As hacker groups continue to work to hammer out a previous Windows zero-day that makes it unusually easy to run malicious code on targeted computers, Microsoft has kept a low profile, refusing to even say if it has any plans for a patch.
Late last week, Proofpoint security company said that hackers with ties to known nation-state groups were exploiting a remote code execution vulnerability called Follina. According to Proofpoint, the attacks were delivered in malicious spam messages sent to fewer than 10 Proofpoint customers in European and local US governments.
Microsoft products are a “targeted opportunity”
In an email Monday, the security company added more color, writing:
- Proofpoint Threat Research has been actively monitoring the use of the Follina vulnerability and we uncovered another interesting case on Friday. An email with an RTF file attachment used Follina to finally run a PowerShell script. This script checks for virtualization, steals information from local browsers, email clients and file services, performs a machine check and then compresses it for Exfil via BitsAdmin. Although Proofpoint suspects that this campaign originated with a state-aligned actor based on both Powershell’s extensive reconnaissance and narrow concentration of targeting, we currently do not attribute it to a numbered TA.
- Proofpoint has observed exploitation of this vulnerability through Microsoft applications. We continue to understand the scope of this vulnerability, but at this point it is clear that there are many ways to use it in the suite of Microsoft Office products and additionally in Windows applications.
- Microsoft has released “workarounds” but not a full patch. Microsoft products continue to be a well-targeted opportunity for threat actors, and that’s not about to change in the short term. We continue to release detection and protection capabilities in Proofpoint products as we learn more to help our customers secure their environments.
The security company Kaspersky has also followed you Increase in Follina exploitswith most hitting the US, followed by Brazil, Mexico and Russia.
“We anticipate further attempts to exploit Follina to gain access to corporate resources, including for ransomware attacks and data breaches,” the Kaspersky researchers wrote.
CERT Ukraine also said It tracked exploits on targets in this country that email a file titled “Wage Changes with Accruals.docx” to exploit Follina.
The Secret to Follina’s Popularity: “Low Interaction RCE”
One reason for the high interest is that Follina does not require the same level of victim interaction as typical malicious document attacks. Typically, these attacks require the target to open the document and allow macros to be used. In contrast, Follina does not require the target to open the document and there is no macro to allow. Simple action of the document appearing in the preview window even with Protect View enabled is enough to execute malicious scripts.
“It’s more serious because it doesn’t matter if macros are disabled and it can be easily accessed through Preview,” wrote Jake Williams, director of cyber threat intelligence at security firm Scythe, in a text chat. “It’s not a zero-click like ‘Just submit causes the exploit’, but the user doesn’t have to open the document.”
Researchers who developed an exploit module for the Metasploit hacking framework referred to this behavior as a Remote code execution with little interaction. “I was able to test this in both .docx and rtf format,” wrote one of them. “I was able to get the RTF file to run just by previewing the document in Explorer.”
A botched answer
The enthusiasm that threat actors and defenders have shown for Follina stands in stark contrast to Microsoft’s reluctance. Microsoft was slow to respond to the vulnerability from the start. A academic paper The document, released in 2020, showed how to use the Microsoft Support Diagnostic Tool (MSDT) to force a computer to download and run a malicious script.
Then in April researchers from the Shadow Chaser Group said on Twitter that they had reported to Microsoft that an ongoing malicious spam run was doing just that. Although the researchers included the file used in the campaign, Microsoft dismissed the report of the flawed logic that the MSDT required a password to run payloads.
Finally, last Tuesday, Microsoft declared the behavior a vulnerability with tracker CVE-2022-30190 and a severity rating of 7.8 out of 10. The company has not released a patch, instead issuing instructions to disable MSDT.
Microsoft has said very little since then. The company declined to comment on its plans on Monday.
“For the most part, smaller security teams take Microsoft’s nonchalant approach as a sign that this is ‘just another vulnerability’ – which it most certainly isn’t,” Williams said. “It’s not clear why Microsoft continues to downplay this vulnerability, which is actively being exploited, in the wild. It certainly doesn’t help the security teams.”
Without Microsoft to provide proactive alerts, organizations can only rely on themselves for guidance on the risks and how to expose themselves to this vulnerability. And given the low bar for successful exploits, now would be a good time.
This article was previously published on Source link