CVE-2022-30190 (Follina): What is it & How to Prevent it
On Monday, May 30, Microsoft issued CVE-2022-30190, “Follina”, a zero-day remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT). It is being actively exploited in the wild (ITW), with no official patch yet (as of June 7th). Here’s what we know about why it’s so powerful, how it works, and Microsoft’s workaround.
What’s Different About Follina?
Follina is ranked at 7.8, or high severity, by the National Vulnerability Database (NVD). It is a new exploit that has never been used before, with no available patches as of June 7th. Follina takes advantage of Word’s remote template feature, which allows retrieval of an HTML file from a remote server, where PowerShell or other scripts can be executed. This exploit has a broad-reaching impact on “ordinary” users. The only two qualifiers (currently) are:
- You are a Microsoft Windows user
- You preview, open, or download this Word doc.
It’s pretty easy for anyone to get caught by it.
In recent history, Microsoft Office exploits have happened through macros, scripts that automate tasks in Microsoft Office. Simply opening documents in Protected Mode disables the macros, keeping the user protected. But Protected Mode has no impact on this particular exploit.
Hackers are using MSDT to gain remote access and run their code. All versions of Windows have MSDT, including the most recent version, 11. It’s been uncovered that Windows users attempted to notify Microsoft of the vulnerability for 22 months but were disregarded.
How Does Follina Work?
So far, all the attacks reported have been delivered through a phishing email. The target receives an innocuous-looking email with a Word document attached or linked. The target attempts to open, download, or preview the Word document.
The MSDT troubleshooting window pops up with a message about program compatibility. Once this happens, you are already hacked.
While the MSDT tool runs, Microsoft Word uses a file protocol handler to reach out to an external reference staged with an HTML payload. Remote code is executed, giving the hacker direct access to the target’s systems through a reverse shell. The hacker can now run PowerShell commands or command prompt commands or launch a reverse shell remotely from the target’s PC.
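To triage a suspicious attachment for the kind of external reference described above without opening it in Word, the following added example (not from the original article) lists every non-hyperlink external relationship inside an Office Open XML file. The function name, sample file and `example.invalid` URLs are constructed for illustration.

```powershell
# Added example: list references that Word resolves by itself from inside
# an Office Open XML document (.docx is a ZIP archive of XML parts).
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-ExternalOfficeReference {  # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead((Resolve-Path -LiteralPath $Path).ProviderPath)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.FullName -notlike '*.rels') { continue }
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { $rels = [xml]$reader.ReadToEnd() } finally { $reader.Dispose() }
            foreach ($rel in $rels.Relationships.Relationship) {
                # Hyperlinks need a click; other external targets are fetched by Word.
                if ($rel.TargetMode -eq 'External' -and $rel.Type -notlike '*/hyperlink') {
                    [pscustomobject]@{ Part = $entry.FullName; Type = ($rel.Type -split '/')[-1]; Target = $rel.Target }
                }
            }
        }
    } finally { $zip.Dispose() }
}

# Constructed sample: a minimal archive holding one relationship part.
$relsXml = @'
<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" TargetMode="External"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
    Target="https://example.invalid/page"/>
  <Relationship Id="rId2" TargetMode="External"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
    Target="https://example.invalid/template.dotm"/>
</Relationships>
'@
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'constructed-sample.docx'
$fs  = [System.IO.File]::Create($sample)
$arc = New-Object System.IO.Compression.ZipArchive($fs, [System.IO.Compression.ZipArchiveMode]::Create)
$w   = New-Object System.IO.StreamWriter($arc.CreateEntry('word/_rels/settings.xml.rels').Open())
$w.Write($relsXml); $w.Dispose(); $arc.Dispose(); $fs.Dispose()

Get-ExternalOfficeReference -Path $sample | Format-Table -AutoSize
Remove-Item -LiteralPath $sample
```

On the constructed sample only the `attachedTemplate` entry is reported; the hyperlink is skipped because Word does not fetch it without a click.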
Here’s how Microsoft describes it:
A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, delete data, or create new accounts in the context allowed by the user’s rights.
Once the hacker gains control, they can move through the system laterally, escalate privileges, plant trojan horses, etc.
The exploit has been found on the latest version, Microsoft Windows 11; there does not appear to be a version safe from it.
But there is a workaround!
How to Prevent Follina From Happening
Until an official patch comes out, Microsoft recommends disabling the MSDT URL Protocol. Disabling the MSDT URL protocol prevents troubleshooters from being launched as links and protects your PC from Follina taking root. Follow these steps to disable the MSDT URL protocol:
- Run Command Prompt as Administrator.
- To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”
- Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
How to undo the workaround
- Run Command Prompt as Administrator.
- To restore the registry key, execute the command “reg import filename”
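The backup, delete and restore steps above can be wrapped so that the key is never deleted without a verified backup. This is an added example, not Microsoft's or the article's own script; the default backup path and the `-Action` parameter are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: the article's backup/delete/restore steps with checks around them.
param(
    [ValidateSet('Status', 'Disable', 'Restore')][string]$Action = 'Status',
    # Assumed backup location; the article only says "filename".
    [string]$BackupFile = (Join-Path $env:ProgramData 'ms-msdt-backup.reg')
)
$RegKey  = 'HKEY_CLASSES_ROOT\ms-msdt'
$KeyPath = "Registry::$RegKey"

function Get-MsdtHandlerStatus {
    if (Test-Path -LiteralPath $KeyPath) { 'present' } else { 'absent' }
}

function Disable-MsdtHandler {
    if ((Get-MsdtHandlerStatus) -eq 'absent') { return 'already absent, nothing to do' }
    # Never overwrite an earlier backup: it may be the only copy of the key.
    if (Test-Path -LiteralPath $BackupFile) { throw "Backup already exists: $BackupFile" }
    & reg.exe export $RegKey $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $BackupFile)) {
        throw 'reg export failed; key left in place'
    }
    # Refuse to delete unless the export really contains the key.
    if (-not (Get-Content -LiteralPath $BackupFile -Raw).Contains("[$RegKey")) {
        throw 'backup does not contain the ms-msdt key; key left in place'
    }
    & reg.exe delete $RegKey /f | Out-Null
    if ((Get-MsdtHandlerStatus) -eq 'present') { throw 'reg delete failed' }
    "handler removed, backup at $BackupFile"
}

function Restore-MsdtHandler {
    if (-not (Test-Path -LiteralPath $BackupFile)) { throw "No backup at $BackupFile" }
    & reg.exe import $BackupFile
    if ($LASTEXITCODE -ne 0 -or (Get-MsdtHandlerStatus) -eq 'absent') {
        throw 'reg import failed'
    }
    'handler restored'
}

switch ($Action) {
    'Status'  { "ms-msdt handler: $(Get-MsdtHandlerStatus)" }
    'Disable' { Disable-MsdtHandler }
    'Restore' { Restore-MsdtHandler }
}
```

Run without arguments, the script only reports whether the `ms-msdt` handler is present, which makes it usable as a compliance check across endpoints.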
Protect From Future Follina-like Attacks With This 3-Pronged Security Strategy:
Your security stack needs to include these three areas of defense to prevent remote-access exploits:
- An email solution, e.g., Proofpoint
- An endpoint detection and response (EDR) solution, e.g., Falcon or FE-HX
- A network-based detection solution like ThreatEye NV
Each product serves a different function and role due to its capability and visibility.
The roles are as follows:
- Email Security provides email detection, blocking, and filtering. An example of this would be Proofpoint.
- Endpoint Security provides endpoint detection and response (EDR), host-based forensics, and containment. An example of this would be Falcon/HX.
- Network Security provides network detection and response (NDR), scoping, and ML-based behavioral analysis. LiveAction’s ThreatEye NV is the solution to meet these needs.
In the case of the Follina exploit, a workflow with the suggested stack of technologies would look like this:
- The Email Security system can detect the phishing email, but if it fails, the following line of defense will kick in depending on the user’s actions.
- Let’s say the user opens the attachment.
- Once the attachment is pulled into the system, the EDR solution will analyze the binary file for exploits, but we move on to our third line of defense if that fails.
- If the Email Security and EDR both fail to detect Follina, we now have an active exploit beginning to generate network activity.
- The NDR, ThreatEye NV, comes into play at this point for detection, seeing the unknown external IP and the remote access events for initial access.
- Meanwhile, the attacker gets reverse shell access to the command line and starts poking around the environment, escalating privileges, etc.
- If they download another binary, say a second stage backdoor for C2, we could also monitor and detect this, generating alerts for this behavior, and so on with lateral movement.
There are unique capabilities to every solution. ThreatEye NV’s intelligence-based algorithms transcend the limitations of traditional cybersecurity products that threat actors can outsmart. It integrates brilliantly, wrapping its arms around conventional security solutions and pairing well with EDRs and email scanners to fill any existing visibility gaps.
ThreatEye NV enters at the second point of detection after the initial phishing email is opened, when the document calls back to the attacker’s infrastructure. ThreatEye NV detects the remote access event via several behavioral analytics and analyzers like RDP, SSH, and PSH.
This is where our event correlation engine (ECE) really shines. Our ECE triangulates malicious activity based on several anomalous events and variables provided by our analytics engine rather than simply scanning a database for signature detection.
We scope, detect and mitigate the hacker within the environment, detecting pre- and post-exploit events and anomalies, so whether it’s a known exploit or something day-zero, it’s in our line of sight.