Getty Images
While hacker groups continue to work to break a former Windows zero-day that makes it exceedingly easy to run malicious code on target computers, Microsoft is keeping a low profile, refusing to even say if it has plans to patch.
At the end of last week, security company Proofpoint said that hackers with ties to well-known nation-state groups exploited the remote code execution vulnerability called Follina. Proofpoint said the attacks were delivered in malicious spam messages sent to fewer than 10 Proofpoint customers in European and local US governments.
Microsoft products are a “targeted opportunity”
In an email on Monday, the security company added even more color, writing:
- Proofpoint Threat Research has been actively monitoring the use of the Follina vulnerability and we saw another interesting case on Friday. An email with an RTF file attachment Follina used to eventually run a PowerShell script. This script checks for virtualization, steals information from local browsers, email clients and file services, performs machine recon and then zips it for exfil via BitsAdmin. While Proofpoint suspects that this campaign was run by a state-aligned actor based on both the Powershell’s extensive exploration and strict concentration of targeting, we don’t currently attribute it to a numbered TA.
- Proofpoint has observed use of this vulnerability through Microsoft applications. We continue to understand the scope of this vulnerability, but at this point it is clear that there are many opportunities to use it in the suite of Microsoft Office products and in addition in Windows applications.
- Microsoft has released “fixes”, but not a full patch. Microsoft products remain a target-rich opportunity for threat actors, and that won’t change anytime soon. We continue to release detection and protection in Proofpoint products as we learn more to help our customers secure their environments.
Security firm Kaspersky, meanwhile, has also tracked an increase in Follina exploits, with most hitting the US, followed by Brazil, Mexico and Russia.
Kaspersky
“We expect more Follina exploits to gain access to corporate resources, including for ransomware attacks and data breaches,” the Kaspersky researchers wrote.
CERT Ukraine also said it was tracking exploits on targets in that country that use email to send a file titled “changes in wages with accruals.docx” to exploit Follina.
The secret of Follina’s popularity: “low interaction RCE”
One of the reasons for the high level of interest is that Follina doesn’t require the same level of victim interaction as typical document attacks. Normally, these attacks require the target to open the document and enable the use of macros. Follina, on the other hand, does not require the target to open the document and no macro is allowed. The simple act of the document appearing in the preview window, even with Protected View enabled, is enough to execute malicious scripts.
“It’s more serious because it doesn’t matter if macros are disabled and it can be easily called via preview,” Jake Williams, director of cyberthreat intelligence at security firm Scythe, wrote in a text chat. “It’s not a zero-click like a ‘just deliver causes the exploit’, but the user doesn’t have to open the document.”
Researchers who developed an exploit module for the Metasploit hacking framework called this behavior low-interaction remote code execution. “I was able to test this with both .docx and rtf formats,” wrote one of them. “I was able to execute with the RTF file by previewing the document in Explorer.”
A failed response
The enthusiasm that threat actors and defenders have shown for Follina is in stark contrast to Microsoft’s low profile. Microsoft has been slow to respond to the vulnerability from the start. An academic paper published in 2020 showed how you can use the Microsoft Support Diagnostic Tool (MSDT) to force a computer to download and run a malicious script.
Then, in April, Shadow Chaser Group investigators said On Twitter that they reported to Microsoft that an ongoing malicious spam run was doing just that. Although the researchers used the file used in the campaign, Microsoft rejected the report on the flawed logic that the MSDT needed a password to execute payloads.
Finally, last Tuesday, Microsoft declared the behavior as a vulnerability and issued the tracker CVE-2022-30190 and a priority rating of 7.8 out of 10. The company did not patch and instead issued instructions to disable MSDT.
Microsoft has said very little since then. The company will not say what the plans are on Monday.
“Smaller security teams largely view Microsoft’s casual approach as a sign that this is ‘just another vulnerability,’ which it most certainly isn’t,” Williams said. “It’s not clear why Microsoft continues to downplay this vulnerability that is actively being exploited in the wild. It certainly doesn’t help security teams.”
Without Microsoft providing proactive warnings, organizations need to rely only on themselves to advise on the risks and how exposed they are to this vulnerability. And given the low bar for successful exploits, now would be a great time to make that happen.
