Follina: The No Patch Microsoft Office 0-Day Bug [CVE-2022-30190] Springs in Wild
Pavithra Shankar
Securin Team
Aug 04, 2022
An unpatched vulnerability tracked as CVE-2022-30190 (aka Follina) in the remote Word template feature enables adversaries to execute malicious code on targeted systems of Microsoft Office. TA413, a Chinese state-sponsored threat actor, is now found to be exploiting the Follina Zero-day vulnerability to use it against the International Tibetan community.
On May 27, 2022, researchers have publicly disclosed a zero-day vulnerability in Microsoft Office that could be exploited by sending malicious Word documents to a victim’s computer, allowing remote code execution.
This Follina zero-day was first reported to Microsoft on April 12, 2022, when Word documents impersonated Russia’s Sputnik news agency by offering recipients a radio interview and were discovered exploiting the bug in the wild. However, the researcher who first reported the zero-day stated that Microsoft first classified the hole as “not a security-related problem” and later notified the researcher that the problem has been resolved, although no patch appears to be available.
Recent Developments
Yet another malware delivered via Follina: New Woody Rat malware is delivered onto victim networks through phishing emails targeting the Follina vulnerability in Microsoft Office documents.
Follina now Opens Rozena: A newly observed phishing campaign exploits the recently disclosed Follina security vulnerability to distribute a previously undocumented backdoor (Rozena) on Windows systems. The Rozena backdoor malware can be used to inject a remote shell connection back to the attacker.
The Long Sought Patch: Microsoft finally released fixes to address an actively exploited Windows zero-day vulnerability known as Follina as part of its Patch Tuesday updates.
Ukraine CERT Warns: CERT Ukraine warns that Sandworm may be exploiting Follina since April 2022. The advisory also stated that Russian hackers launched new campaigns leveraging Follina, sending malignant email messages to over 500 media outlets in Ukraine including radio stations and newspapers. There are a few indicators of compromise provided by CERT-UA that can help defenders detect CrescentImp infections. It is not known what type of malware family CrescentImp belongs to or what its functionality is.
Government Agencies Targeted
A new series of attacks targeting government agencies in Europe and the United States using the Follina” vulnerability. This campaign posed to be a pay increase and used an RTF with the exploit payload downloaded from 45.76.53[.]253.
In an interesting twist, Microsoft is now being actively exploited in phishing attacks to infect recipients with Qbot malware, AsyncRAT, and other malware. Furthermore, 0patch has released micro patches to help admins secure their systems while the Follina zero-day awaits an official fix since it is actively exploited in phishing attacks targeting, among others, US and EU government agencies.
Considering the series of attacks, CISA warning, and availability of multiple exploit code, Microsoft should have classified it as critical rather than giving a high severity rating.
The Zero Click Vulnerability {CVE-2022-30190}
Researchers referred to this vulnerability simply as Follina until a tracking number was assigned to it. It has since been assigned CVE-2022-30190.
A Rich Text Format (.rtf) file can be used to launch this vulnerability using only the Preview Pane in Windows Explorer. This increases the severity of the threat by making it possible to exploit it with a zero-click trigger rather than a single-click trigger. Furthermore, the triggering payload can communicate with remote locations, which may include NTLM hashes that can be exploited for additional post-exploitation.
CSW Team delved deep into this Follina vulnerability and found –
- This vulnerability is accredited with a CVSS v3 score of 7.8 (High).
- The flaw exists in all currently supported Windows versions affecting 41 Microsoft products, including Windows 11 and Office 365, works without elevated privileges, and bypasses Windows Defender detection.
- CISA has issued a warning advising users and administrators to follow Microsoft’s guidelines and implement the appropriate remedies.
- There are multiple Proof of Concept available on GitHub.
- The exploitation of this zero-day bug opens the door to a new major attack vector and runs binaries or scripts without activating macros, bypasses Windows Defender, and operates without elevated privileges.
- All the popular scanners such as Nessus, Nexpose, and Qualys were able to detect the Follina Vulnerability.
Here are the scanner plugin IDs –
Nessus | Nexpose | Qualys |
161691 | msft-cve-2022-30190-disable-msdt-url-protocol | 91909 |
Chinese Threat Actors Behind Follina
Proofpoint claimed in a tweet that TA413 CN APT found [in-the-wild] exploiting the Follina zero-day leveraging URLs to distribute ZIP packages containing Word Documents that employ the method. Campaigns pose as the Central Tibetan Administration’s ‘Women Empowerment Desk and utilize the domain tibet-gov.web[.]app.
Previously threat actor TA413— also known as LuckyCat and Earth Berberoka, was spotted targeting Tibetan organizations with Sepulcher malware, Exile RAT, and FriarFox via malicious browser extensions and COVID-19-themed espionage efforts.
Additionally, they also observed DOCX documents with Chinese filenames being used to deploy malware that was detected as a password-stealing trojan via http://coolrat[.]xyz.
According to security researchers, attackers are now using exploits based on CVE-2022-30190 to execute malicious code via the MSDT protocol when targets open or preview ZIP-archived Word files.
Indicators of Compromise (IOCs)
Known Malicious C2 Domain:
- www.xmlformats[.]com
- 141[.]105.65.149
- hxxps[:]//www.xmlformats.com/office/word/2022/wordprocessingDrawing/RDF842l.html.
Mitigation
We recommend admins to follow the mitigations listed by Microsoft to block any attacks exploiting the Follina flaw.
CVE-2022-30190 attacks can be prevented by disabling the MSDT URL protocol, which malicious actors use to launch troubleshooters and execute code on vulnerable systems.
Here is how to disable MSDT URL Protocol:
- Run Command Prompt as Administrator.
- To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename“
- Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
How to undo the workaround
- Run Command Prompt as Administrator.
- To back up the registry key, execute the command “reg import filename”
It is also advised to deactivate the Preview pane in Windows Explorer since it is another attack vector that can be used when targets preview infected documents.
Furthermore, Microsoft informed that Defender Antivirus 1.367.719.0 and later versions have detections for possible exploits of this vulnerability.
Organizations are urged to take quick action against this vulnerability and mitigate them immediately.
Note: Our team is constantly working on this story and we will update the blog as and when we get new information. Stay tuned!
Warding off such threats demands continuous discovery and agile patching driven by priority and trends.
Share this post on:
