Follina Zero-Day Vulnerability - Proceed with Caution!
On Friday, May 27th a cybersecurity notice was posted by researchers reporting a zero-day vulnerability in Microsoft Office. Known as Follina, this vulnerability uses bogus Word document attachments to infect a user’s device and remotely execute malicious code on it. Experts are calling for organizations to be especially vigilant when opening unexpected .doc attachments.
Umbrella continues to remain proactive in combating bad actors and cybersecurity threats. We have written this article to help you better understand the seriousness of this vulnerability, how we are defending against it, and what you can do to remain vigilant.
Current State Summary - Follina Zero-Day Vulnerability
The goal of any cybersecurity attack is to work quickly to infect a device and extract information. The Follina zero-day vulnerability makes use of how the ms-msdt URL protocol handler processes URLs to accomplish this. To simplify, Follina calls on ms-msdt to quickly execute code and infect a computer. At this time Microsoft is reporting that this threat impacts all Microsoft-supported versions of Office. According to SentinelOne, a cybersecurity attack prevention platform, calls to ms-msdt that lead to code execution are being reported as exploited in Microsoft Office .doc and .rtf files.
Key takeaways include:
- It’s been reported that Chinese APTs may have been exploiting Follina since the start of April 2022. In addition, Microsoft confirmed that their Microsoft Support Diagnostic Tool (MSDT) contained a vulnerability.
- On Friday, May 27th, 2022 the Twitter user nao_sec tweeted about a Microsoft Word attachment that was being used to deploy HTML and execute PowerShell. Since then, reports have been made by numerous sources.
- These malicious PowerShell commands execute via ms-msdt, in what are referred to as Arbitrary Code Execution (ACE) attacks, when opening or previewing Word documents.
- The vulnerability is working in a similar manner to what was observed with Log4j: this malicious code works quickly to infect a computer.
- Methods of execution and the outcomes of this vulnerability continue to expand as more researchers examine it.
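Because the delivery described above links a Word document to remotely hosted HTML that invokes ms-msdt, a read-only triage check can flag suspicious attachments before anyone opens or previews them. The following PowerShell script is an added example written for this article; it is not code from Umbrella, SentinelOne or Microsoft. It assumes that a .docx is a ZIP container whose word/_rels/*.rels files declare relationships, and it flags any OLE-object relationship with TargetMode="External" or any relationship target that starts with ms-msdt:. The quarantine folder path is an assumption; the check is a heuristic indicator, not a replacement for endpoint protection.

```powershell
# Added example (not from the original article): read-only triage of .docx
# attachments. Word documents are ZIP containers; the relationship parts under
# word/_rels/ record any external link targets. Flagging external OLE-object
# relationships and direct ms-msdt: targets gives a defender-side indicator
# without opening the file in Word. File paths below are assumptions.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-DocxForExternalOle {
    param([Parameter(Mandatory)][string]$Path)

    $findings = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        # Only relationship parts can carry link targets.
        $relEntries = $zip.Entries | Where-Object { $_.FullName -like 'word/*.rels' }
        foreach ($entry in $relEntries) {
            $reader = [System.IO.StreamReader]::new($entry.Open())
            try {
                [xml]$rels = $reader.ReadToEnd()
            } finally {
                $reader.Dispose()
            }
            foreach ($rel in $rels.Relationships.Relationship) {
                $isOle      = $rel.Type -like '*/oleObject'
                $isExternal = $rel.TargetMode -eq 'External'
                $isMsdt     = $rel.Target -match '^ms-msdt:'
                if (($isOle -and $isExternal) -or $isMsdt) {
                    $findings += [pscustomobject]@{
                        File   = $Path
                        Part   = $entry.FullName
                        Type   = $rel.Type
                        Target = $rel.Target
                    }
                }
            }
        }
    } finally {
        $zip.Dispose()
    }
    return $findings
}

# Usage: scan every .docx in a quarantine folder (the folder path is an assumption)
# and list the file, the relationship part and the external target for each hit.
Get-ChildItem -Path 'C:\Quarantine' -Filter '*.docx' -Recurse |
    ForEach-Object { Test-DocxForExternalOle -Path $_.FullName } |
    Format-Table -AutoSize
```

The script never renders the document and never follows the target URL; it only reads the ZIP entries, so it is safe to run against quarantined mail attachments. A legitimate document with an external OLE link will also be flagged, which is the intended trade-off for a quick indicator.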
Umbrella’s response to the Follina Vulnerability
- Our Centralized Services team completed testing to confirm that SentinelOne is catching attachments that contain the exploit.
- Updated our security script to include new registry keys based on SentinelOne’s most recent recommendations.
- For our organizations that do not use SentinelOne, Centralized Services has also deployed a workaround from Microsoft to lock down the exploit, which involves removing the ms-msdt key under HKEY_CLASSES_ROOT in the registry. Our testing has shown that this is successful.
- We are continuing to monitor new developments regarding the Follina vulnerability and will work to remain proactive to ensure we are staying ahead of this serious threat.
How you can protect your organization against Follina.
- Share this information with your organization, colleagues, family, and social networks.
- Use extreme caution when looking at Microsoft Word attachments. The vulnerability can execute code on a system even when just previewing the malicious .doc.
- Umbrella’s clients can continue with standard practices for reporting suspicious or unexpected emails in their inbox and follow these best practices:
  - Do not open emails or download software from untrusted sources
  - Do not click on links or attachments in emails that come from unknown senders
  - Do not supply passwords, personal, or financial information via email to anyone (sensitive information is also used for double extortion)
  - Always verify the email sender’s address, name, and domain
Umbrella continues to remain proactive and is here to protect and support our clients as we work to keep organizations secure. These cybersecurity threats are serious, and we remain vigilant in staying ahead of cyber threats. As always, we ask that you report anything that is out of the ordinary or doesn’t feel right.
Additional information on Follina for IT Professionals
As reported by BleepingComputer, steps can be taken to disable the MSDT URL protocol and protect against threats. We’ve shared a quick summary of what you can do to disable the URL protocol; you can visit Bleepingcomputer.com for their full story.
To disable the MSDT URL protocol on a Windows device, go through the following procedure:
- Run Command Prompt as Administrator.
- Back up the registry key by executing the command: reg export HKEY_CLASSES_ROOT\ms-msdt ms-msdt.reg
- Remove the key by executing the command: reg delete HKEY_CLASSES_ROOT\ms-msdt /f
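For administrators applying the workaround across several machines, the same two steps can be wrapped in a script that backs up the key, removes it, verifies the removal, and can restore the original registration later. The following PowerShell is an added example written for this article, not Umbrella’s security script and not code from Microsoft or BleepingComputer. It must be run from an elevated session; the backup file location under ProgramData is an assumption.

```powershell
# Added example (not from the article, Umbrella, Microsoft or BleepingComputer):
# the MSDT URL protocol workaround as PowerShell, with a backup, a verification
# step and a restore function so the change can be rolled back once a patch is
# in place. Run from an elevated PowerShell session. The backup path is an assumption.
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'

function Disable-MsdtProtocol {
    param([string]$Backup = $BackupFile)

    if (-not (Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt')) {
        Write-Host 'ms-msdt handler is already absent; nothing to do.'
        return $true
    }

    # Step 2 of the procedure: export the key before touching it (/y overwrites an old backup).
    reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $Backup /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $Backup)) {
        throw "Backup to $Backup failed; aborting without changes."
    }

    # Step 3: remove the protocol handler registration.
    reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw 'reg delete failed; the handler may still be registered.'
    }

    # Verify: the key must be gone for the workaround to be effective.
    $stillPresent = Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
    if ($stillPresent) { Write-Warning 'ms-msdt key still present after delete.' }
    return (-not $stillPresent)
}

function Restore-MsdtProtocol {
    param([string]$Backup = $BackupFile)

    if (-not (Test-Path $Backup)) { throw "No backup found at $Backup." }
    reg.exe import $Backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg import failed.' }
    # True when the handler registration is back.
    return (Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt')
}

# Apply the workaround and report the result; call Restore-MsdtProtocol to undo it.
if (Disable-MsdtProtocol) {
    Write-Host "ms-msdt handler removed; backup saved to $BackupFile"
}
```

The functions return a Boolean so the script can be driven from a deployment tool that records success per machine. Keeping the exported .reg file alongside the change matters: once Microsoft ships a fix, Restore-MsdtProtocol puts the diagnostic tool’s URL handler back rather than leaving the workaround in place indefinitely.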