{"id":802567,"date":"2022-06-09T14:56:29","date_gmt":"2022-06-09T14:56:29","guid":{"rendered":"https:\/\/usesecurevpn.com\/?p=802567"},"modified":"2022-06-10T01:10:25","modified_gmt":"2022-06-10T01:10:25","slug":"exploitation-of-follina-zero-day-vulnerability","status":"publish","type":"post","link":"https:\/\/usesecurevpn.com\/es\/exploitation-of-follina-zero-day-vulnerability\/","title":{"rendered":"Exploitation of Follina Zero-Day Vulnerability"},"content":{"rendered":"\n[et_pb_section fb_built=\u00bb1″ _builder_version=\u00bb4.16.1″ _module_preset=\u00bbdefault\u00bb da_disable_devices=\u00bboff|off|off\u00bb global_colors_info=\u00bb{}\u00bb theme_builder_area=\u00bbpost_content\u00bb da_is_popup=\u00bboff\u00bb da_exit_intent=\u00bboff\u00bb da_has_close=\u00bbon\u00bb da_alt_close=\u00bboff\u00bb da_dark_close=\u00bboff\u00bb da_not_modal=\u00bbon\u00bb da_is_singular=\u00bboff\u00bb da_with_loader=\u00bboff\u00bb da_has_shadow=\u00bbon\u00bb][et_pb_row _builder_version=\u00bb4.16.1″ _module_preset=\u00bbdefault\u00bb global_colors_info=\u00bb{}\u00bb theme_builder_area=\u00bbpost_content\u00bb][et_pb_column type=\u00bb4_4″ _builder_version=\u00bb4.16.1″ _module_preset=\u00bbdefault\u00bb global_colors_info=\u00bb{}\u00bb theme_builder_area=\u00bbpost_content\u00bb][et_pb_text _builder_version=\u00bb4.17.4″ _module_preset=\u00bbdefault\u00bb text_text_color=\u00bb#3c73a3″ hover_enabled=\u00bb0″ global_colors_info=\u00bb{}\u00bb theme_builder_area=\u00bbpost_content\u00bb sticky_enabled=\u00bb0″]

Security researchers warned of exploitation noticed in the network, which Microsoft confirmed. So it looks like Windows and Office are affected by a zero-day vulnerability.<\/p>[\/et_pb_text][et_pb_divider _builder_version=\u00bb4.16.1″ _module_preset=\u00bbdefault\u00bb global_colors_info=\u00bb{}\u00bb theme_builder_area=\u00bbpost_content\u00bb][\/et_pb_divider][et_pb_text _builder_version=\u00bb4.17.4″ _module_preset=\u00bbdefault\u00bb hover_enabled=\u00bb0″ global_colors_info=\u00bb{}\u00bb theme_builder_area=\u00bbpost_content\u00bb sticky_enabled=\u00bb0″]

Windows has a security hole. It’s tracked as CVE-2022-30190. \u00abnao-sec\u00bb reported a malicious Word file that anybody can use to execute arbitrary PowerShell code. It looks like Belarus is a source of this file because it was uploaded to VirusTotal from that country.<\/p>\n

One of the first who analyzed the exploit was researcher Kevin Beaumont. He named it \u00abFollina\u00bb because the malicious file references 0438, the area code for the Italian village of Follina.<\/p>\n

Unfortunately, Microsoft has known about the vulnerability since April. \u00abCrazymanArmy\u00bb of the Shadow Chaser Group, a research team focusing on APT hunting and analysis, notified Microsoft about this vulnerability.
Moreover, Microsoft initially classified it as \u00abnot a security-related issue\u00bb.<\/p>\n

According to Microsoft, the \u00abissue has been fixed,\u00bb but a patch does not appear to be available.<\/strong><\/p>[\/et_pb_text][et_pb_image src=\u00bbhttps:\/\/usesecurevpn.com\/wp-content\/uploads\/2022\/06\/Take-control-of-your-online-security-horizontal.png\u00bb _builder_version=\u00bb4.17.4″ _module_preset=\u00bbdefault\u00bb theme_builder_area=\u00bbpost_content\u00bb alt=\u00bbTake control of your online security\u00bb title_text=\u00bbTake control of your online security\u00bb url=\u00bbhttps:\/\/www.xvuslink.com\/?a_fid=evpnicz&offer=3monthsfree&data1=Follina\u00bb url_new_window=\u00bbon\u00bb hover_enabled=\u00bb0″ sticky_enabled=\u00bb0″ align=\u00bbcenter\u00bb][\/et_pb_image][et_pb_text _builder_version=\u00bb4.17.4″ _module_preset=\u00bbdefault\u00bb hover_enabled=\u00bb0″ global_colors_info=\u00bb{}\u00bb theme_builder_area=\u00bbpost_content\u00bb sticky_enabled=\u00bb0″]

Even though initially this was described as a Microsoft Office zero-day vulnerability, Microsoft clarified that Follina affects the Microsoft Support Diagnostic Tool (MSDT). MSDT collects user\/device information and sends it to Microsoft support.<\/p>\n

Cybercriminals could use this vulnerability to run a code, install\/change\/delete data, or modify accounts.<\/p>\n

According to Microsoft (advisory for CVE-2022-30190):<\/p>\n

\n

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights,<\/p>\n<\/blockquote>\n

In the past, most exploits used macros to execute some code. Currently, it’s even worse because this attack does not use macros<\/strong>. Therefore, regardless macros are enabled or not, the malicious code can be executed.<\/p>\n

Everything gets even more interesting because Beaumont noticed an invitation to an interview with Sputnik Radio<\/strong> that is supposed to work as bait and target Russian users<\/strong>.<\/p>\n

Researchers have confirmed that exploitation works against multiple versions of Microsoft Office:<\/p>\n