www.fortinet.com Open in urlscan Pro
3.123.216.247  Public Scan

URL: https://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day
Submission: On June 08 via api from DE — Scanned from DE

Form analysis 1 forms found in the DOM

GET /blog/search

<form class="b3-searchbox__form" action="/blog/search" method="get">
  <input class="b3-searchbox__input" type="text" name="q" placeholder="Search Blogs">
  <button class="b3-searchbox__icon" aria-label="Search" type="submit">
    <svg viewBox="0 0 16 16" xmlns="http://www.w3.org/2000/svg">
      <path
        d="M15.688 14.18l-4.075-4.075C12.36 9.06 12.8 7.78 12.8 6.4 12.8 2.87 9.93 0 6.4 0 2.87 0 0 2.87 0 6.4c0 3.53 2.87 6.4 6.4 6.4 1.38 0 2.66-.44 3.705-1.187l4.075 4.075c.207.208.48.312.753.312.274 0 .547-.104.755-.312.416-.417.416-1.093 0-1.51zM2.133 6.4c0-2.357 1.91-4.267 4.267-4.267s4.267 1.91 4.267 4.267-1.91 4.267-4.267 4.267S2.133 8.757 2.133 6.4z"
        fill="#fff">
      </path>
    </svg>
  </button>
</form>

Text Content

Blog
 * Categories
   * Business & Technology
   * Threat Research
   * Industry Trends
   * Partners
   * Customer Stories
   * PSIRT Blogs
 * Business & Technology
 * Threat Research
 * Industry Trends
 * Partners
 * Customer Stories
 * PSIRT Blogs
 * CISO Collective
 * Subscribe





Threat Research


CVE-2022-30190: MICROSOFT SUPPORT DIAGNOSTIC TOOL (MSDT) RCE VULNERABILITY
“FOLLINA”

By Shunichi Imano, James Slaughter, Fred Gutierrez, and team | June 01, 2022

At the end of last week, @nao_sec, an independent cyber security research team,
tweeted about a malicious Microsoft Word document submitted from Belarus that
leverages remote templates to execute a PowerShell payload using the "ms-msdt"
MSProtocol URI scheme. Additional developments over the weekend identified the
issue as a new unpatched vulnerability in Windows. A successful attack results
in a remote, unauthenticated attacker taking control of an affected system. A
publicly available Proof-of-Concept soon followed.

This issue is referred to as “Follina’ and has a CVE assignment of
CVE-2022-30190.

The name of the vulnerability is credited to security researcher Kevin Beaumont.
"Follina" was derived from his analysis of the 0-day that contained code
referencing "0438", which is the area code of Follina, Italy. Most of the time,
it’s a bad sign when a vulnerability is crowned with a unique name (having a
mind-shaking logo is usually the last dagger – such as Heartbleed, Shellshock,
and EternalBlue, but thankfully, this issue is not in the same league as those.

As FortiGuard Labs is on high watch for updates and developments for
CVE-2022-30190, this blog intends to raise awareness of this critical
vulnerability and to urge administrators and various organizations to take quick
corrective action until Microsoft releases a patch.


Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Full Control of Affected Machine
Severity level: Critical



IMPACT ASSESSMENT

The first question you probably would ask is how bad this vulnerability is.
CVE-2022-30190 is rated as CVSS 7.8 (Critical), and there are a number of
reasons for it.

This vulnerability is in the Microsoft Support Diagnostic Tool (MSDT), a tool
from Microsoft that collects and sends system information back to Microsoft
Support for problem diagnostics, such as issues with device drivers, hardware,
etc. This tool is in all versions of Windows, including Windows Server OS.
Because of the lack of an available patch from Microsoft (as of June 1st, 2022),
machines that are not protected by endpoint software or a mitigation strategy
are vulnerable to Follina.

As proof-of-concept code is publicly available, this code can be freely used by
security researchers, administrators, and threat actors alike. As such, attacks
that leverage CVE-2022-30190 are expected to increase over the next few days and
weeks.

Protected View, a feature in Microsoft Office that opens Office documents in
read-only mode with macros and other content disabled, can prevent this attack.
However, reports from researchers have revealed that if a document is converted
to Rich Text Format (RTF) format, simply previewing the document in Windows
Explorer can trigger the exploit, bypassing Protected View. At the time of
writing, Microsoft’s latest advisory has not confirmed this nor whether this is
another exploitation vector.

On a side note, despite using “remote” in the vulnerability name, the attack
happens locally, and user interaction is required for the attack to work.
Microsoft’s advisory calls out this point: “The word Remote in the title refers
to the location of the attacker. This type of exploit is sometimes referred to
as Arbitrary Code Execution (ACE). The attack itself is carried out locally.”

