A newly numbered Windows zero-day vulnerability (CVE-2022-30190) is being exploited in the wild via specially crafted Office documents (without macros), security researchers are warning.
After initially dismissing the vulnerability as “not a security related issue”, Microsoft has now issued a CVE and has offered a temporary workaround until fixes can be provided.
Booby-trapped Office files delivered via email are one of the most common tactics attackers use to compromise endpoints, and attackers are constantly finding new ways to hide the documents’ malicious nature from existing security defenses and solutions, as well as from the users they target.
Attackers have been exploiting Office macros to deliver exploits and malware for ages, but since Microsoft has (finally!) made it so that the default behavior of Office applications is to block macros in files from the internet, attackers are testing new approaches.
In the wild, attackers have been exploiting CVE-2022-30190 (in the meantime dubbed “Follina”) against targets in Russia and Belarus since April:
Updated the writeup.
Follina was exploited in the wild dating back over a month, themed as "invitation for an interview" at Sputnik Radio, targeting Russia. https://t.co/9Z3asf6SqZ
— Kevin Beaumont (@GossiTheDog) May 30, 2022
Interesting maldoc was submitted from Belarus. It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code. https://t.co/hTdAfHOUx3
— nao_sec (@nao_sec) May 27, 2022
“A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights,” Microsoft noted in the security advisory released on Monday.
The attack itself is carried out locally, the company explained, but the attacker can be remote.
“Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or remotely (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., tricking a legitimate user into opening a malicious document).”
Security researcher Kevin Beaumont found by analyzing the latest malicious document leveraged by attackers that “the document uses the Word remote template feature to retrieve a HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell.”
Microsoft says that Microsoft Office opens documents from the internet in Protected View or Application Guard for Office, and that both prevent the current attack.
Both Beaumont and Huntress researchers have noted that, while Protected View will kick in in this particular case, converting the document to an .rtf file could trigger the exploit through the Preview Pane in Windows Explorer alone, without triggering Protected View.
“Much like CVE-2021-40444, this extends the severity of this threat by not just ‘single-click’ to exploit, but potentially with a ‘zero-click’ trigger,” Huntress researcher John Hammond noted.
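The chain the researchers describe (Word, or Explorer's Preview Pane for .rtf, reaching the ms-msdt: URI scheme and so launching msdt.exe) leaves a process-creation trail defenders can hunt for. The following PowerShell is an added example written for this article, not code from Microsoft, Huntress or the researchers quoted; the function names, the sample records and the diagnostic-package placeholder in them are constructed, and the live-hunt helper assumes Sysmon is installed and logging Event ID 1.

```powershell
# Added example (not from the article or from any of the researchers it quotes).
# Flags process-creation records where an Office application or explorer.exe
# (the Preview Pane case) spawns msdt.exe, the tool reached through the
# ms-msdt: URI scheme. Function names and the sample records are constructed.

function Find-MsdtFromOffice {
    param(
        # Each record needs Image, ParentImage and CommandLine, the fields a
        # Sysmon Event ID 1 (process creation) entry carries.
        [Parameter(Mandatory)][object[]] $Records
    )
    $suspiciousParents = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'explorer.exe'
    foreach ($r in $Records) {
        $child  = [System.IO.Path]::GetFileName($r.Image).ToLowerInvariant()
        $parent = [System.IO.Path]::GetFileName($r.ParentImage).ToLowerInvariant()
        if ($child -eq 'msdt.exe' -and $suspiciousParents -contains $parent) {
            [pscustomobject]@{
                Parent      = $parent
                Child       = $child
                MsdtUri     = [bool]($r.CommandLine -match 'ms-msdt:')
                CommandLine = $r.CommandLine
            }
        }
    }
}

# Converts live Sysmon Event ID 1 entries into the record shape Find-MsdtFromOffice expects.
function Get-SysmonProcessRecords {
    param([int] $MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } `
                 -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $field = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Image       = $field['Image']
                ParentImage = $field['ParentImage']
                CommandLine = $field['CommandLine']
            }
        }
}

# Constructed sample records (not real telemetry): a msdt launch from the
# Settings app, one from Word carrying an ms-msdt: URI, and an unrelated process.
$sample = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\msdt.exe'
                       ParentImage = 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
                       CommandLine = 'msdt.exe -id PLACEHOLDER_BENIGN_PACKAGE' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\msdt.exe'
                       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       CommandLine = 'C:\WINDOWS\system32\msdt.exe ms-msdt:/id PLACEHOLDER_DIAGNOSTIC_PACKAGE' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\notepad.exe'
                       ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'notepad.exe' }
)

Find-MsdtFromOffice -Records $sample | Format-Table -AutoSize

# Live hunt (needs Sysmon and an elevated shell):
# Find-MsdtFromOffice -Records (Get-SysmonProcessRecords) | Format-Table -AutoSize
```

On the constructed sample only the Word-parented record is returned. The parent list deliberately includes explorer.exe because of the Preview Pane path the researchers describe; msdt.exe launched from the Settings app or Control Panel is normal and is left out, so the filter is on the parent rather than on msdt.exe itself.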
After successful exploitation, attackers have only the system privileges given to the user (account) that interacted with the malicious file, but they can use other exploits to gain higher privileges.
Several security researchers have been trying out PoC exploits and found that Office 2013, 2016 and 2021 are vulnerable. Whether other versions are also affected has yet to be confirmed.
Microsoft advises disabling the Microsoft Support Diagnostic Tool (MSDT) URL Protocol.
Customers using Microsoft Defender Antivirus “should turn-on cloud-delivered protection and automatic sample submission” and those using Microsoft Defender for Endpoint can enable the attack surface reduction rule that blocks Office apps from creating child processes, the company added.
“Another option is to remove the file type association for ms-msdt (can be done in Windows Registry HKCR:\ms-msdt or with Kelvin Tegelaar’s PowerShell snippet),” Hammond also pointed out, but added that changing settings in the Windows Registry “is serious business because an incorrect Registry entry could brick your machine.”
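The three mitigations above (disable the ms-msdt URL protocol handler, enable the Defender for Endpoint attack surface reduction rule for Office child processes, and turn on cloud-delivered protection with sample submission) can be applied and verified from one elevated PowerShell session. The script below is an added example written for this article, not Microsoft's workaround text or Kelvin Tegelaar's snippet; it follows the same backup-then-delete approach for HKCR\ms-msdt, and the function names and backup path are this example's own choices.

```powershell
# Added example (not from the article, Microsoft, or the researchers it quotes).
# Applies the interim mitigations the article lists, from an elevated PowerShell:
#  1. back up and remove the ms-msdt URL protocol handler (HKCR\ms-msdt),
#  2. enable the Defender ASR rule that blocks Office apps from creating child processes,
#  3. turn on cloud-delivered protection and automatic sample submission.
# Function names and the backup path are this example's own choices.

$MsdtKey = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

function Backup-MsdtProtocolKey {
    param([string] $BackupPath = "$env:ProgramData\ms-msdt-backup.reg")
    # reg.exe export keeps a restorable copy; 'reg.exe import <file>' reverses the removal.
    reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Backup failed; not removing the key.' }
    return $BackupPath
}

function Disable-MsdtProtocol {
    if (-not (Test-Path $MsdtKey)) { return 'ms-msdt handler already absent' }
    $backup = Backup-MsdtProtocolKey          # never delete without a backup
    Remove-Item -Path $MsdtKey -Recurse -Force
    return "ms-msdt handler removed; backup at $backup"
}

function Test-MsdtProtocolDisabled {
    # $true once no ms-msdt: handler is registered any more.
    return -not (Test-Path $MsdtKey)
}

function Enable-OfficeChildProcessBlock {
    # ASR rule "Block all Office applications from creating child processes".
    $ruleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId -AttackSurfaceReductionRules_Actions Enabled
    $prefs = Get-MpPreference
    for ($i = 0; $i -lt $prefs.AttackSurfaceReductionRules_Ids.Count; $i++) {
        if ($prefs.AttackSurfaceReductionRules_Ids[$i] -ieq $ruleId) {
            return ($prefs.AttackSurfaceReductionRules_Actions[$i] -eq 1)   # 1 = Block
        }
    }
    return $false
}

function Enable-DefenderCloudProtection {
    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendAllSamples
    $p = Get-MpPreference
    # MAPSReporting 2 = Advanced; SubmitSamplesConsent 3 = SendAllSamples
    return ($p.MAPSReporting -eq 2 -and $p.SubmitSamplesConsent -eq 3)
}

$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run from an elevated PowerShell session.' }

Disable-MsdtProtocol
"ms-msdt handler disabled: $(Test-MsdtProtocolDisabled)"
"ASR Office child-process rule blocking: $(Enable-OfficeChildProcessBlock)"
"Cloud protection and sample submission on: $(Enable-DefenderCloudProtection)"
```

The registry step is the one Hammond warns about, which is why the script refuses to delete the key unless the export succeeded; restoring is a matter of `reg.exe import` on the saved file once a patch has been applied. If the ASR rule is new to the fleet, switching `Enabled` to `AuditMode` for a day first shows which legitimate Office workflows would be blocked.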
Finally, organizations should (for the millionth time) warn employees not to open unsolicited attachments and, in this case, to not even hover over a downloaded file, but we all know that counting on every user to do this is unrealistic.
Luckily, there is currently no indication that attacks exploiting CVE-2022-30190 are widespread.
Anyhow, don't panic. The previous people using this vuln appear to have disappeared, and I haven't seen any other usage outside of security researchers today.
Ransomware groups use 6 month old Office doc builders and Emotet are probably stoned again.
— Kevin Beaumont (@GossiTheDog) May 31, 2022
UPDATE (June 1, 2022, 04:20 a.m. ET):
“The vulnerability has been proved in Office 2013, 2016, 2019, 2021, Office ProPlus and Office 365. It also applies to Windows itself, e.g. it can be called from .lnk files — effectively there are two different issues in my opinion, Office itself using MS Protocol and allowing loading unfiltered from HTML Word templates and Outlook links, and MSDT allowing code execution,” says Kevin Beaumont.
Several documents exploiting the vulnerability have been uploaded to VirusTotal and have been detected by various security outfits, some back in April:
TA413 CN APT spotted ITW exploiting the #Follina #0Day using URLs to deliver Zip Archives which contain Word Documents that use the technique. Campaigns impersonate the "Women Empowerments Desk" of the Central Tibetan Administration and use the domain tibet-gov.web[.]app
— Threat Insight (@threatinsight) May 31, 2022
Our threat intel analyst @h2jazi had spotted a sample using the msdt.exe RCE back in April.
At the time, the remote template was already down and therefore full identification was not possible. https://t.co/03UU2ClMhv
— Malwarebytes Threat Intelligence (@MBThreatIntel) May 30, 2022