14. 06. 2022 Mirko Ioris Red Team, SEC4U

How People Reacted to Follina, the New 0-day

Zero-day vulnerabilities pose a serious threat in the field of cybersecurity. These flaws are usually discovered and exploited by criminals before security researchers even know of their existence. Because of this, we call them 0-day. It indicates the amount of time the “good people” have had to study and solve the problem. So if this number is zero, it’s certainly bad news.


What is Follina?

It’s a Remote Code Execution Vulnerability in Microsoft Windows’ Support Diagnostic Tool (MSDT), that allows a remote attacker to execute arbitrary shell commands on the target system. Officially recognized as CVE-2022-30190, it was renamed Follina by Kevin Beaumont, one of the first to document it.

I’m calling it Follina because the spotted sample on the file references 0438, which is the area code of Follina in Italy.

Kevin Beaumont

The vulnerability relies on a call to the MSDT via the URL protocol from a calling application that can be for instance Microsoft Word. In this scenario, a Word document loads malicious code from a remote web server and passes it to the MSDT executable via the ms-msdt protocol. As soon as someone opens the document, or even just loads a preview of it, the downloaded PowerShell code is executed. The attacker can precompile this code that will then run with the privileges of the user who opened the infected file.

John Hammond reported a more detailed analysis of the vulnerability, if you’re interested in further reading. He also provided an example of its exploitation:

A video with the working exploit published on Twitter

Test and Detection

Fortunately, even in the worst case of a zero-day vulnerability, there are many security enthusiasts investigating the problem and doing their best to inform the community. Several people like the following have started to gradually reproduce the exploit on various machines and publish detection rules:

This list is only a small part of the community’s contributions and shows us how quickly researchers can act and work to ensure a high level of safety for all of us.

Our approach

We in the SOC Team at Würth-Phoenix worked on the vulnerability to simulate a successful attack and test the efficiency of our detection rules. We used the PoC mentioned above in a controlled environment and executed the exploit.

The core part of the exploit, which opens the calculator if the Word doc is opened

Note: in a real scenario an attacker will not open the calculator, but rather will try to gain control of the machine.

The exploit in action in our controlled environment

Through our Elastic SIEM we can monitor the status of our devices and generate alerts in case of anomalies. The Follina exploit in the previous image was correctly detected with a rule created specifically for its detection.

Alerts raised with the execution of the exploit
The rule we are using, courtesy of sigma rule.

Follina is also detected with a generic rule that monitors unusual child processes. This works because the msdt.exe instance is not normally launched from a Word document and this peculiarity is detected.

Follina detected as a suspicious child process.

Takeaway

Follina was disclosed on May 27 and at the time of publishing this post, 18 days later, we are still waiting for an official patch to fix the problem. At the moment, what Microsoft has been able to provide us with are just a few mitigations. These reduce the likelihood of Follina being exploited, but do not represent an ultimate solution. While we wait, we can count on the ongoing work of security specialists. And remember to always be wary of opening documents if we are unable to assess their trustworthiness.

Mirko Ioris

Mirko Ioris

Technical Consultant - Cyber Security Team | Würth Phoenix

Author

Mirko Ioris

Technical Consultant - Cyber Security Team | Würth Phoenix

Leave a Reply

Your email address will not be published.

Archive