Follina MS Word Vulnerability – all you need to know

Follina – it’s just a clever name

The name Follina comes from an area not far from Venice, in the North West of Italy. While this seems interesting, the name itself is not important: it comes from an executable file called 05-2022-0438, and 0438 is the area dialling code for Follina. So while it's clever, the name has nothing to do with the vulnerability.

What is the Follina vulnerability?

Criminal gangs are using the vulnerability to target various large-scale organisations in the US and Europe, many of them government agencies. The phishing email campaign delivers a Microsoft Word document that exploits a vulnerability in Microsoft Office to run arbitrary commands as soon as the recipient opens it. The worrying thing is that many firewalls and email security platforms are not detecting the exploit, leaving organisations exposed. As we know, email, which is responsible for approximately 80% of all cyber attacks, is the attack vector of choice for criminal gangs.

Enterprise security firm Proofpoint said it blocked attempts to exploit the remote code execution flaw, which is tracked as CVE-2022-30190 (CVSS score: 7.8). “This campaign masqueraded as a salary increase and utilized an RTF with the exploit payload downloaded from 45.76.53[.]253,” the company said in a series of tweets. The payload, a Base64-encoded PowerShell script, functions as a downloader that retrieves a second PowerShell script from a remote server named “seller-notification[.]live”.

“This script checks for virtualization, steals information from local browsers, mail clients and file services, conducts machine recon and then zips it for exfil[tration] to 45.77.156[.]179,” the company added.

How does the Follina vulnerability work?

  • Exploits a vulnerability in Microsoft Office.
  • You open a booby-trapped DOC file, perhaps received via email or in a Teams or Skype message.
  • The document references a regular-looking https: URL that gets downloaded.
  • This https: URL references an HTML file that contains some weird-looking JavaScript code.
  • That JavaScript references a URL with the unusual identifier “ms-msdt:” instead of “https:”.
  • On Windows, ms-msdt: is a proprietary URL type that launches the MSDT software toolkit.
  • MSDT is shorthand for Microsoft Support Diagnostic Tool.
  • The command line supplied to MSDT via the URL causes it to run untrusted code.

39 security vendors and no sandboxes flagged this file as malicious – read more here from VirusTotal.
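Because, as noted above, many email gateways did not flag the sample, a defender may want to check quarantined documents offline for the two indicators in the list: an external https: target referenced from inside the document package, and the ms-msdt: scheme appearing in any part the document carries. The PowerShell function below is an added example written for this page, not code from the article, CommSec, VirusTotal or Microsoft. It treats a .docx as the ZIP package it is (so Word never parses it), reads every relationship (.rels) part for relationships marked TargetMode="External" with an http(s) target, and searches every text-like part for the ms-msdt: scheme. It assumes Windows PowerShell 5.1 or later with .NET's System.IO.Compression available; the file path in the usage lines is a placeholder.

```powershell
# Added example: offline triage of a Word document for the two Follina indicators
# described in the list above. Requires Windows PowerShell 5.1+ (System.IO.Compression).
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-OfficeExternalReferences {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $findings = New-Object System.Collections.Generic.List[object]
    # A .docx is a ZIP package; open it read-only instead of letting Word open it.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            # Relationship parts and XML/HTML parts are the ones that can carry a URL.
            if ($entry.FullName -notmatch '\.(rels|xml|html?)$') { continue }

            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { $content = $reader.ReadToEnd() } finally { $reader.Dispose() }

            if ($entry.FullName -like '*.rels') {
                [xml]$rels = $content
                foreach ($rel in @($rels.Relationships.Relationship)) {
                    # Normal documents resolve their parts internally; an http(s) target
                    # marked External is the "regular-looking https: URL" from the list.
                    if ($rel.TargetMode -eq 'External' -and $rel.Target -match '^https?://') {
                        $findings.Add([pscustomobject]@{
                            Part   = $entry.FullName
                            Type   = ($rel.Type -split '/')[-1]   # e.g. hyperlink, image, oleObject
                            Target = $rel.Target
                            Reason = 'External http(s) relationship target'
                        })
                    }
                }
            }

            # The MSDT handler scheme has no business inside a document package.
            if ($content -match 'ms-msdt:') {
                $findings.Add([pscustomobject]@{
                    Part   = $entry.FullName
                    Type   = 'n/a'
                    Target = 'ms-msdt:'
                    Reason = 'MSDT URL scheme present'
                })
            }
        }
    }
    finally {
        $zip.Dispose()
    }
    return $findings
}

# Usage: the path below is a placeholder for a quarantined attachment.
$suspect = 'C:\quarantine\suspect.docx'
if (Test-Path $suspect) {
    $results = Get-OfficeExternalReferences -Path $suspect
    if ($results.Count -eq 0) { 'No external http(s) targets or ms-msdt: references found.' }
    else { $results | Format-Table -AutoSize }
}
```

An external http(s) relationship target on its own is not proof of compromise (legitimate hyperlinks use the same mechanism), so the function reports the relationship type alongside the target and leaves the verdict to the analyst; the ms-msdt: indicator, by contrast, is one a clean document should never produce.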

Ian Shiel, Operations Director @ CommSec, comments: “In terms of what happens with a successful exploit, the answer is it depends. In one case that we are familiar with, the commands executed sent emails to the addresses in the compromised users’ contact list in an attempt to propagate itself. In that case, it set up forwarders on the user’s email account to send email to an external address.

This is a very good example of why a local administrator account and definitely a domain administrator account should not be used for day-to-day work such as reading email. Compromising an admin account gives an attacker much more scope and a larger foothold in your IT environment. This advice is as valid for home PCs as much as it is for managed IT environments”.

Follina Workarounds

A workaround officially endorsed by Microsoft is to break the relationship between ms-msdt: URLs and the MSDT utility. This means that ms-msdt: URLs no longer have any special significance and can’t be used to force MSDT.EXE to run. If you have administrator-level access to your PC you can make this change simply by removing the registry entry HKEY_CLASSES_ROOT\ms-msdt, if it exists. (If it’s not there, you are already shielded by this workaround.) More on this here (link to Sophos page).

Windows Domain administrators can also block this using Group Policy (GPO) in a managed environment.
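The registry workaround above, scripted as an added example (not code from the article, CommSec or Microsoft): it checks whether the key exists, exports a backup first so the change can be reversed once the patch is installed, and only then deletes the key. The reg.exe export, delete and import commands are the ones Microsoft's published guidance for this key uses; the backup location under ProgramData is an assumption. Run it from an elevated PowerShell session, since the key is machine-wide and deleting it needs administrator rights.

```powershell
# Added example: the registry workaround for CVE-2022-30190, with a backup
# so it can be undone after patching. Run from an elevated PowerShell session.
$MsdtKey = 'HKEY_CLASSES_ROOT\ms-msdt'

function Test-MsdtHandlerPresent {
    # True while ms-msdt: URLs are still wired to MSDT.EXE on this machine.
    Test-Path "Registry::$MsdtKey"
}

function Disable-MsdtUrlHandler {
    # Backup location is an assumption; any writable path works.
    param([string]$BackupPath = "$env:ProgramData\ms-msdt-backup.reg")

    if (-not (Test-MsdtHandlerPresent)) {
        Write-Output "$MsdtKey is not present; this machine is already shielded."
        return
    }

    # Back up first, using the same 'reg export' as Microsoft's guidance.
    & reg.exe export $MsdtKey $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $MsdtKey failed; leaving the key in place." }

    & reg.exe delete $MsdtKey /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not delete $MsdtKey (is this session elevated?)." }

    # Verify, rather than trust the exit code alone.
    if (Test-MsdtHandlerPresent) { throw "$MsdtKey still exists after deletion." }
    Write-Output "Removed $MsdtKey; backup saved to $BackupPath."
}

function Restore-MsdtUrlHandler {
    # Undo step for after the Office/Windows patch is installed.
    param([string]$BackupPath = "$env:ProgramData\ms-msdt-backup.reg")

    if (-not (Test-Path $BackupPath)) { throw "No backup found at $BackupPath." }
    & reg.exe import $BackupPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Import of $BackupPath failed." }
    Write-Output "Restored $MsdtKey from $BackupPath."
}

# Apply the workaround; call Restore-MsdtUrlHandler later to reverse it.
Disable-MsdtUrlHandler
```

Test-MsdtHandlerPresent doubles as a compliance check: run on its own it returns False on machines where the workaround (or a patch that removes the handler) is already in place, which is the "already shielded" case the text describes.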

Resolution of Follina

Sophos and some other endpoint protection platforms now detect the malicious attachment, but not all do, so caution is still needed.
