Understanding the Follina Vulnerability

On May 27, 2022, the public became aware of a remote code execution (RCE) vulnerability, known as Follina. Soon after its disclosure, experts observed several instances of exploitation.

Follina (CVE-2022-30190) is a vulnerability identified in the Microsoft Support Diagnostic Tool (MSDT), enabling RCE on all susceptible systems. The exploitation occurs via the ms-msdt protocol handler scheme.

To exploit Follina successfully, threat actors don’t require the use of macros to entice victims. Instead, they deploy a specially crafted Word Document.

This document, through Word’s template feature, downloads and loads a malicious HTML file. Consequently, threat actors gain the ability to execute PowerShell code within targeted Windows systems.

Microsoft has issued multiple workarounds and advisories to mitigate the vulnerability’s risk.

Functioning of the Follina Vulnerability

Upon the dissemination of this vulnerability’s details online, threat actors eagerly commenced the installation of their payloads.

For a successful Follina exploit, threat actors employ HTML documents executed under WinWord. The execution initiates the msdt.exe process as a child process.

Registry protocol handler entry enables these processes. Subsequently, Sdiagnhost.exe gets activated, the Scripted Diagnostics Native Host that facilitates the creation of the final payload—in Follina’s case, PowerShell.

AsyncRAT and Browser Infostealer via Follina Vulnerability

It has been observed that threat actors deployed a diverse range of payloads in successful exploitation instances. One instance involved deploying the remote access Trojan AsyncRAT, complete with a valid digital signature.

Upon execution, this trojan verifies the presence of antivirus software. However, its primary function is to gather various system information, such as operating system details, executed paths, usernames, hardware identification, and transmit it to a command-and-control (C&C) server.

Once its task is complete, the malware awaits further commands from the C&C server and executes them on the compromised system.

Another payload instance was a browser infostealer, targeting various browser data such as saved login credentials and cookies from browsers like Edge, Chrome, and Firefox.

Patching the Follina Vulnerability

While most exploits of the vulnerability occur through malicious documents, researchers have discovered alternative methods enabling successful Follina exploitation, including manipulation of HTML content in network traffic.

“While the malicious document approach is highly concerning, the less documented methods by which the exploit can be triggered are troubling until patched,” said Tom Hegel, senior threat researcher at security firm SentinelOne. “I would expect opportunistic and targeted threat actors to use this vulnerability in a variety of ways when the option is available—it’s just too easy.”

The Follina flaw was initially noticed in August 2020 by an undergraduate researcher and reported to Microsoft on April 21. The company has proposed mitigations, including using Microsoft Defender Antivirus for monitoring and blocking exploitation and disabling a specific protocol within the Support Diagnostic Tool.

Microsoft acknowledged that the vulnerability has been exploited and has already patched the issue. However, the company is yet to classify the vulnerability as a ‘zero-day’ or previously unknown vulnerability.

APT actors utilizing the vulnerability

More alarmingly, the Follina vulnerability has been observed as part of longer infection chains. For example, security firm Proofpoint observed Chinese APT actor TA413 sending malicious URLs disguised as emails from the Central Tibetan Administration.

The vulnerability has been employed at different stages in threat actor infection chains, depending on the tactics and toolkits used.

It has been used against numerous targets in Nepal, Belarus, the Philippines, India, and Russia. Proofpoint’s vice president of threat research, Sherrod DeGrippo, identified multiple instances of vulnerability exploitation within phishing campaigns.

The vulnerability affects all supported Windows versions, Office ProPlus, Office 2021, Office 2013 through 2019, and Microsoft Office 365, receiving a 7.8 CVSS score.

Government workers impacted by the vulnerability

In addition to targeting various entities across different countries, specialists report attacks on government workers leveraging this vulnerability.

State-sponsored hackers attempted to exploit the Follina vulnerability in Microsoft Office against U.S. and E.U government targets through a phishing campaign.

So far researchers have not identified which government was behind an attack.

Malicious emails of the phishing campaign contained alluring texts promising in fake recruitment pitches 20 percent boost in salary. To learn more recipients were urged to open an accompanying email attachment.

Sherrod DeGrippo, vice president of threat research at Proofpoint in Twitter tweeted about the similar incident where about 10 company’s customers received over 1,000 messages with the same text.

The post Attackers Exploit MSDT Follina Bug to Drop RAT appeared first on Gridinsoft Blog.

The RCE vulnerability identified as CVE-2022-21840 can be exploited on target devices with even the lowest privileges and in simple attacks that require user interaction. Basically, the user has to open a special Office document received from the attacker via mail or messenger. Fortunately, it is reported that the Outlook Preview Pane cannot be used as an attack vector.

Alas, renowned cybersecurity expert and CERT/CC analyst Will Dormann adds that the bug can be exploited through the Windows Explorer preview pane. That is, exploitation of the problem is still possible without direct user interaction and opening a malicious Office file. Instead, it is enough to select such a file in the explorer window with the preview pane turned on.

The salt of this situation is that Microsoft has already prepared patches for Microsoft 365 for Enterprise applications and Windows versions of Microsoft Office, but is still working on fixes that eliminate the vulnerability in macOS. Thus, Mac users using Microsoft Office LTSC for Mac 2021 and Microsoft Office 2019 for Mac will have to wait – there are no fixes for them yet, and the exact release dates have not been reported.

Bleeping Computer notes that in November 2021, Microsoft was also unable to promptly provide Apple users with patches for the actively exploited 0-day vulnerability in Excel. That bug allowed unauthenticated attackers to bypass security mechanisms and launch an attack that did not require user interaction.