Additionally, the vulnerability has already experienced in-the-wild attacks. As
shown in the timeline at the end of this blog (see Timeline), a series of
initial attacks were reportedly observed in March 2022, targeting the
Philippines, Nepal, and India. Additional files were submitted to VirusTotal
from Russia and Belarus. Those attacks were most likely targeted attacks as the
domains involved reveal little activity in our telemetry.

Due to the severity of the vulnerability, the United States Cybersecurity &
Infrastructure Security Agency (CISA) issued an advisory on May 31st, urging
users and administrators to apply necessary workarounds as soon as possible.


EXPLOIT

The vulnerability that exists within msdt.exe is the Microsoft Support
Diagnostic Tool. Normally, this tool is used to diagnose faults with the
operating system and then report and provide system details back to Microsoft
Support.

Figure 1. The Microsoft Support Diagnostic Tool as is meant to be seen.

The vulnerability allows a malicious actor to effectively execute arbitrary code
with the same privileges as the application calling it. As has been the case
with the original reporting of this from @nao_sec and subsequent experimentation
in the wider security community, the calling application is quite often a tool
in Microsoft Office (Word, Excel, Outlook, etc.).

The original document and subsequent HTML file can be found here and here.


Figure 2. Original OLE object showing the download location of the subsequent
HTML file.

As shown in Figure 2, the document found by @nao_sec used an embedded OLE Object
inside a Word document that was modified to call an external website to download
an HTML document. This document then invoked msdt.exe, followed by several
PowerShell commands.

Figure 3. HTML file invoking MSDT.

Figure 3 shows the original HTML payload, which required several lines with the
letter 'A' (61) to be commented out of the script in order to execute. MSDT was
then invoked using character and Base64 encoding to obfuscate the actual
command.

Figure 4. Decoded command.

Many further examples have been uploaded to VirusTotal that invoke Calc and
other benign Windows tools as a method to test the vulnerability without causing
damage.


ACTIVE EXPLOITATION

The TA413 APT group, a hacking outfit linked to Chinese state interests, has
adopted this vulnerability in attacks against the international Tibetan
community. As observed on May 30 by security researchers, threat actors are now
using CVE-2022-30190 exploits to execute malicious code via the MSDT protocol
when targets open or preview Word documents delivered in ZIP archives. Campaigns
have impersonated the 'Women Empowerments Desk' of the Central Tibetan
Administration and use the domain tibet-gov.web[.]app.

The security researchers also spotted DOCX documents with Chinese filenames
being used to install malicious payloads detected as password-stealing Trojans
via "hxxp://coolrat[.]xyz".

At the time of writing, researchers have discovered limited exploitation of the
vulnerability in the wild. One instance of active exploitation of 'Follina' was
conducted by Chinese APT actor 'TA413'.


ATTACK VECTOR

At the time of this writing, all known attacks used Microsoft Word document
files that were most likely delivered via email. Theoretically, any applications
that allow an OLE object to be embedded would be a viable execution mechanism.


IN THE WILD ATTACK

One of the real-world attacks that leverage CVE-2022-30190 is a Microsoft Word
file submitted to VirusTotal from Saudi Arabia on June 1st (SHA2:
248296cf75065c7db51a793816d388ad589127c40fddef276e622a160727ca29), which
MalwareHunterTeam posted in a tweet:

Figure 5. Malicious Word file that was used in an attack leveraging
CVE-2022-30190.

The doc file retrieves an HTML file from 212[.]138[.]130[.]8/analysis.html,
which abuses MSDT to fetch the next stage payload “svchost.exe” from a remote
location and then execute it.

Figure 6. Contents of retrieved analysis.html


PAYLOAD ANALYSIS

The Saudi Arabian DOCX document eventually leads to the download and execution
of an executable. This executable (SHA256:
4DDA59B51D51F18C9071EB07A730AC4548E36E0D14DBF00E886FC155E705EEEF) is a variant
of Turian, which was analyzed by ESET
(https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/) 
almost a year ago. This current variant uses the same one-byte XOR key (0xA9) as
the previously analyzed Turian sample. 

Figure 7. XOR key 0xA9 used for decryption

This sample also has the functionality to try and determine what role the
infected computer plays in the domain.

Figure 8. Functionality to determine domain role

Similar to the old Turian sample, this variant uses the same headers to connect
to the C2 server.

Figure 9. Connection headers

This sample creates “tmp.bat”, which is used to set RUN keys in the registry for
persistence purposes.

Figure 10. Content of the”tmp.bat” file

Note the mixed usage of upper and lowercase letters, which is the same as the
old Turian sample.

This latest variant uses www[.]osendata[.] com as its C2 server.

