At the end of last week, @nao_sec, an independent cyber security research team, tweeted about a malicious Microsoft Word document submitted from Belarus that leverages remote templates to execute a PowerShell payload using the "ms-msdt" MSProtocol URI scheme. Additional developments over the weekend identified the issue as a new unpatched vulnerability in Windows. A successful attack results in a remote, unauthenticated attacker taking control of an affected system. A publicly available Proof-of-Concept soon followed.
This issue is referred to as “Follina’ and has a CVE assignment of CVE-2022-30190.
The name of the vulnerability is credited to security researcher Kevin Beaumont. "Follina" was derived from his analysis of the 0-day that contained code referencing "0438", which is the area code of Follina, Italy. Most of the time, it’s a bad sign when a vulnerability is crowned with a unique name (having a mind-shaking logo is usually the last dagger – such as Heartbleed, Shellshock, and EternalBlue, but thankfully, this issue is not in the same league as those.
As FortiGuard Labs is on high watch for the development of proof of concept code for CVE-2022-30190, this blog intends to raise awareness of this critical vulnerability and to urge administrators and various organizations to take quick corrective action until Microsoft releases a patch.
Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Full Control of Affected Machine
Severity level: Critical
The first question you probably would ask is how bad this vulnerability is. CVE-2022-30190 is rated as CVSS 7.8 (Critical), and there are a number of reasons for it.
This vulnerability is in the Microsoft Support Diagnostic Tool (MSDT), a tool from Microsoft that collects and sends system information back to Microsoft Support for problem diagnostics, such as issues with device drivers, hardware, etc. This tool is in all versions of Windows, including Windows Server OS. Because of the lack of an available patch from Microsoft (as of June 1st, 2022), machines that are not protected by endpoint software or a mitigation strategy are vulnerable to Follina.
As proof-of-concept code is publicly available, this code can be freely used by security researchers, administrators, and threat actors alike. As such, attacks that leverage CVE-2022-30190 are expected to increase over the next few days and weeks.
Protected View, a feature in Microsoft Office that opens Office documents in read-only mode with macros and other content disabled, can prevent this attack. However, reports from researchers have revealed that if a document is converted to Rich Text Format (RTF) format, simply previewing the document in Windows Explorer can trigger the exploit, bypassing Protected View. At the time of writing, Microsoft’s latest advisory has not confirmed this nor whether this is another exploitation vector.
On a side note, despite using “remote” in the vulnerability name, the attack happens locally, and user interaction is required for the attack to work. Microsoft’s advisory calls out this point: “The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.”
Additionally, the vulnerability has already experienced in-the-wild attacks. As shown in the timeline at the end of this blog (see Timeline), a series of initial attacks were reportedly observed in March 2022, targeting the Philippines, Nepal, and India. Additional files were submitted to VirusTotal from Russia and Belarus. Those attacks were most likely targeted attacks as the domains involved reveal little activity in our telemetry.
Due to the severity of the vulnerability, the United States Cybersecurity & Infrastructure Security Agency (CISA) issued an advisory on May 31st, urging users and administrators to apply necessary workarounds as soon as possible.
The vulnerability that exists within msdt.exe is the Microsoft Support Diagnostic Tool. Normally, this tool is used to diagnose faults with the operating system and then report and provide system details back to Microsoft Support.
The vulnerability allows a malicious actor to effectively execute arbitrary code with the same privileges as the application calling it. As has been the case with the original reporting of this from @nao_sec and subsequent experimentation in the wider security community, the calling application is quite often a tool in Microsoft Office (Word, Excel, Outlook, etc.).
As shown in Figure 2, the document found by @nao_sec used an embedded OLE Object inside a Word document that was modified to call an external website to download an HTML document. This document then invoked msdt.exe, followed by several PowerShell commands.
Figure 3 shows the original HTML payload, which required several lines with the letter ‘A’ (61) to be commented out of the script in order to execute. MSDT was then invoked using character and Base64 encoding to obfuscate the actual command.
Many further examples have been uploaded to VirusTotal that invoke Calc and other benign Windows tools as a method to test the vulnerability without causing damage.
The TA413 APT group, a hacking outfit linked to Chinese state interests, has adopted this vulnerability in attacks against the international Tibetan community. As observed on May 30 by security researchers, threat actors are now using CVE-2022-30190 exploits to execute malicious code via the MSDT protocol when targets open or preview Word documents delivered in ZIP archives. Campaigns have impersonated the ‘Women Empowerments Desk’ of the Central Tibetan Administration and use the domain tibet-gov.web[.]app.