Let me remind you that recently we also wrote that Vulnerability in macOS Leads to Data Leakage, as well as that Microsoft patches 117 vulnerabilities, including 9 zero-day vulnerabilities.

The post Critical vulnerability in Office fixed, but macOS update is delayed appeared first on Gridinsoft Blog.

This time, bugs were fixed in products such as Microsoft Office, SharePoint, Excel, Microsoft Exchange Server, Windows Defender, Windows kernel, Windows SMB, and so on.

44 vulnerabilities were associated with remote code execution, 32 with privilege escalation, 14 with information disclosure, 12 provoked denial of service, 8 allowed bypassing various security functions, and another 7 were associated with spoofing.

In addition, this month the company fixed nine zero-day vulnerabilities at once, four of which have already been used for attacks. The following 0-day issues have been fixed, but hackers haven’t used them yet:

• CVE-2021-34492: Certificate forgery vulnerability in Windows;
• CVE-2021-34523: Privilege escalation vulnerability in Microsoft Exchange Server;
• CVE-2021-34473: Remote Code Execution Vulnerability in Microsoft Exchange Server;
• CVE-2021-33779: Windows ADFS Bypass Vulnerability;
• CVE-2021-33781: Active Directory bypass vulnerability.

As for the bugs that hackers have already adopted, one of them is the PrintNightmare problem (CVE-2021-34527), which I described in detail earlier.

By the way, I also reported that Microsoft declares that Printnightmare patch works correctly.

And three other vulnerabilities under attack that were not previously known are:

• CVE-2021-33771: Windows Kernel Privilege Elevation Vulnerability;
• CVE-2021-34448: scripting engine vulnerability leading to information corruption in memory;
• CVE-2021-31979: A privilege escalation vulnerability in the Windows kernel.

Along with Microsoft, other companies have released updates to their products this week.

Patches released:

• Adobe;
• Apache Tomcat;
• Cisco;
• developers of SUSE, Oracle Linux and Red Hat;
• SAP;
• Schneider Electric;
• Siemens;
• VMware.

Let me remind you that a month ago Microsoft specialists also tried Six 0-day vulnerabilities fixed in Windows, including a commercial exploit issue.

The post Microsoft patches 117 vulnerabilities, including 9 zero-day vulnerabilities appeared first on Gridinsoft Blog.

Vulnerabilities that have been patched were found in Microsoft Office, .NET Core and Visual Studio, Edge browser, Windows Cryptographic Services, SharePoint, Outlook and Excel.

Six zero-day vulnerabilities that were already under attack were also addressed, with one of these problems clearly using a commercial exploit. The hackers were reported to have exploited the following bugs:

• CVE-2021-33742: Windows MSHTML Platform Remote Code Execution Vulnerability;
• CVE-2021-31955: Windows Kernel Information Disclosure Vulnerability;
• CVE-2021-31956: Windows NTFS Privilege Elevation Vulnerability;
• CVE-2021-31962: Kerberos AppContainer Bypass Vulnerability;
• CVE-2021-31199: Microsoft Enhanced Cryptographic Provider Privilege Escalation Vulnerability;
• CVE-2021-31201: Privilege escalation vulnerability in Microsoft Enhanced Cryptographic Provider.

Details of the vulnerabilities have not yet been disclosed to give users and administrators more time to install patches (before attackers could understand how these bugs can be exploited).

The fact that four of the six issues are privilege elevation vulnerabilities suggests that attackers may have exploited them as part of the infection chain to gain elevated permissions on target systems (to later execute malicious code or steal sensitive information).

However, a little more is known about the CVE-2021-33742 bug (an RCE vulnerability in the MSHTML component, which is part of the Internet Explorer browser). For example, Google analyst Shane Huntley writes on Twitter that this problem is not only used for attacks, but an exploit for it seems to have been developed by a professional commercial vulnerability broker. According to the expert, the exploit was used by government hackers to attack targets in Eastern Europe and in the Middle East.

Microsoft also writes that the patches for CVE-2021-31201 and CVE-2021-31199 are related to the RCE issue CVE-2021-28550, which was fixed by Adobe developers last month.

Traditionally, we note that “update Tuesday” affects not only Microsoft solutions. Other manufacturers have also released patches for their products this week.

Adobe: Announced updates for ten products, fixing 39 different bugs. First place went to After Effects with eight critical vulnerabilities that can be exploited to execute code (all rated 7.8 on the CVSS scale). Five critical issues have been fixed in Acrobat and Reader, all of which allow arbitrary code execution, and two critical flaws have been fixed in Photoshop.

Intel: Issued 29 security bulletins covering 79 different vulnerabilities. More than half of these problems were identified within the company, and another 40% were the result of the bug bounty program.

SAP: The company has submitted 17 security bulletins. Almost all of the bugs fixed were almost harmless, apart from a couple of major problems allowing remote code execution.

Android: Google has fixed over 50 vulnerabilities in its mobile OS, including several critical ones. The most serious of these, CVE-2021-0507, can be used for remote code execution. The bug affects Android 8.1, 9, 10 and 11, as well as another critical flaw, CVE-2021-0516, which can be used for privilege escalation.

Let me remind you that I talked about the fact that Hackers Bypass Firewalls Using Windows Feature.

The post Six 0-day vulnerabilities fixed in Windows, including a commercial exploit issue appeared first on Gridinsoft Blog.