Another Turian sample similar to this latest variant has a SHA256 hash of 
34DC42F3F486EC282C5E3A16D81A377C2F642D87994AE103742DF5ED5804D0F7 and a C2 server
of www[.]tripinindian[.]com.


MITIGATION

Microsoft has provided the following mitigation steps in a blog posted on May
30th, 2022.

CISA also urged admins and users to disable the MSDT protocol on their Windows
devices after Microsoft reported active exploitation of this vulnerability in
the wild.


DISABLING THE MSDT URL PROTOCOL:

Disabling the MSDT URL protocol prevents troubleshooters from being launched as
links, including links throughout the operating system. Troubleshooters can
still be accessed using the Get Help application and in System Settings as other
or additional troubleshooters. Follow these steps to disable:

 1. Run Command Prompt as Administrator.
 2. To back up the registry key, execute the command “reg export
    HKEY_CLASSES_ROOT\ms-msdt filename“
 3. Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.

Figure 11. ms-msdt in Registry Editor

How to undo the workaround

 1. Run Command Prompt as Administrator.
 2. To restore the registry key, execute the command “reg import filename”


TIMELINE

Timeline of CVE-2022-30190 based on information gathered by FortiGuard Labs:
(updated June 2)

Year

Month/Date 

Event

2022

April 12th

crazyman_army with an APT hunting team “Shadow Chaser Group,” reported the
vulnerability to Microsoft. The report was based on a Word document file that
appears to have been used in a real attack targeting Russia.

April 21st

Microsoft determined that it was not a security-related issue.

May 27th

nao_sec, an independent cyber security research team, tweeted about a malicious
Microsoft Word document file submitted from Belarus that leverages remote
templates to execute the PowerShell payload using the "ms-msdt" MSProtocol URI
scheme.

May 30th

 * Kevin Beaumont, a security researcher known as GossiTheDog, posted a blog
   citing that this is an unpatched vulnerability.
 * Microsoft released an advisory and mitigation guidance.
 * CVE-2022-30190 was assigned to the vulnerability.


CONCLUSION

CVE-2022-30190 has the potential to have significant impact due to its ease of
exploitation and ability to bypass Protected View, along with the availability
of new PoC code and the lack of a security fix. Administrators and users should
monitor updates from Microsoft and apply the patch as soon as it becomes
available. Until then, mitigation should be applied as soon as possible.


FORTINET PROTECTION

The FortiGuard Antivirus service detects and blocks files associated with
CVE-2022-30190 with the following signatures:

HTML/CVE_2022_30190.A!tr

MSWord/Agent.2E52!tr.dldr

MSWord/CVE20170199.A!exploit

Riskware/RemoteShell.

Regarding IPS coverage, the following signature will detect the retrieval of
remote HTML files that contain the MSDT command:

MS.Office.MSHTML.Remote.Code.Execution.

The FortiGuard Content Disarm and Reconstruction (CDR) service can detect the
attack in real-time and prevent it by disarming the "oleobject" data from
Microsoft Office files.

All relevant URLs have been rated as "Malicious Websites" by the FortiGuard Web
Filtering service.

For a comprehensive list of Fortinet technologies that prevent exploitation of
CVE-2022-30190, please refer to our Outbreak Alert Service page, “MSDT Follina.”

As these attacks require user interaction, it is also suggested that
organizations regularly schedule user awareness and training simulations on how
to spot a social engineering attack. Fortinet has multiple solutions designed to
train users on how to understand and detect phishing threats:

FortiEDR detects post-exploitation behavior associated with the CVE-2022-30190
vulnerability. A KB article detailing how FortiEDR can mitigate this issue can
be found here.

We suggest that organizations have their end users go through our FREE NSE
training: NSE 1 – Information Security Awareness. It includes a module on
Internet threats to train end-users on how to identify and protect themselves
from phishing attacks.

In addition, the FortiPhish Phishing Simulation Service uses real-world
simulations to help organizations test user awareness and vigilance to phishing
threats and train and reinforce proper practices when users encounter targeted
phishing attacks.


IOCS


FILES:

