CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability
Incident Report for Ascend Security Events
Resolved
Update: On 06/14 Microsoft released a patch to mitigate the risk of this vulnerability, dubbed Follina. For Ascend patching customers, this patch was applied during the regular patching window. For all non-patching customers, we recommend applying this patch as soon as possible.
Posted Jun 20, 2022 - 15:49 CDT
Monitoring
CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability


Description:
A Microsoft zero-day, which has been exploited in the wild since early April, was officially allocated CVE-2022-30190 as of May 30th, 2022.

This vulnerability dubbed Follina by threat researcher Kevin Beaumont is a remote code execution vulnerability that exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, delete data, or create new accounts in the context allowed by the user’s rights.

Huntress Labs reported that instead of using Word, using “Rich Text Format file (.rtf) could trigger the invocation of this exploit with just the Preview Pane within Windows Explorer. Much like CVE-2021-40444, this extends the severity of this threat by not just “single-click” to exploit, but potentially with a “zero-click” trigger.”

It is important to note that Microsoft has stated: “If the calling application is a Microsoft Office application, by default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office, both of which prevent the current attack.” This makes phishing simulations and training vital to protecting against this threat. End users' clicking habits and your security posture around phishing attempts are paramount in protecting organizations until a patch is readily available.


Simplified Explanation of How “Follina” works

A straightforward explanation of how the Microsoft Follina zero-day works:

· You open a booby-trapped… file
· The document references a regular-looking https: URL that gets downloaded
· This https: URL references an HTML file that contains some weird-looking JavaScript code
· That JavaScript references a URL with the unusual identifier ms-msdt: in place of https (in Windows, ms-msdt: is a proprietary URL type that launches the MSDT software toolkit…)
· The command line supplied to MSDT via the URL then causes it to run untrusted code.


Workarounds:

To disable the MSDT URL Protocol
Disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in System Settings as other or additional troubleshooters. Follow these steps to disable it:

1. Run Command Prompt as Administrator.
2. To back up the registry key, execute the command "reg export HKEY_CLASSES_ROOT\ms-msdt filename".
3. Execute the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f".


How to undo the workaround

1. Run Command Prompt as Administrator.
2. To restore the registry key from the backup, execute the command "reg import filename".
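The disable and undo steps above, wrapped in one script as an added example (not part of the Ascend advisory or Microsoft's guidance). It assumes an elevated PowerShell prompt; the backup path and the -Undo switch are my own choices, and the script verifies the key's state instead of trusting the exit code alone.

```powershell
# Added example: back up, remove, verify (or restore) the ms-msdt: protocol handler.
# Assumptions: run elevated; $BackupFile is any path you control.
param(
    [string]$BackupFile = "$env:ProgramData\ms-msdt-backup.reg",
    [switch]$Undo
)

$KeyPath = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

function Test-MsdtProtocolEnabled {
    # The ms-msdt: handler is active only while the HKCR key exists
    return (Test-Path -LiteralPath $KeyPath)
}

if ($Undo) {
    if (-not (Test-Path -LiteralPath $BackupFile)) {
        throw "No backup at $BackupFile; cannot restore the ms-msdt key."
    }
    # Same as step 2 of 'How to undo the workaround'
    reg.exe import $BackupFile
    if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }
    Write-Output "ms-msdt protocol enabled: $(Test-MsdtProtocolEnabled)"
    return
}

if (-not (Test-MsdtProtocolEnabled)) {
    Write-Output "ms-msdt key already absent; nothing to do."
    return
}

# Step 2: export the key before touching it so the change can be reverted (/y overwrites an old backup)
reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# Step 3: remove the handler so ms-msdt: links no longer launch MSDT
reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f
if ($LASTEXITCODE -ne 0) { throw "reg delete failed with exit code $LASTEXITCODE" }

# Confirm the key is really gone rather than relying on reg.exe's exit code
if (Test-MsdtProtocolEnabled) {
    throw "ms-msdt key still present after delete"
}
Write-Output "ms-msdt protocol disabled; backup saved to $BackupFile"
```

Run it once with no arguments to apply the workaround and again with -Undo after patching to put the key back.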

Microsoft Defender Detections & Protections
Customers with Microsoft Defender Antivirus should turn on cloud-delivered protection and automatic sample submission. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
Customers of Microsoft Defender for Endpoint can enable the attack surface reduction rule “BlockOfficeCreateProcessRule” that blocks Office apps from creating child processes. Creating malicious child processes is a common malware strategy. For more information see Attack surface reduction rules overview.
Microsoft Defender Antivirus provides detections and protections for possible vulnerability exploitation under the following signatures using detection build 1.367.719.0 or newer:
· Trojan:Win32/Mesdetty.A
· Trojan:Win32/Mesdetty.B
· Behavior:Win32/MesdettyLaunch.A
· Behavior:Win32/MesdettyLaunch.B
· Behavior:Win32/MesdettyLaunch.C
Microsoft Defender for Endpoint provides customers with detections and alerts. The following alert title in the Microsoft 365 Defender portal can indicate threat activity on your network:
· Suspicious behavior by an Office application
· Suspicious behavior by Msdt.exe
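A triage filter that looks for the two behaviours the Defender alerts above describe, as an added example that is not Microsoft's detection logic. It reads process-creation records (field names ParentImage, Image and CommandLine follow Sysmon Event ID 1; the sample records are constructed, and the troubleshooter id in them is a placeholder) and flags msdt.exe started by an Office application or started with an ms-msdt: URL.

```powershell
# Added example: flag Office -> msdt.exe process chains and ms-msdt: launches
# in process-creation records. Field names assume Sysmon; adjust for 4688 exports.
$OfficeProcesses = @('WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE')

function Find-MsdtAbuse {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $parent = [System.IO.Path]::GetFileName($Record.ParentImage).ToUpperInvariant()
        $image  = [System.IO.Path]::GetFileName($Record.Image).ToUpperInvariant()
        if ($image -ne 'MSDT.EXE') { return }   # only msdt.exe launches are of interest
        $reasons = @()
        if ($OfficeProcesses -contains $parent) {
            $reasons += 'Office application spawned msdt.exe'
        }
        if ($Record.CommandLine -match 'ms-msdt:') {
            $reasons += 'msdt.exe launched via ms-msdt: URL'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time        = $Record.UtcTime
                Parent      = $parent
                CommandLine = $Record.CommandLine
                Reason      = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample records: a benign troubleshooter launch from Explorer and a
# suspicious chain from Word (the troubleshooter id is a placeholder, not a real one)
$Sample = @(
    [pscustomobject]@{ UtcTime = '2022-05-31 10:01:00'
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Windows\System32\msdt.exe'
        CommandLine = 'msdt.exe -id NetworkDiagnosticsWeb' }
    [pscustomobject]@{ UtcTime = '2022-05-31 10:02:00'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\System32\msdt.exe'
        CommandLine = 'msdt.exe ms-msdt:/id PLACEHOLDER-TROUBLESHOOTER' }
)

# Only the second record is reported, with both reasons attached
$Sample | Find-MsdtAbuse | Format-Table -AutoSize
```

Feed real records with Import-Csv (or Get-WinEvent converted to objects with the same three fields) in place of $Sample.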



Ascend Actions / Recommendations

· Using Microsoft’s updated definitions and detection capability for this vulnerability, we have added this threat intel to our other products and investigation tactics.

· As known IOCs become available, we will integrate them into our processes, blocklists, and detection rules throughout our platforms.

· Ascend will continue to follow the situation and further communication will be made when a patch is made available from Microsoft.


Resources:

https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug



Author:
Jeff Frickel
Posted May 31, 2022 - 11:58 CDT