Background
Microsoft recently published an advisory on a newly identified zero-day vulnerability that affects Microsoft Support Diagnostic Tool (MSDT). CVE-2022-30190, which is being exploited in the wild, has been dubbed Follina by industry researcher Kevin Beaumont.
What is Follina?
Follina (CVE-2022-30190) is a zero-day vulnerability affecting the Microsoft Support Diagnostic Tool (MSDT). Since Microsoft made Office applications block macros in files downloaded from the internet by default, threat actors have turned to novel techniques to weaponize Office documents.
MSDT is an application that automatically collects diagnostic information and sends it to Microsoft when Windows experiences an issue. A remote code execution (RCE) vulnerability exists when MSDT is invoked through its URL protocol from a calling application such as Word: a threat actor who successfully exploits it can run arbitrary code with the privileges of the calling application. This allows the threat actor to install programs, view, change or delete data, or create new accounts. Although the code executes locally on the victim's machine, the threat actor can interact with it remotely.
Security researchers at Nao_sec identified a Word document in the wild that exploits CVE-2022-30190, and Kevin Beaumont provided an explanation of how the exploit works. To exploit CVE-2022-30190, a threat actor sends a malicious document, likely delivered via spearphishing, to a victim. The document contains an ordinary-looking https: URL that is fetched when the document is opened. That URL points to an HTML file containing JavaScript, which in turn references another URL that uses the ms-msdt: scheme in place of https:. URLs beginning with ms-msdt: launch MSDT, and in this case the command line passed to MSDT causes it to run untrusted code. Threat actors have crafted parameters that use /skip and /force to drive the MSDT troubleshooter without user interaction and to invoke a PowerShell script, which can be supplied in obfuscated form within the command line. Threat actors can also use an RTF file instead of an Office file for the exploit; when an RTF is used, simply previewing the document in the preview pane of Windows Explorer can trigger the exploit.
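The two stages of the delivery chain described above leave inspectable artifacts: an external relationship inside the Office document that pulls a remote HTML file, and an ms-msdt: URL inside that HTML. The following Python scanner is an added example for this write-up, not code from PolySwarm, Nao_sec or Microsoft. It builds a minimal .docx-like archive in memory with one external OLE object relationship pointing at a placeholder URL, plus a constructed HTML snippet containing a placeholder ms-msdt: URL, and flags both. The relationship-type constant and the assumption that the fetched HTML is supplied by the analyst (the script never retrieves anything from the network) are the author's, not the page's.

```python
"""Triage helper for the CVE-2022-30190 (Follina) delivery chain.

Added example for this write-up; not code from PolySwarm, Nao_sec or Microsoft.
Stage 1: list external relationships in a .docx (remote OLE objects in particular).
Stage 2: find ms-msdt: URLs in HTML/JavaScript an analyst has already fetched.
All sample data below is constructed and contains placeholders, not a payload.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

RELS_PATH = "word/_rels/document.xml.rels"
# Relationship type Word uses for embedded/linked OLE objects (assumed constant).
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

# A URL with the ms-msdt: scheme, read up to the closing quote or tag bracket.
MSDT_URL_RE = re.compile(r"ms-msdt:[^\"'<>\n]*", re.IGNORECASE)
# Tokens the write-up associates with the weaponized MSDT command line.
SUSPICIOUS_TOKENS = ("/skip", "/force", "powershell")


def external_targets(docx_bytes: bytes) -> List[Dict]:
    """Return every relationship in the main document part that points outside the file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PATH not in zf.namelist():
            return findings
        root = ET.fromstring(zf.read(RELS_PATH))
        for rel in root.iter():
            # Tags are namespaced ({ns}Relationship); the root is {ns}Relationships.
            if not rel.tag.endswith("Relationship"):
                continue
            if rel.get("TargetMode", "Internal") != "External":
                continue
            target = rel.get("Target", "")
            findings.append({
                "id": rel.get("Id"),
                "target": target,
                # An OLE object loaded from a remote http(s) URL matches the
                # document structure described for the Follina samples.
                "remote_ole": rel.get("Type") == OLE_REL_TYPE
                and target.lower().startswith(("http://", "https://")),
            })
    return findings


def msdt_urls(html: str) -> List[Dict]:
    """Find ms-msdt: URLs in fetched HTML/JavaScript and note the tokens they carry."""
    results = []
    for match in MSDT_URL_RE.finditer(html):
        url = match.group(0)
        lowered = url.lower()
        results.append({"url": url,
                        "tokens": [t for t in SUSPICIOUS_TOKENS if t in lowered]})
    return results


def assess(docx_bytes: bytes, fetched_html: str) -> Dict:
    """Combine both stages into one triage verdict."""
    rels = external_targets(docx_bytes)
    urls = msdt_urls(fetched_html)
    return {
        "remote_ole_relationships": [r for r in rels if r["remote_ole"]],
        "msdt_urls": urls,
        "suspicious": any(r["remote_ole"] for r in rels) and bool(urls),
    }


def build_sample_docx() -> bytes:
    """Constructed minimal archive: one normal relationship, one external OLE link."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" Target="https://example.invalid/placeholder.html" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")  # placeholder body
        zf.writestr(RELS_PATH, rels)
    return buf.getvalue()


# Constructed HTML with a placeholder ms-msdt: URL (EXAMPLE_ID and the /param value are not real).
SAMPLE_HTML = """<html><body><script>
window.location.href = "ms-msdt:/id EXAMPLE_ID /skip force /param POWERSHELL_PLACEHOLDER";
</script></body></html>"""

if __name__ == "__main__":
    verdict = assess(build_sample_docx(), SAMPLE_HTML)
    for rel in verdict["remote_ole_relationships"]:
        print(f"remote OLE relationship {rel['id']} -> {rel['target']}")
    for hit in verdict["msdt_urls"]:
        print(f"ms-msdt URL: {hit['url']} tokens={hit['tokens']}")
    print("suspicious:", verdict["suspicious"])
```

On real samples, run `external_targets` over the document first; an external OLE relationship alone is enough to quarantine the file for analysis, and `msdt_urls` is then run over the HTML retrieved from that target in a sandboxed environment.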
According to Proofpoint, the Chinese threat actor group TA413 has been observed exploiting CVE-2022-30190. The group is using URLs to deliver Zip archives containing Word documents that use the technique described above. Security researcher Cas van Cooten has made a proof of concept (POC) using the technique available on GitHub.
Mitigation
In its advisory, Microsoft offered a temporary workaround for the vulnerability.
According to Microsoft, disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links throughout the operating system. This can be done using the following steps:
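As an added illustration for this write-up (not a script from PolySwarm or from Microsoft's advisory), the following PowerShell applies the registry workaround Microsoft published: it backs up the ms-msdt protocol handler key, deletes it, and verifies the result so the change can be reverted once a patch is installed. The backup path under ProgramData is an assumption; the key name and reg.exe commands are the ones Microsoft's workaround uses.

```powershell
# Added example: disable the MSDT URL protocol handler (CVE-2022-30190 workaround).
# Run from an elevated (Administrator) PowerShell session.

$KeyPath = 'HKEY_CLASSES_ROOT\ms-msdt'
$Backup  = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # assumed backup location

if (-not (Test-Path "Registry::$KeyPath")) {
    Write-Host "ms-msdt protocol handler not present; nothing to do."
    return
}

# 1. Back up the key so the workaround can be undone after patching.
reg.exe export $KeyPath $Backup /y
if ($LASTEXITCODE -ne 0) { throw "Backup of $KeyPath failed; key not deleted." }

# 2. Remove the handler so ms-msdt: links no longer launch MSDT.
reg.exe delete $KeyPath /f
if ($LASTEXITCODE -ne 0) { throw "Deletion of $KeyPath failed." }

# 3. Verify the handler is gone.
if (Test-Path "Registry::$KeyPath") { throw "$KeyPath is still present." }
Write-Host "ms-msdt URL protocol disabled. Backup saved to $Backup"

# To restore once the fix is installed:  reg.exe import $Backup
```

With the key removed, troubleshooters can no longer be started from links anywhere in the operating system, which is the side effect Microsoft notes; launching them from the Get Help application or Settings is unaffected.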
IOCs
PolySwarm has multiple samples of CVE-2022-30190-related exploits.
fe300467c2714f4962d814a34f8ee631a51e8255b9c07106d44c6a1f1eda7a45
710370f6142d945e142890eb427a368bfc6c5fe13a963f952fb884c38ef06bfa
PolySwarm is monitoring for additional exploits leveraging the Follina vulnerability and will make them available in our portal.
You can use the following CLI command to search for all Follina samples available in our portal:
$ polyswarm link list -f Follina