0-Day Vulnerability Dubbed Follina
The charming cloister we can admire on the cover of this post is found in the Abbazia Cistercense Santa Maria di Follina. Follina is a municipality in the Province of Treviso in northern Italy. But it is also the name recently bestowed on a remote code execution vulnerability in the Microsoft Windows Diagnostic Tool (MSDT). Cybercriminals are exploiting this zero-day in the wild, and Microsoft has not yet officially released a patch remediating it. What exactly is Follina, and what can we do about it in the meantime to stay safe?
What is Follina?
On May 27 this year, the Japanese cybersecurity research team nao_sec detected a strange Word document in VirusTotal, uploaded two days earlier from an IP address in Belarus. This maldoc contained malicious code to leverage “the Word remote template feature to retrieve [an] HTML file from a remote [web server], which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute PowerShell.” These are the words of cybersecurity expert Kevin Beaumont, whose attention was drawn to the finding and who decided to investigate it. In fact, it was he who, recognizing that it was a zero-day vulnerability in MSDT, named it Follina. Why? Because one of the names of the referenced maldoc was “05-2022-0438,” and 0438 is the area code for Follina in Italy. Plain and simple.
Let’s drill down on the issue a bit further. MSDT, the affected tool, is an application that automatically collects information on a system and sends it to Microsoft Support for analysis and determination of solutions when something appears to be failing in Windows. Microsoft Word is among the applications that can call up MSDT through the ms-msdt:/ protocol URI scheme to launch its troubleshooter packs.

A URI (Uniform Resource Identifier) is a unique sequence of characters that identifies a resource in web technologies. A URL (Uniform Resource Locator), for instance, is a URI that provides the location of a resource so that it can be retrieved. There are many URI schemes; among them are http://, https://, mailto: and file://. The one that matters to us on this occasion is ms-msdt:/.
For the exploitation of Follina, the victim receives the Word document created by the attacker in an email built on a social engineering ploy to persuade them to open it. They do so. And though it may be a blank file, it “contains an external reference pointing to a malicious URL.” (It’s a problem that Office allows unfiltered loading from Word HTML templates and Outlook links.) From there, a payload using the ms-msdt:/ protocol is obtained, and Microsoft Office automatically processes it, which, in the case reported by Beaumont, leads to the execution of PowerShell. The attacker can then execute arbitrary code via PowerShell. (Here’s a brief illustrative video where a researcher shows a test of a “maldoc” that, when opened, leads to the execution of the Windows calculator.)

Beaumont found that this could even happen when macros are disabled. It was enough for the attacker to convert the document to Rich Text Format (RTF). Thus, even with Office Protected View enabled (which does not allow macros to run on documents from the Internet), code execution occurred with the victim only previewing the document, i.e., without opening it.
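The mechanism described above is a Word document that, on open, follows an external reference out to a web server. One defensive check an analyst can make before a suspicious document is ever opened is to list where it would reach out to. The following PowerShell is an added example, not code from the original post or from any researcher it cites. It reads the relationship parts of a .docx (word/_rels/*.rels, a detail of the Office Open XML format that the post does not describe) and reports every relationship whose TargetMode is External, flagging remote attached templates and any ms-msdt: target for review. The quarantine path in the usage line is a constructed placeholder. RTF files are not ZIP containers, so the RTF variant Beaumont mentions is not covered here.

```powershell
# Added example (not from the original post). Lists external relationships in a .docx so
# an analyst can see what the document would fetch at open time.
# Assumptions: the OOXML layout (word/_rels/*.rels, attachedTemplate relationship type);
# the usage path below is constructed.

Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-DocxExternalRelationship {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path
    )
    process {
        $full = (Resolve-Path -LiteralPath $Path).ProviderPath
        $zip  = [System.IO.Compression.ZipFile]::OpenRead($full)
        try {
            foreach ($entry in $zip.Entries) {
                # Relationship parts live under word/_rels (document.xml.rels,
                # settings.xml.rels for attached templates, and so on).
                if ($entry.FullName -notlike 'word/_rels/*.rels') { continue }

                $reader = New-Object System.IO.StreamReader($entry.Open())
                try { $xml = [xml]$reader.ReadToEnd() } finally { $reader.Dispose() }

                foreach ($rel in $xml.Relationships.Relationship) {
                    # Internal relationships point at other parts inside the package;
                    # only External ones make Word reach out when the file is opened.
                    if ($rel.TargetMode -ne 'External') { continue }

                    $relType = ($rel.Type -split '/')[-1]
                    $target  = [string]$rel.Target

                    # A remote attached template or a direct ms-msdt: target is the pattern
                    # worth a second look. http(s) templates also exist legitimately (for
                    # example corporate template servers), so this is a triage flag, not a verdict.
                    $review = ($relType -eq 'attachedTemplate' -and $target -match '^(https?|ms-msdt):') -or
                              ($target -match '^ms-msdt:')

                    [pscustomobject]@{
                        File         = $full
                        Part         = $entry.FullName
                        RelType      = $relType
                        Target       = $target
                        ReviewNeeded = $review
                    }
                }
            }
        }
        finally { $zip.Dispose() }
    }
}

# Usage (constructed path): review every .docx held in a quarantine folder.
# Get-ChildItem 'C:\Quarantine\*.docx' | Get-DocxExternalRelationship | Format-Table -AutoSize
```

A clean document from a local template produces no rows at all; a document built the way the post describes shows an attachedTemplate relationship pointing at an http(s) URL with ReviewNeeded set to True. The function never opens the document in Word, so inspecting it this way does not trigger the external fetch.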
According to journalist Jonathan Greig, this security issue was actually discovered almost two years ago in a bachelor’s thesis in Germany. Researcher @BaoshengbinCumt, meanwhile, said that exploitation tests began in October 2021 and the first attack took place in March this year. However, this vulnerability had to wait until April to be reported to Microsoft. It seems it was @CrazymanArmy, leader of the Shadow Chaser Group, who did it more than a month before nao_sec’s discovery, delivering to Microsoft a maldoc that was being sent to Russian users. It was disturbing then that the company responded by denying that it was a security issue. Apparently, they failed to replicate the exploit, arguing that a passcode is required when starting msdt.exe. Nevertheless, when the predicament resurfaced at the end of May, Microsoft officially spoke out.
They assigned Follina the identifier CVE-2022-30190 and published a guidance blog post in which they initially said the following:

An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.

Therefore, in the case mentioned above, the privileges the attacker obtained remotely were the same as those of the victim who received the Word file. Beaumont and other security researchers demonstrated Follina on Office 2013, 2016, 2019, 2021, ProPlus and 365. There’s no question we are dealing with a very dangerous vulnerability, with a high severity level (apparently a CVSS score of 7.8) and broad implications due to the massive use of Microsoft Office worldwide.
Other attacks associated with Follina exploitation
Once a vulnerability is no longer a closed book, the number of attacks begins to grow dramatically. On May 31, there was already news of several state-backed threat actors exploiting it. The security firm Proofpoint, for example, reported attacks by a China-linked hacking group against the Tibetan community. These cybercriminals used URLs to deliver ZIP archives containing maldocs in which they posed as the Women’s Empowerment Desk of the Central Tibetan Administration. A few days later, Proofpoint said it had blocked a phishing campaign targeting some of its customers: government entities in Europe and the U.S. The lure document used to exploit Follina was intended to deceive the targets by talking about salary increases.

Image taken from Threat Insight Twitter account.
On June 7, Proofpoint revealed having seen the threat actor they refer to as TA570 exploiting Follina to deliver the QBot (aka Qakbot) trojan. Attackers send messages with HTML attachments that, when opened, download a ZIP file containing an IMG file. This one, in turn, includes Word, DLL and LNK files. The LNK executes the DLL to start Qbot. The Word document loads and executes, from an external server, an HTML file containing PowerShell to abuse Follina and thus download and run Qbot. This trojan has been widely used to steal banking information and is tied to several ransomware variants (e.g., ProLock, Egregor, Conti, and Black Basta). The situation with Follina worsens with ransomware groups now wanting to cash in on it.
What could you do about it?
So far, Microsoft has not released a patch for Follina. It is expected to arrive soon. What has been recommended up until now are merely temporary workarounds. In their guidance, as a preventive measure, Microsoft suggests disabling the MSDT URL protocol. Their instructions are as follows:

- Run Command Prompt as Administrator.
- To back up the registry key, execute the command reg export HKEY_CLASSES_ROOT\ms-msdt filename.
- Execute the command reg delete HKEY_CLASSES_ROOT\ms-msdt /f.

That second step is essential so that you can restore the registry key with the reg import filename command as soon as this workaround is no longer needed. Of course, when the patch is released, install it as soon as possible.
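The three steps above are easy to get wrong at scale: if the export fails silently and the key is deleted anyway, there is nothing to import later. The following PowerShell is an added example, not Microsoft’s guidance text or code from the original post. It wraps the documented steps (elevated session, reg export backup, reg delete) into a single script that can report the current state of the ms-msdt handler, apply the workaround only after confirming the backup exists, and revert it with reg import once the patch is installed. The default backup location and the script file name in the usage note are constructed.

```powershell
# Added example (not from Microsoft's guidance or the original post). Applies, checks and
# reverts the documented ms-msdt workaround in one place.
# Assumptions: run from an elevated PowerShell session; the backup path is a constructed default.
[CmdletBinding()]
param(
    [ValidateSet('Status', 'Apply', 'Revert')]
    [string]$Action = 'Status',

    # Where the exported key is written; the Revert step feeds this file to reg import.
    [string]$BackupPath = (Join-Path $env:ProgramData 'ms-msdt-backup.reg')
)

$KeyName = 'HKEY_CLASSES_ROOT\ms-msdt'   # form reg.exe expects
$KeyPs   = "Registry::$KeyName"          # form the PowerShell registry provider expects

function Test-Elevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-MsdtHandlerStatus {
    # Reports whether the ms-msdt: protocol handler is still registered and what it would run.
    $backupExists = Test-Path -LiteralPath $BackupPath
    if (-not (Test-Path -LiteralPath $KeyPs)) {
        return [pscustomobject]@{ HandlerPresent = $false; Command = $null; BackupExists = $backupExists }
    }
    $cmd = (Get-ItemProperty -LiteralPath "$KeyPs\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{ HandlerPresent = $true; Command = $cmd; BackupExists = $backupExists }
}

switch ($Action) {
    'Status' { Get-MsdtHandlerStatus }

    'Apply' {
        # Step 1 of the guidance: an elevated session is required to touch HKEY_CLASSES_ROOT.
        if (-not (Test-Elevated)) { throw 'Run this from an elevated (Administrator) session.' }
        if (-not (Test-Path -LiteralPath $KeyPs)) {
            Write-Output 'ms-msdt key already absent; nothing to do.'
            break
        }

        # Step 2: back up first, and refuse to delete if the export produced no file,
        # because otherwise there is nothing to restore from later.
        & reg.exe export $KeyName $BackupPath /y | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $BackupPath)) {
            throw "Backup of $KeyName to $BackupPath failed; not deleting the key."
        }

        # Step 3: remove the protocol handler so ms-msdt: URIs no longer launch msdt.exe.
        & reg.exe delete $KeyName /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg delete of $KeyName failed." }
        Get-MsdtHandlerStatus
    }

    'Revert' {
        if (-not (Test-Elevated)) { throw 'Run this from an elevated (Administrator) session.' }
        if (-not (Test-Path -LiteralPath $BackupPath)) { throw "No backup found at $BackupPath; cannot restore." }
        # Restores the key exactly as exported, once the patch is installed.
        & reg.exe import $BackupPath | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg import of $BackupPath failed." }
        Get-MsdtHandlerStatus
    }
}
```

Saved as, say, Set-MsdtWorkaround.ps1 (a constructed name), the script is run with -Action Status to confirm the handler is present, -Action Apply to export and delete it, and -Action Revert after the June update is installed. Checking $LASTEXITCODE and the presence of the backup file is what keeps the second step from being skipped by accident.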
Microsoft also recommended that its customers with Microsoft Defender Antivirus turn on “cloud-delivered protection and automatic sample submission” to identify and stop threats. In addition, you should be careful with emails sent by unknown senders. Be very wary of those with Microsoft Office files attached. If you open them or even see them in preview mode, you may find yourself in dire straits.

It’s worth mentioning that free “micropatches” for Follina were published unofficially by the 0patch team for different versions of Windows and Windows Server. Afterward, they released micropatches for another vulnerability dubbed DogWalk. But why on earth is this relevant? DogWalk is another zero-day in MSDT. It is a security issue that, like Follina, was discovered in 2020, was not seen by Microsoft then as a bug and is now also being dusted off.
Update (June 14): Microsoft has officially released the patch for Follina. They say the following:

The update for this vulnerability is in the June 2022 cumulative Windows Updates. Microsoft strongly recommends that customers install the updates to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action.
This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Felipe Ruiz. Read the original post at: https://fluidattacks.com/blog/zero-day-vulnerability-follina/