Attackers are leveraging Follina. What can you do?
As the world is waiting for Microsoft to push out a patch for CVE-2022-30190, aka “Follina”, attackers around the world are exploiting the vulnerability in a variety of campaigns.
A complex vulnerability
Microsoft has described CVE-2022-30190 as a Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability, confirmed it affects an overwhelming majority of Windows and Windows Server versions, and advised on a workaround to be implemented until a patch is ready.
Vulnerability analysts and security researchers have shared their own view of the complexity of the issue(s) behind that one CVE:
It's up to MS to define what they want CVE-2022-30190 to be. But I predict it'll be the PowerShell injection on the PCWDiagnostic component.
If you're only focusing on the protocol, that's sort of like picking a web browser CVE out of thin air for an attack starting with http://
— Will Dormann (@wdormann) June 1, 2022
My take on the three different Follina issues.
Fix all three in coming months, close attack surface. https://t.co/TlBT2vsYKm
— Kevin Beaumont (@GossiTheDog) June 2, 2022
The wider security community has been poking and creating proof-of-concept exploits for the flaw, as well as converting MSDT exploits so they can be used with other protocol handlers for a different kind of attack.
Attacks in the wild
After the attacks spotted in April and May, which revealed the existence of the flaw and its active exploitation to the wider security community, reports soon started trickling in about other campaigns leveraging it across the globe:
Malware signed by stolen certificates is using #Follina vulnerability to spread evil #AsyncRAT into the #Palau paradise. Seems targeted. Read more on #AvastDecoded https://t.co/hxHsYwEGU4
— Avast Threat Labs (@AvastThreatLabs) June 3, 2022
#Follina CVE-2022-30190 https://t.co/uo7yZDWxSu
.RTF
Employment Agreement
Submitted: 2022-06-02 22 – PH
URL: http://45.76.53[.]253/1.html
Payload: https://seller-notification[.]live/Zgfbe234dg
Gathers info from browsers, registry, user accounts etc
Uploads ZIP to 45.77.156[.]179 pic.twitter.com/c9E0G1PLvM
— Kimberly (@StopMalvertisin) June 3, 2022
Ukraine 🇺🇦 : Ukrainian CERT announces that #cyberattacks targeted Ukrainian government organizations using:
– booby-trapped emails
– Cobalt Strike Beacon malware
– CVE-2021-40444 and CVE-2022-30190
The origin of the attack is not specified.
Via @_CERT_UA https://t.co/Ti0aBgzBGa
— Cyber, etc… (@cyber_etc) June 2, 2022
What can defenders do until patches are released?
We have already mentioned Microsoft’s advice, which involves disabling the MSDT URL protocol.
ACROS Security has released free micropatches for various editions of Windows and Windows Server, to be used via their 0patch agent.
SANS Senior Instructor Jake Williams recently answered plainly a number of questions regarding Follina, possible mitigations, and how to detect exploitation attempts.
Security companies have been adding signatures and rules for detecting malicious documents exploiting CVE-2022-30190, as well as providing general advice.
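Detection of that kind can be scripted by any defender. The Python scanner below is an added example, not code from the article or from any vendor named in it: it assumes the publicly described structure of Follina documents (an oleObject relationship with TargetMode="External" pointing at a remote URL, which is how the document pulls the HTML that invokes MSDT) and also flags any part that names the ms-msdt: scheme the workaround above disables. The document it builds is a constructed test archive, not a real malicious file.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type used by embedded or linked OLE objects.
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
MSDT_RE = re.compile(r"ms-msdt:", re.IGNORECASE)


def scan_docx(data: bytes) -> list:
    """Return findings for a .docx given as bytes (empty list = nothing suspicious).

    Heuristics (assumed from published Follina samples):
    1. an oleObject relationship marked External whose target is an http(s) URL;
    2. any XML/HTML part containing the literal 'ms-msdt:' URI scheme.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.endswith(".rels"):
                root = ET.fromstring(z.read(name))
                for rel in root.iter(RELS_NS + "Relationship"):
                    target = rel.get("Target", "")
                    if (rel.get("Type") == OLE_REL
                            and rel.get("TargetMode") == "External"
                            and target.lower().startswith(("http://", "https://"))):
                        findings.append(f"{name}: external OLE object -> {target}")
        for name in z.namelist():
            if name.endswith((".xml", ".rels", ".htm", ".html")):
                if MSDT_RE.search(z.read(name).decode("utf-8", "ignore")):
                    findings.append(f"{name}: contains ms-msdt: URI")
    return findings


def build_sample(target: str, external: bool = True) -> bytes:
    """Constructed minimal .docx-style archive for testing the scanner (hypothetical data)."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{OLE_REL}" Target="{target}"{mode}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()
```

Run `scan_docx` over the bytes of each attachment; a benign document with a locally embedded OLE object (relative target, no External mode) produces no findings.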