Microsoft Office Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/microsoft-office/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Feed last updated: Fri, 05 Jan 2024 04:34:05 +0000

Attackers Exploit MSDT Follina Bug to Drop RAT
https://gridinsoft.com/blogs/threat-actors-exploit-msdt-follina-bug-to-drop-rat-and-infostealer/
Thu, 09 Jun 2022 10:09:21 +0000

Security researchers are warning about active exploitation of the recently disclosed Follina bug, which affects all supported versions of Windows. Threat actors have used the vulnerability to install payloads such as the AsyncRAT trojan and a browser infostealer.

Understanding the Follina Vulnerability

On May 27, 2022, details of a remote code execution (RCE) vulnerability, now known as Follina, became public. Exploitation attempts were observed soon after the disclosure.

Follina (CVE-2022-30190) is a vulnerability in the Microsoft Support Diagnostic Tool (MSDT) that allows RCE on vulnerable systems. It is triggered through the ms-msdt: URL protocol handler, which launches msdt.exe with attacker-controlled parameters.

To exploit Follina, attackers do not need to persuade victims to enable macros. Instead, they deliver a specially crafted Word document.

The document uses Word's remote template feature to fetch and load an HTML file from an attacker-controlled server. That HTML invokes the ms-msdt: handler, which ends up running attacker-supplied PowerShell on the target Windows system; the only user interaction required is opening the document.
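The delivery mechanism described above leaves a static trace in the document itself: the remote template is declared as an external relationship inside the .docx archive, and the HTML it fetches carries the ms-msdt: URI. The following triage script is an added example written for this post (it is not code from the Gridinsoft article or from any tool it mentions); it opens a .docx as a ZIP, checks word/_rels/settings.xml.rels for an attachedTemplate relationship pointing at an http(s) URL, and separately scans fetched content for ms-msdt: URIs. The sample document and HTML are constructed in memory, and the template URL is a placeholder, not a real indicator.

```python
"""Static triage of a .docx for a remote (attached) template and of fetched
content for ms-msdt: URIs, as used in the Follina lure documents.

Added example, not code from the original post. A .docx is a ZIP archive; an
attached template is declared in word/_rels/settings.xml.rels as a
Relationship whose Type is the attachedTemplate relationship type. A local
template is normal; one fetched over HTTP with TargetMode="External" is the
Follina delivery mechanism (a corporate template server would match too, so
treat a hit as a triage signal, not a verdict).
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
SETTINGS_RELS = "word/_rels/settings.xml.rels"
# The ms-msdt: URI is normally a quoted JavaScript string, so stop at a quote.
MSDT_URI = re.compile(b"ms-msdt:[^\"']+", re.IGNORECASE)


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return the http(s) attached-template targets declared in the document."""
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return hits  # no settings relationships at all: no template reference
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.iter("{%s}Relationship" % REL_NS):
            if rel.get("Type") != ATTACHED_TEMPLATE_TYPE:
                continue
            target = rel.get("Target", "")
            if rel.get("TargetMode") == "External" and re.match(r"(?i)https?://", target):
                hits.append(target)
    return hits


def find_msdt_uris(content: bytes) -> List[str]:
    """Return ms-msdt: URIs in fetched content such as the remote template HTML."""
    return [m.decode("utf-8", "replace") for m in MSDT_URI.findall(content)]


def build_sample_docx(template_url: Optional[str]) -> bytes:
    """Construct a minimal docx-like archive for the demo (constructed test data)."""
    rels = ['<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
            '<Relationships xmlns="%s">' % REL_NS]
    if template_url is not None:
        rels.append('<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
                    % (ATTACHED_TEMPLATE_TYPE, template_url))
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", '<?xml version="1.0"?><document/>')
        zf.writestr(SETTINGS_RELS, "".join(rels))
    return buf.getvalue()


# Constructed stand-in for the HTML a lure's remote template would return;
# the parameter names mirror the public proof of concept, the payload is elided.
SAMPLE_HTML = (
    b"<html><body><script>"
    b"window.location.href = \"ms-msdt:/id PCWDiagnostic /skip force /param "
    b"IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression(...))\";"
    b"</script></body></html>"
)

if __name__ == "__main__":
    print(find_remote_templates(build_sample_docx("http://template.example/lure.html")))
    print(find_remote_templates(build_sample_docx(None)))
    print(find_msdt_uris(SAMPLE_HTML))
```

Run it against a suspicious attachment by passing the file's bytes to find_remote_templates; if it reports an http(s) target, fetch that URL from a sandbox (never from the analyst workstation) and pass the response body to find_msdt_uris.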

Microsoft has published workarounds and advisories to reduce the risk while a patch was being prepared.

How the Follina Vulnerability Works

Once details of the vulnerability were published online, threat actors quickly began using it to deliver their payloads.

In a successful Follina exploit, the HTML fetched by Word (winword.exe) triggers the ms-msdt: handler, so msdt.exe appears as a child process of winword.exe.


The handler is registered in the registry (the ms-msdt key under HKEY_CLASSES_ROOT), which is what allows Word to launch msdt.exe. msdt.exe in turn activates sdiagnhost.exe, the Scripted Diagnostics Native Host, which runs the troubleshooter's PowerShell script; this is where the attacker's PowerShell is ultimately executed.
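The process chain above is what a detection engineer would key on: an Office application spawning msdt.exe, an msdt.exe command line carrying an ms-msdt: URI with the troubleshooter parameters the public proof of concept abused, and sdiagnhost.exe spawning anything other than its console host. The rules below are an added example written for this post (not code from the Gridinsoft article or any product it mentions) and run over constructed events shaped like Sysmon Event ID 1 records as they would arrive in a SIEM; paths, PIDs and command lines are illustrative. One assumption is built in: sdiagnhost.exe is started through COM rather than as a direct child of msdt.exe, so the rules do not require an msdt.exe to sdiagnhost.exe parent link and instead watch what sdiagnhost.exe itself spawns.

```python
"""Flagging the Follina process chain in process-creation telemetry.

Added example, not code from the original post. Events are dicts with the
Sysmon Event ID 1 field names Image, ParentImage, CommandLine and ProcessId.
"""
import re
from typing import Dict, List, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# conhost.exe is the normal child of sdiagnhost.exe; anything else deserves a look.
EXPECTED_SDIAGNHOST_CHILDREN = {"conhost.exe"}
MSDT_SCHEME = re.compile(r"ms-msdt:", re.IGNORECASE)
# The public proof of concept smuggled its payload through these parameters.
BROWSE_PARAM = re.compile(r"IT_(?:Re)?BrowseForFile=", re.IGNORECASE)

Event = Dict[str, object]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, e.g. 'WINWORD.EXE' -> 'winword.exe'."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: Event) -> List[str]:
    """Return the detection names that fire for one process-creation event."""
    image = basename(str(event["Image"]))
    parent = basename(str(event["ParentImage"]))
    cmd = str(event.get("CommandLine", ""))
    findings: List[str] = []
    if image == "msdt.exe" and parent in OFFICE_APPS:
        findings.append("office-spawned-msdt")
    # Requiring both the URI scheme and the parameter avoids alerting on a
    # user legitimately launching the PCWDiagnostic troubleshooter.
    if image == "msdt.exe" and MSDT_SCHEME.search(cmd) and BROWSE_PARAM.search(cmd):
        findings.append("msdt-uri-with-browseforfile")
    if parent == "sdiagnhost.exe" and image not in EXPECTED_SDIAGNHOST_CHILDREN:
        findings.append("sdiagnhost-spawned-" + image)
    return findings


def detect(events: List[Event]) -> List[Tuple[int, str]]:
    """Run every rule over every event; return (ProcessId, detection) pairs."""
    return [(int(e["ProcessId"]), f) for e in events for f in classify(e)]


OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS: List[Event] = [  # constructed telemetry, not a captured incident
    {"ProcessId": 4100, "Image": OFFICE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"%s" /n "C:\\Users\\a\\Downloads\\offer.docx"' % OFFICE},
    {"ProcessId": 4212, "Image": r"C:\Windows\System32\msdt.exe", "ParentImage": OFFICE,
     "CommandLine": r'"C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force '
                    r'/param "IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu '
                    r'IT_BrowseForFile=$(Invoke-Expression(...))"'},
    {"ProcessId": 4290, "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\sdiagnhost.exe", "CommandLine": "conhost.exe 0x4"},
    {"ProcessId": 4300, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\sdiagnhost.exe",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden"},
    {"ProcessId": 5000, "Image": r"C:\Windows\System32\msdt.exe",  # benign troubleshooter
     "ParentImage": r"C:\Windows\System32\control.exe",
     "CommandLine": r'"C:\Windows\system32\msdt.exe" -id DeviceDiagnostic'},
]

if __name__ == "__main__":
    for pid, finding in detect(SAMPLE_EVENTS):
        print(pid, finding)
```

The first rule alone is close to the Attack Surface Reduction rule "Block all Office applications from creating child processes"; the second and third catch variants where the Office parent is missing, such as the preview-pane and other triggers mentioned below.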

AsyncRAT and Browser Infostealer via Follina Vulnerability

Threat actors have been observed dropping a range of payloads after successful exploitation. In one case the payload was the AsyncRAT remote access trojan, carrying a valid digital signature.


On execution the trojan checks for installed antivirus software. Its main job, however, is to collect system information (operating system details, its own execution path, username, hardware identifiers) and send it to a command-and-control (C&C) server.


It then waits for commands from the C&C server and executes them on the compromised host.

Another observed payload was a browser infostealer that harvests saved login credentials and cookies from browsers such as Edge, Chrome and Firefox.

Patching the Follina Vulnerability

While most exploitation has been through malicious documents, researchers have found other ways to trigger Follina, including manipulating HTML content in network traffic.

“While the malicious document approach is highly concerning, the less documented methods by which the exploit can be triggered are troubling until patched,” said Tom Hegel, senior threat researcher at security firm SentinelOne. “I would expect opportunistic and targeted threat actors to use this vulnerability in a variety of ways when the option is available—it’s just too easy.”

The underlying flaw was first noted in August 2020 by an undergraduate researcher and was reported to Microsoft in April 2022. Microsoft proposed mitigations: using Microsoft Defender Antivirus to detect and block exploitation attempts, and disabling the MSDT URL protocol by deleting the ms-msdt key under HKEY_CLASSES_ROOT (after exporting it so it can be restored once the system is patched).


Microsoft has acknowledged in-the-wild exploitation and has since released a fix in the June 2022 Patch Tuesday updates, although it has not classified the flaw as a zero-day (a previously unknown vulnerability).

APT actors utilizing the vulnerability

More worryingly, Follina has been observed as part of longer infection chains. Proofpoint, for example, saw the Chinese APT actor TA413 sending emails impersonating the Central Tibetan Administration that contained malicious URLs.

The vulnerability has been employed at different stages in threat actor infection chains, depending on the tactics and toolkits used.


Exploitation has been seen against targets in Nepal, Belarus, the Philippines, India and Russia. Proofpoint's vice president of threat research, Sherrod DeGrippo, reported multiple instances of the vulnerability being used in phishing campaigns.

The vulnerability affects all supported Windows versions together with Office ProPlus, Office 2021, Office 2013 through 2019 and Microsoft Office 365; it carries a CVSS score of 7.8.

Government workers impacted by the vulnerability

Besides the targets in the countries listed above, researchers report attacks on government workers leveraging this vulnerability.

State-sponsored attackers attempted to exploit Follina in Microsoft Office against U.S. and EU government targets through a phishing campaign.

Researchers have not yet attributed the attack to a specific government.

Figure: emails sent in a phishing campaign to government workers.

The phishing emails used a fake recruitment pitch promising a 20 percent salary increase and urged recipients to open the attached document to learn more.

Sherrod DeGrippo noted on Twitter that around 10 Proofpoint customers received more than 1,000 messages with the same text.

Critical vulnerability in Office fixed, but macOS update is delayed
https://gridinsoft.com/blogs/critical-vulnerability-in-office/
Wed, 12 Jan 2022 23:25:48 +0000

As part of the January 2022 Patch Tuesday, Microsoft fixed a critical vulnerability in Office that could allow attackers to execute malicious code remotely on vulnerable systems.

The RCE vulnerability, tracked as CVE-2022-21840, can be exploited from the lowest privilege level in a low-complexity attack that requires user interaction: the victim has to open a specially crafted Office document received from the attacker, for example by email or messenger. Fortunately, Microsoft reports that the Outlook Preview Pane is not an attack vector.

Microsoft explains: "In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted file to a user and persuading the victim to open it. If we are talking about an attack scenario over the Internet, then an attacker can create a site (or use a compromised site that accepts or hosts user-generated content) containing a specially prepared file designed to exploit the vulnerability."

However, CERT/CC analyst Will Dormann adds that the bug can be exploited through the Windows Explorer preview pane. Exploitation is therefore still possible without the user opening the malicious Office file: selecting the file in an Explorer window with the preview pane enabled is enough.

The irony is that Microsoft has already prepared patches for Microsoft 365 Apps for enterprise and the Windows versions of Microsoft Office, but is still working on fixes for macOS. Users of Microsoft Office LTSC for Mac 2021 and Microsoft Office 2019 for Mac will have to wait: there are no fixes for them yet, and no release date has been announced.

Bleeping Computer notes that in November 2021 Microsoft was likewise unable to promptly deliver patches to Apple users for an actively exploited zero-day in Excel. That bug allowed unauthenticated attackers to bypass security mechanisms in an attack that required no user interaction.

See also our recent posts: Vulnerability in macOS Leads to Data Leakage, and Microsoft patches 117 vulnerabilities, including 9 zero-day vulnerabilities.

Microsoft patches 117 vulnerabilities, including 9 zero-day vulnerabilities
https://gridinsoft.com/blogs/microsoft-patches-117-vulnerabilities/
Wed, 14 Jul 2021 13:54:04 +0000

As part of the July 2021 Patch Tuesday, Microsoft released patches for 117 vulnerabilities, 13 of them rated critical. The July batch is twice as large as the May and June Patch Tuesdays combined.

This time, bugs were fixed in products including Microsoft Office, SharePoint, Excel, Microsoft Exchange Server, Windows Defender, the Windows kernel and Windows SMB.

44 of the vulnerabilities allow remote code execution, 32 privilege escalation, 14 information disclosure, 12 denial of service, 8 security feature bypass and 7 spoofing.

In addition, Microsoft fixed nine zero-day vulnerabilities this month, four of which were already being exploited. The following zero-days were publicly disclosed but have not yet been seen in attacks:

  • CVE-2021-34492: Windows certificate spoofing vulnerability;
  • CVE-2021-34523: Privilege escalation vulnerability in Microsoft Exchange Server;
  • CVE-2021-34473: Remote Code Execution Vulnerability in Microsoft Exchange Server;
  • CVE-2021-33779: Windows ADFS security feature bypass vulnerability;
  • CVE-2021-33781: Active Directory security feature bypass vulnerability.

As for the bugs already exploited in the wild, one of them is PrintNightmare (CVE-2021-34527), which I described in detail earlier.

By the way, I also reported that Microsoft declares that Printnightmare patch works correctly.

The other three vulnerabilities under attack, which were not previously public, are:

  • CVE-2021-33771: Windows Kernel Privilege Elevation Vulnerability;
  • CVE-2021-34448: scripting engine memory corruption vulnerability;
  • CVE-2021-31979: A privilege escalation vulnerability in the Windows kernel.

Along with Microsoft, other vendors have also released updates for their products this week.


Let me remind you that a month ago we also wrote that Six 0-day vulnerabilities were fixed in Windows, including a commercial exploit issue.

Six 0-day vulnerabilities fixed in Windows, including a commercial exploit issue
https://gridinsoft.com/blogs/six-0-day-vulnerabilities-fixed-in-windows/
Wed, 09 Jun 2021 19:12:23 +0000

As part of the June 2021 Patch Tuesday, Microsoft fixed 50 vulnerabilities in its products, including six zero-day vulnerabilities in Windows.

The patched vulnerabilities affect Microsoft Office, .NET Core and Visual Studio, the Edge browser, Windows Cryptographic Services, SharePoint, Outlook and Excel.

Six zero-day vulnerabilities that were already under attack were also addressed, and one of them was clearly being exploited with a commercially developed exploit. The following bugs were reported as exploited:

  • CVE-2021-33742: Windows MSHTML Platform Remote Code Execution Vulnerability;
  • CVE-2021-31955: Windows Kernel Information Disclosure Vulnerability;
  • CVE-2021-31956: Windows NTFS Privilege Elevation Vulnerability;
  • CVE-2021-31962: Kerberos AppContainer Bypass Vulnerability;
  • CVE-2021-31199: Microsoft Enhanced Cryptographic Provider Privilege Escalation Vulnerability;
  • CVE-2021-31201: Microsoft Enhanced Cryptographic Provider Privilege Escalation Vulnerability.

Technical details of the vulnerabilities have not yet been disclosed, giving users and administrators time to install the patches before attackers can work out how the bugs are exploited.

Three of the six issues are privilege elevation vulnerabilities, which suggests attackers chained them within an infection chain to gain elevated permissions on target systems (in order to execute malicious code or steal sensitive information afterwards).

A little more is known about CVE-2021-33742, an RCE vulnerability in the MSHTML component (the rendering engine of Internet Explorer, also embedded by other Windows applications). Google analyst Shane Huntley wrote on Twitter that the bug is not only being used in attacks, but that the exploit appears to have been developed by a professional commercial exploit broker. According to him, the exploit was used by government-backed hackers against targets in Eastern Europe and the Middle East.

Microsoft also notes that the patches for CVE-2021-31201 and CVE-2021-31199 are related to the RCE issue CVE-2021-28550, which Adobe fixed last month.

As usual, Patch Tuesday is not only about Microsoft: other vendors have also released patches for their products this week.

Adobe: released updates for ten products, fixing 39 bugs. After Effects topped the list with eight critical vulnerabilities that can be exploited to execute code (all rated 7.8 on the CVSS scale). Five critical issues, all allowing arbitrary code execution, were fixed in Acrobat and Reader, and two critical flaws in Photoshop.

Intel: issued 29 security bulletins covering 79 vulnerabilities. More than half of them were found internally, and roughly 40% came through the bug bounty program.

SAP: published 17 security bulletins. Almost all of the fixed bugs are minor, apart from a couple of serious issues allowing remote code execution.

Android: Google fixed over 50 vulnerabilities in its mobile OS, including several critical ones. The most serious, CVE-2021-0507, can be used for remote code execution and affects Android 8.1, 9, 10 and 11. Another critical flaw, CVE-2021-0516, can be used for privilege escalation.

Let me remind you that I also wrote about how Hackers Bypass Firewalls Using Windows Feature.
