Follina vulnerability is shown below.
Figure 5: High-level diagram of Follina vulnerability.
These simple steps:
- Crooks start a new phishing wave and send an email to lure the victims with an MS Office file containing the exploit.
- The user opens the MS Office file. After that, the first payload executes via a controlled external resource hardcoded in the “document.xml.ref” file.
- The Follina payload is transmitted to the victims’ side.
- The code executes additional payloads, PowerShell commands and so on. It abuses the legitimate Microsoft Support Diagnostic Tool.
Follina and the Microsoft Diagnostic Tool
The Follina exploits execute an external reference pointing to a malicious server. By analyzing the file, it’s possible to find the target file “document.xml.rels” where the OLE Object external reference is present.
Figure 6: Target file where the malicious OLE object external reference is available.
Every time the MS Office document is executed, the external resource is loaded from the hardcoded address present in Figure 6 that responds with a malicious payload containing an ms-msdt: command-invoking PowerShell Script.
Figure 7: External resources loaded by the malicious MS Office file when executed.
Digging into the resource details, the ms-msdt Powershell script is loaded remotely and executed. As observed below, part of the content is encoded via Base64.
Figure 8: ms-msdt Powershell script used during the Follina malicious chain.
After decoding the Base64 payload, the plain text indicates a new payload is downloaded from the internet and executed.
Figure 9: Final payload of Follina infection chain.
At this point, any payload or implant can be executed by criminals, including CobalStrike beacons, RAT or even ransomware.
Learn Vulnerability Management
Mitigation Steps
Although there are no patches from Microsoft, some workaround were published that will at least mitigate the risk associated with this vulnerability. You can access the official guide here.
Also, a simple script available on GitHub can be used to extract the Follina URLs associated with the external resources.
Sources:
Detect the Follina MSDT Vulnerability, Qualys
Follina vulnerability, Microsoft
Microsoft Office code execution vulnerability, Doublepulsar
Rapid Response: Microsoft Office RCE, Huntress
Learn Vulnerability Management
Build your vulnerability assessment and management skills with dozens of courses. What you'll learn- Vulnerability scanning
- Classifying and prioritizing
- Patching and mitigating
- Building a program
- And more
In this Series
- Follina — Microsoft Office code execution vulnerability
- The most popular binary exploitation techniques
- Roadmap for performing an Active Directory assessment
- The importance of asset visibility in the detection and remediation of vulnerabilities
- Digium Phones Under Attack and how web shells can be really dangerous
- vSingle is abusing GitHub to communicate with the C2 server
- The most dangerous vulnerabilities exploited in 2022
- Spring4Shell vulnerability details and mitigations
- How criminals are taking advantage of Log4shell vulnerability
- Microsoft Autodiscover protocol leaking credentials: How it works
- How to write a vulnerability report
- How to report a security vulnerability to an organization
- PrintNightmare CVE vulnerability walkthrough
- Top 30 most exploited software vulnerabilities being used today
- The real dangers of vulnerable IoT devices
- How criminals leverage a Firefox fake extension to target Gmail accounts
- How criminals have abused a Microsoft Exchange flaw in the wild
- How to discover open RDP ports with Shodan
- Time to patch: Vulnerabilities exploited in under five minutes?
- Whitespace obfuscation: PHP malware, web shells and steganography
- New Sudo flaw used to root on any standard Linux installation
- Turla Crutch backdoor: analysis and recommendations
- Volodya/BuggiCorp Windows exploit developer: What you need to know
- AWS APIs abuse: Watch out for these vulnerable APIs
- How to reserve a CVE: From vulnerability discovery to disclosure
- SonicWall firewall VPN vulnerability (CVE-2020-5135): Overview and technical walkthrough
- Top 25 vulnerabilities exploited by Chinese nation-state hackers (NSA advisory)
- Zerologon CVE-2020-1472: Technical overview and walkthrough
- Unpatched address bar spoofing vulnerability impacts major mobile browsers
- Software vulnerability patching best practices: Patch everything, even if vendors downplay risks
- What is a vulnerability disclosure policy (VDP)?
- Common vulnerability assessment types
- Common security threats discovered through vulnerability assessments
- Android vulnerability allows attackers to spoof any phone number
- Malicious Docker images: How to detect vulnerabilities and mitigate risk
- Apache Guacamole Remote Desktop Protocol (RDP) vulnerabilities: What you need to know
- Linux vulnerabilities: How unpatched servers lead to persistent backdoors
- Tesla Model 3 vulnerability: What you need to know about the web browser bug
- How to identify and prevent firmware vulnerabilities
- Will CVSS v3 change everything? Understanding the new glossary
- URGENT/11 vulnerability
- 32 hardware and firmware vulnerabilities
- The Zero Day Initiative
- CVE-2018-11776 RCE Flaw in Apache Struts Could Be Root Cause of Clamorous Hacks
- XML vulnerabilities are still attractive targets for attackers
- Broadpwn Wi-Fi Vulnerability: How to Detect & Mitigate
- Mobile Systems Vulnerabilities
- 10 Security Vulnerabilities That Broke the World Wide Web in 2016
- Most Exploited Vulnerabilities: by Whom, When, and How
- Exploiting CVE-2015-8562 (A New Joomla! RCE)
- Security vulnerabilities of voice recognition technologies
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Vulnerabilities
Vulnerabilities
