Flash Report: Follina Vulnerability

ZeroFox Threat Intelligence has observed an identified vulnerability, Follina, which affects all versions of Windows. As of June 2, 2022, ZeroFox has released the following.

Key Findings

• The identified vulnerability, dubbed Follina, affects all versions of Windows still receiving security updates and has been designated as CVE-2022-30190.
• Chinese advanced persistent threat (APT) group TA413 has already been observed exploiting the Follina vulnerability.
• Disabling macros in Word does not prevent the exploit from being triggered; the payload can be initiated by opening a Word Document.
• CVE-2022-30190 can be triggered by viewing a weaponized Word document saved in Rich Text Document form in the Explorer preview pane.
• Workarounds are available.

Analyst Commentary

On May 27, 2022, security researcher “nao_sec” shared a malicious Word document that had been discovered taking advantage of Windows’ Microsoft Support Diagnostic Tool (MSDT). The document abused Microsoft Word’s ability to load remote document templates to retrieve a HTML file from a web server. The retrieved HTML document contained embedded JavaScript to trigger ms-msdt protocol via a window.location.href reference to execute a PowerShell script.¹ PowerShell is a cross-platform command line interpreter and scripting language created by Microsoft that is installed by default in Windows. This vulnerability, dubbed “Follina,” has been used in the wild. For example, a known Chinese APT, TA413, has been observed exploiting Follina while impersonating the “Women Empowerments Desk” of the Central Tibetan Administration.²

Microsoft has been aware of this vulnerability since April 2022, when another security researcher using the handle “crazyman” submitted a report about the exploit. Follina has been designated as CVE-2022-30190.

Recommendations

Microsoft shared instructions for an official workaround through the Microsoft Security Response Center (MSRC) website on May 30, 2022.³ To disable the MSDT protocol handler, Microsoft suggests the following steps:

To restore this functionality, administrators can once again open Command Prompt as an administrator and then run “reg import filename” where “filename” is the name of the backup file created earlier.

In addition to Microsoft’s instructions, the following recommendations should also be considered.

• Ensure antivirus and intrusion detection software is up to date with all patches and rule sets.
• Enable two-factor authentication for all organizational accounts to help mitigate phishing and credential stuffing attacks.
• Maintain regularly scheduled backup routines, including off-site storage and integrity checks.
• Avoid opening unsolicited attachments and never click suspicious links.
• Log and monitor all administrative actions as much as possible. Alert on any suspicious activity.
• Review network logs for potential signs of compromise and data egress.

_{^{1 https://github.com/chvancooten/follina.py/blob/main/follina.py
2 https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
3 https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/}}