Overview of Follina

Over the holiday weekend, a Windows/Office zero-day vulnerability was discovered and found to be exploited in the wild. CVE-2022-30190 is exploited via specially crafted Office documents, even with macros disabled. The vulnerability has been given the name “Follina” and allows attackers to run malicious code on targeted systems.

A Japanese security vendor (Nao Sec) discovered the flaw and issued a warning via Twitter. Follina abuses the remote template feature in Microsoft Word to retrieve an HTML template from a remote URL. The document that Nao Sec saw in the wild used Word’s external link to load the HTML and then used the “ms-msdt” URL scheme to execute PowerShell code. MSDT stands for Microsoft Support Diagnostic Tool, a tool that collects diagnostic information and sends it to Microsoft Support. The ‘Protected View’ feature in Microsoft Office does prevent exploitation, but if the document is converted to RTF format, the payload runs without the document even being opened.

The above technique is known as template injection and has been used by known threat actors such as Lazarus and APT28. If an attacker successfully exploits Follina, they will be able to install programs; view, change, or delete data; and create new accounts, all within the context of the user’s rights. Although there is not yet a patch for the vulnerability, Microsoft has released workarounds.

The free version of Windows Defender does not detect Follina’s code-execution behavior as malicious, but the original payload is detected by the enterprise Microsoft Defender for Endpoint. Additionally, functional proof-of-concept (PoC) code is publicly available. Follina currently affects Microsoft Office 2013 and 2016, as well as the most recent version of Microsoft Office. Please see the recommendations below for mitigations regarding Follina.

How Avertium is Protecting Our Customers:

  • Expanding endpoints, cloud computing environments, and accelerated digital transformation have dissolved the perimeter into an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills.
  • Avertium recommends utilizing our DFIR (Digital Forensics and Incident Response) service to help you rapidly assess, contain, eradicate, and recover from a security incident.
  • Implement XDR as a prevention method. Our XDR combines monitoring software such as LogRhythm, Microsoft Azure Sentinel, or AlienVault with endpoint protection such as SentinelOne. XDR platforms collect, correlate, and analyze event data from any source on the network, including endpoints, applications, network devices, and user interactions.
  • Avertium offers Zero Trust Architecture, such as AppGate, to stop malware lateral movement.

Avertium's recommendations

Avertium and Microsoft recommend the following workarounds for Follina:

  • Disable the MSDT URL protocol to prevent troubleshooters from being launched as links.
    • Run Command Prompt as Administrator.
    • To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”.
    • Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
  • Disable Troubleshooting Wizards completely via GPO.
    • From an administrator prompt, run “reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics /f /v EnableDiagnostics /t REG_DWORD /d 0” to set the EnableDiagnostics value to 0, which disables the Microsoft Troubleshooter.
  • For those with Microsoft Defender Antivirus, turn on cloud-delivered protection and automatic sample submission.
  • For those with Microsoft Defender for Endpoint, enable the attack surface reduction rule “BlockOfficeCreateProcessRule”, which blocks Office applications from creating child processes. Spawning malicious child processes is a common malware technique.
    • The following alert titles in the Microsoft 365 Defender portal can indicate threat activity on your network:
      • Suspicious behavior by an Office application
      • Suspicious behavior by Msdt.exe
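The two registry workarounds and the Defender settings above, applied and verified in one script. This is an added example, not the advisory’s or Microsoft’s own code; it assumes an elevated PowerShell session, and the backup file path is an assumption. The ASR rule ID used is the published identifier of the “Block all Office applications from creating child processes” rule.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the advisory or from Microsoft): applies the MSDT
# workarounds above and reports the result. Assumed backup path; change as needed.
$BackupPath = "$env:SystemDrive\ms-msdt-backup.reg"
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics'
$HandlerKey = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

# 1. Back up the ms-msdt handler before removing it. Restore later with:
#    reg import <backup file>
if (Test-Path $HandlerKey) {
    reg export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
    # 2. Remove the URL protocol handler so ms-msdt: links no longer launch MSDT
    reg delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
}

# 3. Disable scripted diagnostics (troubleshooting wizards) through the policy
#    value; EnableDiagnostics must be a DWORD for the policy to be honored
New-Item -Path $PolicyKey -Force | Out-Null
Set-ItemProperty -Path $PolicyKey -Name EnableDiagnostics -Value 0 -Type DWord

# 4. Where Defender is present: cloud-delivered protection, sample submission,
#    and the ASR rule "Block all Office applications from creating child
#    processes" (its published rule ID; the advisory calls it
#    BlockOfficeCreateProcessRule)
if (Get-Command Set-MpPreference -ErrorAction SilentlyContinue) {
    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendAllSamples
    Add-MpPreference -AttackSurfaceReductionRules_Ids 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' `
                     -AttackSurfaceReductionRules_Actions Enabled
}

# 5. Verify that the two registry changes actually took effect
$policyValue = (Get-ItemProperty -Path $PolicyKey -Name EnableDiagnostics).EnableDiagnostics
[pscustomobject]@{
    MsdtHandlerRemoved  = -not (Test-Path $HandlerKey)
    DiagnosticsDisabled = ($policyValue -eq 0)
    BackupFile          = $BackupPath
}
```

Keep the exported .reg file: re-importing it restores the ms-msdt handler once a patch is applied.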

INDICATORS OF COMPROMISE (IOCS):

At this time, there are no known IoCs associated with Follina. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, reach out to your Avertium Service Delivery Manager or Account Executive.   

Supporting documentation

New zero-day code execution vulnerability in MS Office - Follina - FourCore 

Microsoft Releases Workaround Guidance for MSDT "Follina" Vulnerability | CISA 

Zero-day bug exploited by attackers via macro-less Office documents (CVE-2022-30190) - Help Net Security 

Follina — a Microsoft Office code execution vulnerability | by Kevin Beaumont | May, 2022 | DoublePulsar 

Zero-Day 'Follina' Bug Lays Microsoft Office Open to Attack | Threatpost 

Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability – Microsoft Security Response Center 
