The so-called Follina vulnerability in Microsoft Office is not unknown, but was obviously underestimated: hackers are already using it as a gateway to inject ransomware with manipulated documents and spy out data. The IT security consultants at KALWEIT ITS warn that precautionary measures are necessary.
The Microsoft Windows Support Diagnostic Tool (MSDT) has the vulnerability CVE-2022-30190, which has meanwhile gained some notoriety under the name “Follina”: at the end of May, the IT security company Proofpoint published a report on an attack by Chinese hackers on the International Tibetan Community. Apparently, the vulnerability was used to deliver manipulated documents and use them to execute PowerShell commands. And the effort required is not even large.
The Follina vulnerability and its destructive potential
This puts the IT security of entire organizations at risk, as Philipp Kalweit, Managing Director of KALWEIT ITS GmbH, emphasizes: “The Follina vulnerability is not only suitable for easily spreading malware, but also for having data spied out.” What makes it perfidious: this vulnerability is relatively easy to exploit. Merely downloading the prepared Office document and loading the preview in Windows Explorer can be enough to activate the malicious code.
“This means that a user does not even have to open the document – so the hurdle for the malware is extremely low.” This also explains the term zero-click exploit, which is already circulating in specialist circles.
Another special feature is noteworthy: the exploit does not use VBA macros, whose implementation has already proven susceptible to such attacks, but the ms-msdt protocol. This is generally enabled in Microsoft Windows versions 7 and higher, and also in the server versions from Windows Server 2008 upwards, for automatic troubleshooting – the potential of these cyber attacks is therefore enormous.
According to Philipp Kalweit, the assumption that only selected Microsoft Office versions offer the Follina gateway is also proving to be overly optimistic: “There are more and more indications that Microsoft Office applications play no role, since other attack vectors could also be identified. So far, however, hacker attacks appear to have focused on Office documents, which are manipulated in such a way that they act as the primary mode of malicious code distribution.”
Microsoft corrects its own Follina risk assessment
It is also noteworthy that this vulnerability was not first discovered at the end of May: CrazymanArmy, an IT security researcher, tweeted a screenshot showing his report to Microsoft dated April 12, 2022. There was no reaction from there; on the contrary, the report was rejected and the problem classified as not security-relevant. In the meantime, the Microsoft Security Response Center (MSRC) has confirmed the severity of the Follina vulnerability with a score of 7.8 out of 10 and reports that work is being done on a security update.
This is also urgently needed, because more and more attacks are being reported: for example, on June 3, 2022, Proofpoint reported on Twitter about an email-based campaign directed against European and US government agencies. Reported attacks in the Oceania region and on Ukrainian authorities have not yet been confirmed. However, the BSI reacted: on May 31, 2022, warning level 3 (orange) was declared. This level is the second highest and means that the IT threat situation is definitely business-critical and regular operations must be expected to be massively disrupted.
Identical security recommendation from BSI and Microsoft
It is not yet clear when Microsoft will release the security update. All the more important are the recommendations by the BSI and Microsoft to deactivate the MSDT URL protocol handler for the time being via the registry. Kalweit therefore advises: “We definitely recommend these precautions in order to be able to close the gateway, which is currently wide open and surprisingly easy to use, at least until the gap has been repaired.”
To do this, the command prompt must be opened with administrator rights. A backup of the registry key should be made first so that it can be restored after the security update or if other problems occur. The command for this is [reg export HKEY_CLASSES_ROOT\ms-msdt Mein_Dateiname] (where Mein_Dateiname stands for the backup file name) – in each case without the square brackets. The registry key can then be deleted with the command [reg delete HKEY_CLASSES_ROOT\ms-msdt /f].
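The same BSI/Microsoft workaround as an added PowerShell script (not from the article or from KALWEIT ITS) that backs up the key, removes it, verifies the result and offers a rollback; the backup directory, file name and function names are assumptions of this example.

```powershell
# Added example: applies the CVE-2022-30190 workaround from an elevated PowerShell
# session. Backup location and function names are this example's own choices.

$Key        = 'HKEY_CLASSES_ROOT\ms-msdt'
$KeyPath    = "Registry::$Key"                     # provider path usable with Test-Path
$BackupDir  = 'C:\ProgramData\FollinaMitigation'   # assumed location for the .reg backup
$BackupFile = Join-Path $BackupDir ('ms-msdt-' + (Get-Date -Format 'yyyyMMdd-HHmmss') + '.reg')

function Test-IsAdministrator {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Disable-MsdtHandler {
    if (-not (Test-IsAdministrator)) { throw 'Run this from an elevated (administrator) session.' }
    if (-not (Test-Path $KeyPath)) {
        Write-Host "$Key is already absent; nothing to do."
        return
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    # 1. Back up the key so it can be restored once the security update is installed.
    reg.exe export $Key $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) { throw 'Backup failed; key left untouched.' }
    # 2. Remove the protocol handler so ms-msdt: URLs no longer launch MSDT.
    reg.exe delete $Key /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg delete failed.' }
    # 3. Verify that the mitigation actually took effect.
    if (Test-Path $KeyPath) { throw 'Key still present after delete.' }
    Write-Host "ms-msdt handler removed; backup saved to $BackupFile"
}

function Restore-MsdtHandler {
    param([Parameter(Mandatory)][string]$RegFile)   # the .reg file written by Disable-MsdtHandler
    if (-not (Test-IsAdministrator)) { throw 'Run this from an elevated (administrator) session.' }
    reg.exe import $RegFile | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $KeyPath)) { throw 'Restore failed.' }
    Write-Host "ms-msdt handler restored from $RegFile"
}

Disable-MsdtHandler
# After the patch is installed:
# Restore-MsdtHandler -RegFile 'C:\ProgramData\FollinaMitigation\ms-msdt-<timestamp>.reg'
```

Running Test-Path on the Registry:: path afterwards is also a quick way to confirm on other machines whether the workaround is in place.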