Vulnerability summary: Follina, CVE-2022-30190

blog-security-detection-720x420.png

On May 27, 2022, the nao_sec independent security research group shared a VirusTotal link to a weaponized Microsoft Office document revealing a previously unknown vulnerability in the Microsoft Support Diagnostic Tool (MSDT). This vulnerability is most likely to be exploited via phishing lure attachments and is triggered when a document is opened. Readers should expect this vulnerability to be adopted by threats of all kinds and be aware that it enables arbitrary code to be executed as outlined in Microsoft’s disclosure.

Summary

Readers may recall that template injection is an established technique enabling an attacker to remotely load malicious content when a document is opened by a relevant application. This vulnerability — dubbed “Follina” — works in conjunction with template injection, specifically when the remote template uses the ms-msdt URI handler. Importantly, it does not require macros to be enabled. As in other cases of template injection, readers should be aware that remote objects may be heavily obfuscated.

Security teams should monitor msdt.exe as a child process of WINWORD.exe and other applications, paying particular attention to command line arguments and network activity attributed to that child process. Security teams may also consider monitoring network activity from all MS Office applications and their descendants as one way of generically identifying initial exploitation attempts via weaponized documents.

Elastic is deploying a new malware signature to identify the use of ms-msdt URIs. This signature will be distributed via the Elastic Endpoint. The team has also issued an update to the “Suspicious MS Office Child Process” rule available via the detection-rules repository, adding “msdt.exe” to the list of suspicious descendants and “Outlook.exe” to the list of relevant parent processes. The following query pertains to Elastic Endgame:

Network where process_name == “msdt.exe” and 
descendant of  [process where process_name == “winword.exe” ]
| unique process_name, command_line

References

Several organizations have released information and resources related to this vulnerability (non-exhaustive):

  • Microsoft’s guidance, outlining one method of disabling the MSDT URL protocol
  • Huntress has provided their analysis of the vulnerability with additional information about ms-msdt abuse
  • Todyl has shared an Elastic query pertaining to process events
  • Kevin Beaumont has provided a write-up with historical and other details about potential implementations.
  • We're hiring

    Work for a global, distributed team where finding someone like you is just a Zoom meeting away. Flexible work with impact? Development opportunities from the start?