System Compromised

Exploitation of Follina Zero-Day Vulnerability

Jun 9, 2022

  1. News
  2. Exploitation of Follina Zero-Day Vulnerability

Security researchers warned of exploitation noticed in the network, which Microsoft confirmed. So it looks like Windows and Office are affected by a zero-day vulnerability.

Windows has a security hole. It’s tracked as CVE-2022-30190. “nao-sec” reported a malicious Word file that anybody can use to execute arbitrary PowerShell code. It looks like Belarus is a source of this file because it was uploaded to VirusTotal from that country.

One of the first who analyzed the exploit was researcher Kevin Beaumont. He named it “Follina” because the malicious file references 0438, the area code for the Italian village of Follina.

Unfortunately, Microsoft has known about the vulnerability since April. “CrazymanArmy” of the Shadow Chaser Group, a research team focusing on APT hunting and analysis, notified Microsoft about this vulnerability.
Moreover, Microsoft initially classified it as “not a security-related issue”.

According to Microsoft, the “issue has been fixed,” but a patch does not appear to be available.

Take control of your online security

Even though initially this was described as a Microsoft Office zero-day vulnerability, Microsoft clarified that Follina affects the Microsoft Support Diagnostic Tool (MSDT). MSDT collects user/device information and sends it to Microsoft support.

Cybercriminals could use this vulnerability to run a code, install/change/delete data, or modify accounts.

According to Microsoft (advisory for CVE-2022-30190):

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights,

In the past, most exploits used macros to execute some code. Currently, it’s even worse because this attack does not use macros. Therefore, regardless macros are enabled or not, the malicious code can be executed.

Everything gets even more interesting because Beaumont noticed an invitation to an interview with Sputnik Radio that is supposed to work as bait and target Russian users.

Researchers have confirmed that exploitation works against multiple versions of Microsoft Office:

  • Office Pro Plus,
  • Office 2013,
  • Office 2016,
  • Office 2019
  • Office 2021.

What is more, Microsoft informed that this vulnerability affects Windows Operating Systems:

  • Windows 7,
  • Windows 8.1,
  • Windows 10,
  • Windows 11,
  • Windows Server 2008,
  • Windows Server 2012,
  • Windows Server 2016,
  • Windows Server 2019,
  • Windows Server 2022.

Nonetheless, if you update your system regularly, you should be safe. New Defender updates should detect and block files associated with this vulnerability. Still, to be safe, it’s good to check Microsoft’s guidance regarding this remote code execution vulnerability, including workarounds – Microsoft guidance

Various cybersecurity firms have published an analysis of the exploit:

  • Huntress,
  • Malwarebytes,
  • Sophos,

It’s also possible to find online proof-of-concept (PoC) exploits.

Recent Posts

About the author

Magic

Hi! I’m Magic,

Software, hardware, and test engineer with experience of 25+ years in military systems.

During years of work on multiple projects, I noticed that most people struggle with technical questions, and sometimes finding correct answers is impossible on the congested internet.
Therefore, I started providing my experience online by researching products and services to help everybody who seeks my help.

Would you be interested in learning more about my VPN services and security findings? If yes, please continue reading, and I thank you if you find it helpful and wish to support me by following one of the links.
Software developer
Hardware engineer
Test engineer

Pin It on Pinterest

Share This