710370f6142d945e142890eb427a368bfc6c5fe13a963f952fb884c38ef06bfa

fe300467c2714f4962d814a34f8ee631a51e8255b9c07106d44c6a1f1eda7a45

3db60df73a92b8b15d7885bdcc1cbcf9c740ce29c654375a5c1ce8c2b31488a1

4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784

d118f2c99400e773b8cfd3e08a5bcf6ecaa6a644cb58ef8fd5b8aa6c29af4cf1

764a57c926711e448e68917e7db5caba988d3cdbc656b00cd3a6e88922c63837

8e986c906d0c6213f80d0224833913fa14bc4c15c047766a62f6329bfc0639bd

e8f0a2f79a91587f1d961d6668792e74985624d652c7b47cc87367cb1b451adf

4369f3c729d9bacffab6ec9a8f0e582b4e12b32ed020b5fe0f4c8c0c620931dc

1f245b9d3247d686937f26f7c0ae36d3c853bda97abd8b95dc0dfd4568ee470b

bf10a54348c2d448afa5d0ba5add70aaccd99506dfcf9d6cf185c0b77c14ace5

c0c5bf6fe1d3b23fc89e0f8b352bd687789b5083ca6d8ec9acce9a9e2942be1f

248296cf75065c7db51a793816d388ad589127c40fddef276e622a160727ca29

d61d70a4d4c417560652542e54486beb37edce014e34a94b8fd0020796ff1ef7

4f11f567634b81171a871c804b35c672646a0839485eca0785db71647a1807df


URL(S):

sputnikradio[.]net
xmlformats[.]com
exchange[.]oufca[.]com[.]au
141[.]98[.]215[.]99
tibet-gov[.]web[.]app


Learn more about Fortinet’s FortiGuard Labs threat research and intelligence
organization and the FortiGuard Security Subscriptions and Services portfolio.


Tags:

microsoft, threat research, FortiGuards Labs, cve


RELATED POSTS

Threat Research

UNPACKING PYTHON EXECUTABLES ON WINDOWS AND LINUX



Threat Research

ANALYSIS OF MICROSOFT CVE-2022-21907



Threat Research

MS OFFICE FILES INVOLVED AGAIN IN RECENT EMOTET TROJAN CAMPAIGN – PART I


 * 
 * 
 * 
 * 
 * 
 * 

NEWS & ARTICLES

 * News Releases
 * News Articles
 * Trademarks

SECURITY RESEARCH

 * Threat Research
 * FortiGuard Labs
 * Threat Map
 * Threat Briefs
 * Ransomware

CONNECT WITH US

 * Blog
 * Fuse Community

COMPANY

 * About Us
 * Why Fortinet
 * Security Fabric
 * Exec Mgmt
 * Careers
 * Certifications
 * Events
 * Industry Awards
 * Sitemap
 * Blog Sitemap

CONTACT US

 * (866) 868-3678

Copyright © 2022 Fortinet, Inc. All Rights Reserved

Terms of Services Privacy Policy | Cookie Settings
Also of Interest
 * The Benefits of a Cloud-Native SaaS WAF Solution
 * Business & Technology
 * Client vs. Clientless Zero Trust Network Access


COOKIE PREFERENCE CENTER




 * YOUR PRIVACY


 * STRICTLY NECESSARY COOKIES


 * PERFORMANCE COOKIES


 * FUNCTIONAL COOKIES


 * TARGETING COOKIES


YOUR PRIVACY

When you visit any website, it may store or retrieve information on your
browser, mostly in the form of cookies. Because we respect your right to
privacy, you can choose not to allow some types of cookies. Click on the
different category headings to find out more and change our default settings.
However, blocking certain cookies in the Functional category may impact your
experience of the site and the services we are able to offer. privacy policy


STRICTLY NECESSARY COOKIES

Always Active

These cookies are necessary for the website to function and cannot be switched
off in our systems. They are usually only set in response to actions made by you
which amount to a request for services, such as setting your privacy
preferences, logging in or filling in forms. You can set your browser to block
or alert you about these cookies, but some parts of the site will not then work.

Cookies Details‎


PERFORMANCE COOKIES

Performance Cookies


These cookies allow us to count visits and traffic sources so we can measure and
improve the performance of our site. They help us to know which pages are the
most and least popular and see how visitors move around the site.

Cookies Details‎


FUNCTIONAL COOKIES

Functional Cookies


These cookies enable the website to provide enhanced functionality and
personalisation. They may be set by us or by third party providers whose
services we have added to our pages. If you do not allow these cookies then some
or all of these services may not function properly.

Cookies Details‎


TARGETING COOKIES

Targeting Cookies


These cookies may be set through our site by our advertising partners. They may
be used by those companies to build a profile of your interests and show you
relevant adverts on other sites. They are based on uniquely identifying your
browser and internet device. If you do not allow these cookies, you will
experience less targeted advertising.

Cookies Details‎


BACK BUTTON BACK

Vendor Search
Filter Button
Consent Leg.Interest
checkbox label label
checkbox label label
checkbox label label


 * 33ACROSS
   
   33ACROSS
   
   View Third Party Cookies
    * Name
      cookie name


Clear
checkbox label label
Apply Cancel
Confirm My Choices
Allow All



COOKIE SETTINGS

By clicking “Accept All”, you agree to use of cookies on your device to enhance
site functionality, analyze site usage, and assist in our marketing efforts. The
Cookies Settings link has cookie-specific detail and preference options. privacy
policy

Reject All Accept All
Cookies Settings