A new vulnerability related to the Office suite has recently been discovered. This vulnerability is already exploited in the wild, as malicious files exploiting the vulnerability have been discovered by nao_sec researchers on viral parts centralization platforms. This vulnerability, referenced as CVE-2022-30190, has a CVSS score of 7.8/10. An update on the threat, with the Stormshield Customer Security Lab team.

Update 02/06: A new sample using a different exploit strategy has been discovered by Stormshield teams, Stormshield Endpoint Security Evolution protections have been modified accordingly.

 

Context of the Follina attack

Cybersecurity research firm nao_sec announced on May 27 via Twitter that it had discovered a virus strain using a new attack vector found in the wild. This new vector uses the Windows diagnostic tool to execute malicious loads.

The vulnerability is dangerous because of its ease of exploitation and execution: all that is needed is an Office or RTF file pointing to a server distributing the viral load. Microsoft has acknowledged the vulnerability in a communication.

 

Follina vulnerability technical details

Exploitation technics

The exploitation of this vulnerability allows to bypass the security tools and preventive measures of the Office suite in three points:

  1. The Office protection on publishing documents from the Internet:

Figure 1: Default blocking of Internet file manipulation

  1. Office protection on documents containing macros:

Figure 2: Default blocking of macros

  1. Possible AV / Endpoint protection by maliciously exploiting supposedly benign Microsoft proprietary resources

 

For now, Office documents are only one of the potential entry points. Indeed, it is possible to open a malicious document through the Windows diagnostic engine, after loading an HTML file via web scripting commands such as wget or curl.

And if we come back to the case of the malicious document (which affects a wider audience), the operation is particularly devious since the viral load contained in the file can be executed either when the file is opened, or simply when it is previewed by the Windows Explorer:

Figure 3: The proof-of-concept launches PowerShell commands

The attack pattern would be as follows:

Figure 4: An exploitation graph of the CVE-2022-30190

 

The attack vector exploits two key components:

The first one: an Office suite file, which points to a controlled HTML resource on an attacker's server. Since Microsoft Office documents are built as objects with a reference to a malicious server (here, the address is localhost for our POC), the resource will be mechanically loaded by Office and trigger the vulnerability.

Figure 5: The reference file in the Office document

This type of file is not malicious in itself, and is a required element of any Office document that embeds content hosted on the web.

The second one: an HTML file built to trigger the vulnerability.

Figure 6: The remote resource retrieved from the attacker's server

The result is the creation of processes on the workstation starting the desired load, in our case PowerShell. The execution chain is in two steps: the first part is done by the Office suite before being processed by the DCOM service.

Figure 7: The process related to the execution of the load

Targeted systems

This vulnerability affects systems 7, 10 and 11, Server 2008 to 2022 both 32-bit and 64-bit, regardless of the system language.

Other information

Exploitation kit

To date, there are POCs that allow industrializing the creation of Office documents by specifying a remote server that returns a malicious payload to execute. It is therefore impossible to specify the threat by hash given the large number of documents that could be generated.

Administrative rights

This type of malware does not require administrator rights in order to drop and launch its payload. As such, attackers will use this vulnerability to establish initial access before attempting other actions.

Execution time

The malware performs its malicious actions very shortly after starting.

Miscellaneous

  • A Windows update dedicated to all affected OS is available since May 30.
  • The recent nature of the vulnerability means that the patch proposed by Microsoft does not fully cover the problem and new exploitation techniques are emerging.
  • It is possible to disassociate the ms-msdt protocol from the Windows diagnostic engine to mitigate the attack surface, but this is only a temporary solution that could have functional impacts on the computers.

 

Stormshield products protections

Stormshield Network Security

A specific IPS signature allowing to block the Javascript script contained in the "Get" phase and allowing to trigger the exploitation. It has been published under the reference :

  • http :javascript :stack .518 - Remote code execution attempt via the MSDT Follina vulnerability (CVE-2022-30190)

Confidence index of the protection offered by Stormshield

Confidence index of no false positives 

Stormshield Endpoint Security Evolution

A specific set of rules has been made available to users to counter this malware.

It is intended to block any program that starts the Windows diagnostic tool with the typical parameters of the vulnerability exploitation.

Figure 8: The blocking rule

Confidence index of the protection offered by Stormshield

Confidence index of no false positives

Stormshield Endpoint Security 7.2

For SES 7.2, it is recommended to block the execution of msdt.exe by processes from the Office suite, PowerShell and WordPad as a first stop to the attack.

A policy for SES 7.2 containing sample rules for blocking the vulnerability is provided on the MyStormshield space.

Figure 9 : SES 7.2 protection policy

Confidence index of the protection offered by Stormshield

Confidence index of no false positives

IOC / Other Infos

Sha256:

  • 248296cf75065c7db51a793816d388ad589127c40fddef276e622a160727ca29
  • 8b0ba2092bc7d030733bbc7d990d39f38352a4c50290208afe4e1364872807cfC

BreachFighter portal:

Share on

[juiz_sps buttons="facebook, twitter, linkedin, mail"]
Our Threat Intelligence team has two key missions: to study cyber threats in order to understand them, and to continuously improve the protection offered by Stormshield products. The goal in each case is to contribute to the cybersecurity community's effort to address cyber threats.
About the author
Elliot This Cybersecurity Engineer, Stormshield

Raised on Gameboy and horror movies, Elliot makes his first fork-bomb in college. Tired of having to disable his anti-virus to inject unknown dlls into Counter Strike, he unknowingly learns about computer security. After an unorthodox path of science, rootMe challenges and contract missions, he chooses the Blue team. With a Stormshield cap on his head, Elliot started working on the Endpoint branch as a cybersecurity engineer. Positioned on the security of the Breach Fighter tool, he contributes to the security policy of the Stormshield Endpoint Security Evolution solution. And as this is not enough, he is also a member of the Threat Intelligence team.