The security researchers also spotted DOCX documents with Chinese filenames being used to install malicious payloads detected as password-stealing Trojans via "hxxp://coolrat[.]xyz".
At the time of writing, researchers have discovered limited exploitation of the vulnerability in the wild. One instance of active exploitation of ‘Follina’ was conducted by Chinese APT actor ‘TA413’.
At the time of this writing, all known attacks used Microsoft Word document files that were most likely delivered via email. Theoretically, any applications that allow an OLE object to be embedded would be a viable execution mechanism.
In the Wild Attack
One of the real-world attacks that leverage CVE-2022-30190 is a Microsoft Word file submitted to VirusTotal from Saudi Arabia on June 1st (SHA2: 248296cf75065c7db51a793816d388ad589127c40fddef276e622a160727ca29), which MalwareHunterTeam posted in a tweet:
The doc file retrieves an HTML file from 212[.]138[.]130[.]8/analysis.html, which abuses MSDT to fetch the next stage payload “svchost.exe” from a remote location and then execute it.
The Saudi Arabian DOCX document eventually leads to the download and execution of an executable. This executable (SHA256: 4DDA59B51D51F18C9071EB07A730AC4548E36E0D14DBF00E886FC155E705EEEF) is a variant of Turian, which was analyzed by ESET (https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/) almost a year ago. This current variant uses the same one-byte XOR key (0xA9) as the previously analyzed Turian sample.
This sample also has the functionality to try and determine what role the infected computer plays in the domain.
Similar to the old Turian sample, this variant uses the same headers to connect to the C2 server.
This sample creates “tmp.bat”, which is used to set RUN keys in the registry for persistence purposes.
Note the mixed usage of upper and lowercase letters, which is the same as the old Turian sample.
This latest variant uses www[.]osendata[.] com as its C2 server.
Another Turian sample similar to this latest variant has a SHA256 hash of 34DC42F3F486EC282C5E3A16D81A377C2F642D87994AE103742DF5ED5804D0F7 and a C2 server of www[.]tripinindian[.]com.
Microsoft has provided the following mitigation steps in a blog posted on May 30th, 2022.
CISA also urged admins and users to disable the MSDT protocol on their Windows devices after Microsoft reported active exploitation of this vulnerability in the wild.
Disabling the MSDT URL Protocol:
Disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in System Settings as other or additional troubleshooters. Follow these steps to disable:
- Run Command Prompt as Administrator.
- To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOTms-msdt filename“
- Execute the command “reg delete HKEY_CLASSES_ROOTms-msdt /f”.
How to undo the workaround
- Run Command Prompt as Administrator.
- To restore the registry key, execute the command “reg import filename”
Timeline of CVE-2022-30190 based on information gathered by FortiGuard Labs:
CVE-2022-30190 has the potential to have significant impact due to its ease of exploitation and ability to bypass Protected View, along with the availability of new PoC code and the lack of a security fix. Administrators and users should monitor updates from Microsoft and apply the patch as soon as it becomes available. Until then, mitigation should be applied as soon as possible.
The FortiGuard Antivirus service detects and blocks files associated with CVE-2022-30190 with the following signatures:
Regarding IPS coverage, the following signature will detect the retrieval of remote HTML files that contain the MSDT command:
The FortiGuard Content Disarm and Reconstruction (CDR) service can detect the attack in real-time and prevent it by disarming the "oleobject" data from Microsoft Office files.
All relevant URLs have been rated as "Malicious Websites" by the FortiGuard Web Filtering service.
For a comprehensive list of Fortinet technologies that prevent exploitation of CVE-2022-30190, please refer to our Outbreak Alert Service page, “MSDT Follina.”
As these attacks require user interaction, it is also suggested that organizations regularly schedule user awareness and training simulations on how to spot a social engineering attack. Fortinet has multiple solutions designed to train users on how to understand and detect phishing threats:
FortiEDR detects post-exploitation behavior associated with the CVE-2022-30190 vulnerability. A KB article detailing how FortiEDR can mitigate this issue can be found here.
We suggest that organizations have their end users go through our FREE NSE training: NSE 1 – Information Security Awareness. It includes a module on Internet threats to train end-users on how to identify and protect themselves from phishing attacks.
In addition, the FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and train and reinforce proper practices when users encounter targeted phishing attacks.