Is there anything you can do about Follina?

Microsoft Office Zero-Day Vulnerability Abused To Execute PowerShell

On May 27, 2022, a zero-day remote code execution bug in Microsoft Office was discovered by Nao_Sec (1) and dubbed "Follina" by researcher Kevin Beaumont. This vulnerability enables an unauthenticated person to gain persistent access and take control over a target system remotely by exploiting downloaded Microsoft Office files. Hackers can use it to execute malicious PowerShell commands through Microsoft Diagnostic Tool (MSDT) even if Office macros are disabled.

"The document uses the Word remote template feature to retrieve an HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell," researcher Kevin Beaumont explained. "That should not be possible." (2)

On May 30, 2022, Microsoft issued CVE-2022-30190. Microsoft Office versions 2013, 2016, 2019, and 2021, as well as Professional Plus editions, are impacted. However, there is no patch available as of June 1st, 2022.

In this blog post, we analyze the malware sample and show you how to defend yourselves from the attacks.

Overview of the Attack Abusing CVE-2022-30190

By analyzing the sample, we found that the attack approach is not new. The threat author used a similar attack vector as the campaign exploiting CVE-2021-40444 in September 2021. Both attacks used an external link in a relationship file leading to a malevolent HTML file.

Using phishing or social engineering, the cybercriminals delivered a weaponized Microsoft Word file (.docx) to the target victims and tricked them into opening it. The file contains an external URL referencing an HTML, which has an unusual JavaScript code.

External Link Threat

That JavaScript references a URL with the ms-msdt: scheme that can execute a remote code. 

JavaScript Executing Remote PowerShell Code
This is a recreated image from a POC sourced from https://twitter.com/0xBacco/status/1531599168363548672 to show an example of the JavaScript

How to Prevent the Attack

On 30 May 2022, Microsoft published guidance on workarounds to support users mitigating the newly exposed vulnerability (3). Currently, disabling the MSDT URL protocol appears to be the easiest option. Nevertheless, it is not yet clear what the impact of disabling MSDT URL protocol could be.

However, if you are using OPSWAT MetaDefender with our industry-leading Deep CDR (Content Disarm and Reconstruction) technology, you don't have to worry about all of these things. Your network and users are safe from the attacks since all the active content concealed in the harmful files is disabled by Deep CDR before reaching your users.

Hereunder, we demonstrate how Deep CDR handles the malicious file and generates a safe-to-consume file for your users whether it was uploaded to your web application or received as an email attachment.

Neutralize the toxic Microsoft Word file

Once the .docx file with a malicious URL enters your organization's network via emails, file uploads, etc., MetaDefender scans it with multiple anti-malware engines using OPSWAT Metascan and examines the file for potential threats, such as OLE objects, hyperlinks, scripts, etc. Next, all the embedded threats are removed or recursively sanitized depending on Deep CDR configurations. As shown in our file processing result, an OLE object was removed and the XML content was sanitized.

After the process, the .docx document no longer contains the malicious HTML link as it was replaced with a "blank" link. As a result, even if your internal users open the file, no malware is loaded and executed.

Safe Target Blank

Scanning the cleaned file released after the process with both OPSWAT Metascan and OPSWAT Sandbox, we can see that the document is risk-free.

Sanitized File by MetaDefender

Deactivate the HTML file’s JavaScript

In case you configure Deep CDR engine to accept URLs in files, you are still completely protected. Deep CDR removes the malicious JavaScript in the loaded HTML file because it's considered as a potential threat. Without the JavaScript, the PowerShell code cannot be downloaded and executed. Your users can open and use the threat-free reconstructed file with full usability.

POC HTML

Don’t Rely on Detection

This new exploitation method is hard to detect because the malware is loaded from a remote template, so the .docx file can bypass the network defense as it does not contain malicious code (2). Likewise, cybercriminals continue to actively exploit vulnerabilities and abuse various attack vectors leveraging Microsoft Office programs and features like macros, external links, OLE objects, and so on to deliver or trigger malware. For a true zero trust implementation, you cannot rely on a detect-to-protect security model to prevent zero-day attacks. Organizations need a comprehensive threat prevention solution to protect them from both known and unknown malware.

OPSWAT Deep CDR is an innovative and effective solution to defeat advanced evasive malware and zero-day attacks. It stops the attacks at the earliest stage by disarming all suspect executable components, and at the same time, providing 100% threat-free safe to consume files.

Learn more about OPSWAT’s Deep CDR technology. To see how we can help provide comprehensive protection to your organization against weaponized documents, talk to an OPSWAT specialist now.

Reference

[1] https://twitter.com/nao_sec/status/1530196847679401984

[2] https://medium.com/m/global-identity?redirectUrl=https%3A%2F%2Fdoublepulsar.com%2Ffollina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e

[3] https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

Sign up for Blog updates!
Get information and insight from the leader in advanced threat prevention.