https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
Published in

DoublePulsar

Kevin Beaumont
May 29

FOLLINA — A MICROSOFT OFFICE CODE EXECUTION VULNERABILITY

Two days ago, on May 27th 2022, Nao_sec identified an odd-looking Word document
in the wild, uploaded from an IP address in Belarus. This turned out to be a
zero day vulnerability in Office and/or Windows.



This caught my attention, as Defender for Endpoint missed execution:



The document uses the Word remote template feature to retrieve an HTML file from
a remote webserver, which in turn uses the ms-msdt MSProtocol URI scheme to load
some code and execute some PowerShell.

That should not be possible.

That code does this, when decoded:



There’s a lot going on here, but the first problem is that Microsoft Word
executes the code via msdt (a support tool) even if macros are disabled.
Protected View does kick in, although if you change the document to RTF form, it
runs without even opening the document (via the preview tab in Explorer), let
alone Protected View.

Most importantly, we need to name this and give it a crap logo:


The official Follina vulnerability logo, carefully made in Microsoft Paint

I’m calling it Follina because the spotted sample references 0438, which is the
area code of Follina in Italy.


IN ENGLISH, SO WHAT

It’s a zero day allowing code execution in Office products. Historically, when
there are easy ways to execute code directly from Office, people use them to do
bad things. This breaks the boundary of having macros disabled. Vendor detection
is poor.


ADDITIONAL IN THE WILD SAMPLES

Over a month ago (back in April 2022), a file themed “invitation for an
interview” with Sputnik Radio, targeting a user in Russia, was uploaded to
VirusTotal.



This document directly exploits the Follina vulnerability. It was reported to
Microsoft, who decided it wasn’t a security issue (see timeline below).

Here is Follina being exploited, to an unknown payload:



Also in April, there is another Russia themed document exploiting Follina:



Hash fe300467c2714f4962d814a34f8ee631a51e8255b9c07106d44c6a1f1eda7a45

And another even earlier Follina themed document, this one attempting to lure a
victim using sexual misconduct allegations:



Hash d61d70a4d4c417560652542e54486beb37edce014e34a94b8fd0020796ff1ef7

Since this writeup post went live, Proofpoint report Chinese threat actor TA413
is also exploiting this vulnerability:




SCOPE

I’ve tested this on various rigs and it works more often than not. For example,
here is Windows 10, not local admin, with macros fully disabled, with Defender,
with Office 365 Semi-Annual Channel, casually popping calc on open of a Word
document:



However, with the Insider and Current versions of Office I can’t get this to
work — which suggests Microsoft have either tried to harden something, or tried
to fix this vulnerability without documenting it. This appears to have happened
around May 2022. Another entirely possible option is I’m too much of an idiot to
exploit it on those versions, and I’ve just messed something up.

Update: the vulnerability appears exploitable using .RTF files on all versions
of Office 365, including current channel.

The vulnerability has been proven in Office 2013, 2016, 2019, 2021, Office
ProPlus and Office 365. It also applies to Windows itself, e.g. it can be called
from .lnk files — effectively there are two different issues in my opinion:
Office itself using MS Protocol and allowing unfiltered loading from HTML Word
templates and Outlook links, and MSDT allowing code execution.

Rich still sees it working in Office Pro Plus from April, with a little video:



Didier Stevens demonstrates the exploit working on a patched version of
Microsoft Office 2021:



Office 2019 with latest patches is also vulnerable:




DETECTION


DEFENDER FOR ENDPOINT

I’ve written a Defender for Endpoint query, which you can use if you’re rich and
have E5. You can save this under “Custom detection rules” if you want Defender
to alert you. Currently it fully misses detection at this stage.


threathunting/follina-office.ahq at master · GossiTheDog/threathunting (github.com)



> DeviceProcessEvents
> | where ProcessCommandLine contains "msdt.exe"
> | where InitiatingProcessFileName has_any (@"WINWORD.EXE", @"EXCEL.EXE", @"OUTLOOK.EXE")
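For readers without E5, the same logic can be checked offline against any process-creation telemetry that records the parent image and command line. The Python below is an added example, not code from the post or from the threathunting repo: it evaluates constructed event records carrying the two DeviceProcessEvents columns the KQL uses, flags the page's pattern (msdt.exe spawned by Word, Excel or Outlook), and adds a second, broader indicator for an ms-msdt: URI on any command line, since the post notes the .RTF preview-pane path runs without Word's Protected View. The device names, paths and arguments are placeholders, and the explorer.exe parent in the preview-pane sample is an assumption, not something the post states.

```python
"""Offline check for the process pattern behind the KQL query above
(added example, not the post's own code). Events are constructed dicts
carrying the two DeviceProcessEvents columns the query uses, plus a device
name; nothing here is a real telemetry feed."""

from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# Office parents named in the query on the page.
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE"}


@dataclass
class Alert:
    device: str
    parent: str
    command_line: str
    reasons: List[str] = field(default_factory=list)


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return every indicator one process-creation event matches (empty = clean)."""
    parent = event.get("InitiatingProcessFileName", "").upper()
    cmd_lower = event.get("ProcessCommandLine", "").lower()
    reasons: List[str] = []

    # Indicator 1 is the page's query: msdt launched by Word, Excel or Outlook.
    if "msdt.exe" in cmd_lower and parent in OFFICE_PARENTS:
        reasons.append("msdt.exe spawned by an Office process")

    # Indicator 2 broadens it: an ms-msdt: URI on any command line, whatever the
    # parent, to cover the .RTF preview-pane path the post describes. The parent
    # image used for that case in the sample data below is an assumption.
    if "ms-msdt:" in cmd_lower:
        reasons.append("ms-msdt: URI passed on the command line")

    return reasons


def hunt(events: Iterable[Dict[str, str]]) -> List[Alert]:
    """Run evaluate() over a stream of events and keep only the hits."""
    alerts: List[Alert] = []
    for ev in events:
        reasons = evaluate(ev)
        if reasons:
            alerts.append(Alert(ev.get("DeviceName", "?"),
                                ev.get("InitiatingProcessFileName", "?"),
                                ev.get("ProcessCommandLine", ""), reasons))
    return alerts


# Constructed sample telemetry. Paths and arguments are placeholders, not a
# reproduction of any real sample.
SAMPLE_EVENTS = [
    # Word opening the document spawns msdt with an ms-msdt: URI: both indicators.
    {"DeviceName": "ws-01", "InitiatingProcessFileName": "WINWORD.EXE",
     "ProcessCommandLine": r'"C:\Windows\System32\msdt.exe" ms-msdt:/CONSTRUCTED_ARGS'},
    # Preview-pane variant: no Office parent, URI still present (parent assumed).
    {"DeviceName": "ws-02", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": r'"C:\Windows\System32\msdt.exe" ms-msdt:/CONSTRUCTED_ARGS'},
    # A user opening a troubleshooter from Control Panel: msdt, but no Office
    # parent and no ms-msdt: URI, so it stays quiet.
    {"DeviceName": "ws-03", "InitiatingProcessFileName": "control.exe",
     "ProcessCommandLine": r'"C:\Windows\System32\msdt.exe"'},
    # Word spawning its print helper: Office parent, but not msdt.
    {"DeviceName": "ws-04", "InitiatingProcessFileName": "WINWORD.EXE",
     "ProcessCommandLine": r'"C:\Windows\splwow64.exe" 12288'},
]


if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"{a.device}: {a.parent} -> {a.command_line}")
        print("    " + "; ".join(a.reasons))
```

Run against the constructed events, only ws-01 and ws-02 alert; ws-01 trips both indicators, ws-02 only the URI one, which is the case the Office-parent query alone would miss.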


TRELLIX




SIGMA AND AURORA LITE




NON-MALICIOUS PROOF OF CONCEPTS

Antivirus providers will probably start blocking these as malicious (they
aren’t) but here’s a public PoC .docx.

https://app.box.com/s/9oz1r90tzs7bstl0xy3zzfc8m92cqhcu

Here’s a GitHub repo to make a PoC:



Note that there’s different ways to trigger this, and I’ve seen some researchers
with PoCs that don’t work as they don’t load the remote template at all.


TEMPORARY MITIGATIONS

Will has a suggestion — remove the ms-msdt URI scheme registry key (requires
local administrator rights). You can do this via Group Policy Preferences, also.



Update: Microsoft have issued a mitigation on May 30th 2022 which is essentially
the same:

> Run Command Prompt as Administrator.
> 
> To back up the registry key, execute the command "reg export
> HKEY_CLASSES_ROOT\ms-msdt filename"
> 
> Execute the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f".

A Group Policy mitigation for the MSDT element, which is really good and easy to
deploy:



Put simply:

Group Policy Editor -> Computer Configuration -> Administrative Templates ->
System -> Troubleshooting and Diagnostics -> Scripted Diagnostics. Set
“Troubleshooting: Allow users to access and run Troubleshooting Wizards” to
“Disabled”.


HOW MIGHT THIS EVOLVE?

We’ll see. Microsoft are going to need to patch it across all the different
product offerings, and security vendors will need robust detection and blocking.
Microsoft will probably point towards Protected View, however Protected View
also applies by default to all macros, and Office macro malware is most
definitely a major problem regardless.

Update: Microsoft have indeed pointed to Protected View, saying it “prevent” the
attack. I think this is stretching the truth — for example, if the document is a
.RTF file and is opened in the Preview pane in Explorer, Protected View doesn’t
apply and it becomes a zero click exploit. Microsoft know this, they just aren’t
mentioning it to customers.



Additionally, you can use MS Protocol URI schemes in Outlook emails.

Detection is probably not going to be great, as Word loads the malicious code
from a remote template (webserver), so nothing in the Word document is actually
malicious.


OTHER ISSUES

As a side note, the attack surface of MS Protocol in Office is extremely large —
here’s a prior blog on it:


Abusing the MS Office protocol scheme (blog.syss.com): “During a research
project, SySS IT security consultant Matthias Zöllner found out that in a
standard installation of…”

As an example, you can send an email with this text as a hyperlink:

ms-excel:ofv|u|https://blah.com/poc.xls

And Outlook will gladly let the user click the hyperlink and open the Excel
document. You can even change the text to be something friendly, like “Invoice”.
Because the document isn’t attached to the email, and the URI doesn’t start with
http or https, most email gateways are going to let that sucker straight through
as nothing appears malicious.
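The gateway blind spot described above can be closed with a small pre-filter that inspects every hyperlink's scheme rather than only http/https ones. The Python below is an added example, not the post's or SySS's code: it pulls the hrefs and their visible text out of an HTML body, decodes the Office URI shape `scheme:command|descriptor|argument` (the ms-excel:ofv|u|… form quoted above), and reports the inner URL the handler would fetch together with the friendly link text. The scheme list comes from Microsoft's Office URI Schemes documentation plus ms-msdt from this page and should be treated as an assumption to tune; the sample message is constructed here.

```python
"""Surface hyperlinks that use Office or Windows protocol handlers in an email
body (added example, not the post's own code). The sample body is constructed
to match the ms-excel example quoted on the page."""

import re
from html.parser import HTMLParser
from typing import Dict, List, Optional

# Schemes from Microsoft's Office URI Schemes documentation, plus the ms-msdt
# handler discussed on this page. Assumption: extend or trim for your estate.
OFFICE_SCHEMES = {"ms-word", "ms-excel", "ms-powerpoint", "ms-visio",
                  "ms-access", "ms-project", "ms-publisher", "ms-infopath",
                  "ms-spd"}
OTHER_WATCHED = {"ms-msdt"}
OFFICE_COMMANDS = {"ofv": "open for view", "ofe": "open for edit",
                   "nft": "new from template"}

# RFC 3986 scheme characters, then the rest of the URI.
SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*):(.*)$", re.DOTALL)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Dict[str, str]] = []
        self._current: Optional[Dict[str, str]] = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href") or ""
            self._current = {"href": href.strip(), "text": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self._current["text"] = self._current["text"].strip()
            self.links.append(self._current)
            self._current = None


def parse_office_uri(href: str) -> Optional[Dict[str, str]]:
    """Decode scheme:command|descriptor|argument; None if the scheme is not watched."""
    m = SCHEME_RE.match(href)
    if not m:
        return None
    scheme, rest = m.group(1).lower(), m.group(2)
    if scheme not in OFFICE_SCHEMES and scheme not in OTHER_WATCHED:
        return None
    parts = rest.split("|", 2)
    info = {"scheme": scheme, "command": parts[0], "target": ""}
    if len(parts) == 3:           # command|u|<url> form: the handler fetches <url>
        info["target"] = parts[2]
    info["command_meaning"] = OFFICE_COMMANDS.get(info["command"], "unknown")
    return info


def scan_html_body(body: str) -> List[Dict[str, str]]:
    """Return one finding per hyperlink that routes through a watched handler."""
    collector = _LinkCollector()
    collector.feed(body)
    findings = []
    for link in collector.links:
        info = parse_office_uri(link["href"])
        if info:
            info["text"] = link["text"]
            # A gateway that only inspects http/https hrefs never sees the inner URL.
            info["inner_url_hidden"] = not link["href"].lower().startswith(
                ("http://", "https://"))
            findings.append(info)
    return findings


# Constructed sample: one ordinary link and one Office protocol link labelled
# "Invoice", as the post describes.
SAMPLE_BODY = """<html><body>
<p>Please see the invoice below.</p>
<a href="https://intranet.example/invoice/2022-05">Invoice (portal)</a><br>
<a href="ms-excel:ofv|u|https://blah.com/poc.xls">Invoice</a>
</body></html>"""


if __name__ == "__main__":
    for f in scan_html_body(SAMPLE_BODY):
        print(f'"{f["text"]}" -> {f["scheme"]} {f["command"]} '
              f'({f["command_meaning"]}) fetches {f["target"]}')
```

On the constructed body only the second link is reported: scheme ms-excel, command ofv (open for view), inner URL https://blah.com/poc.xls, shown to the user as “Invoice”. Rewriting or quarantining on that finding is a gateway policy decision; the point here is that the inner URL is recoverable for inspection.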

…and, when you look at the default Windows URI schemes that Office is allowing,
there’s a lot of, er, interesting things.

Microsoft probably want to tighten up webpages embedded as remote templates in
Office from loading so many URIs, and also Outlook probably needs another
hardening pass. All just my opinions, as always.

Obviously, they also need to tidy up MSDT itself — but it’s not the only OS
application shipping like that.


IS IT A ZERO DAY?

100%. It has been used in in-the-wild attacks for well over a month, targeting
known orgs in two countries (Russia and India), without a patch.

Microsoft aren’t calling it a zero day in the MSRC post, and they haven’t put it
as a zero day in Microsoft Defender Vulnerability Management. Keep in mind they
own MSDT, Office and Defender.




Update: Microsoft are now classifying it as a zero day within Microsoft Defender
Vulnerability Management.


TIMELINE

August 1st 2020 — A bachelor thesis is published detailing how to use MSDT to
execute code:



It contains a bunch of other ways to execute code via MS Protocol in Word, using
templates, which still work now.

March 10th 2021 — researchers report to Microsoft how to use Microsoft Office
URIs to execute code using Microsoft Teams as an example. Microsoft fail to
issue a CVE or inform customers, but stealth patched it in Microsoft Teams in
August 2021. They did not patch MSDT in Windows or the vector in Microsoft
Office. (Link)

March 2022 — another blog is published highlighting using MSDT to execute code.
(Link)

April 12th 2022 — first report to Microsoft MSRC of exploitation in the wild via
MSDT, by the leader of Shadowchasing1, an APT hunting group. This document is an
in the wild, real world exploit targeting Russia, themed as a Russian job
interview.




April 21st 2022 — Microsoft MSRC closed the ticket saying not a security related
issue (for the record, msdt executing with macros disabled is an issue):



May ?? 2022 — Microsoft may have tried to fix this or accidentally fixed it in
Office 365 Insider channel, without documenting a CVE or writing it down
anywhere. The other Office products remain vulnerable.

May 27th 2022 — Security vendor Nao_sec tweet a document uploaded from Belarus,
which is also an in the wild attack.

May 27th 2022 — reported back to MSRC.

May 29th 2022 — I identified this was a zero day publicly as it still works
against Office 365 Semi Annual channel, and ‘on prem’ Office versions and EDR
products are failing to detect.

May 30th 2022 — We’re trying to crowdsource how to protect against this
vulnerability/vulnerabilities.

May 30th 2022 evening — Microsoft allocate CVE-2022-30190 (no patch yet) and
publish a blog. Defender antivirus and EDR signatures go live.

May 31st 2022 — Microsoft classify this a zero day in Microsoft Defender
Vulnerability Management:



May 31st 2022 — CISA advisory released:



June 2nd 2022 — minor edit to this post.

June 7th 2022 — There is no patch. Microsoft have updated their MSRC post and
added an FAQ entry, which talks about how a Group Policy mitigation doesn’t
work. They are not talking about the Group Policy mitigation in this blog, which
works fine. It is unclear how the one in the MSRC blog is a Frequently Asked
Question, considering it isn’t listed online anywhere I can find — it is also
unclear why the Group Policy change in this blog isn’t mentioned, since it is
the easiest to implement mitigation.

June 7th 2022 — Qakbot are now exploiting Follina in Word documents, via today’s
email runs. I would strongly recommend organisations implement mitigations as
soon as possible.


https://twitter.com/1ZRR4H/status/1534259727059787783/photo/2



FURTHER READING

https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug

Stay safe,

~g



