Microsoft releases guidance for Office zero-day used to target orgs in Russia, India, Tibet

Microsoft published guidance Monday addressing a zero-day vulnerability affecting Microsoft Word documents that cybersecurity researchers say is already being used in attacks.

A patch has not been published yet, but the tech giant said in an announcement that the remote code execution vulnerability allows attackers to “install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”

The vulnerability — CVE-2022-30190 — is in the Microsoft Support Diagnostic Tool (MSDT) in Windows and is already being exploited by several state-backed threat actors, according to reports from multiple security companies. 

In a statement to The Record, Microsoft would not say when a patch will be released but pointed to the documents they published on Monday about ways the issue can be mitigated.

The issue was first discovered in a bachelor’s thesis from August 2020 but was reported to Microsoft on April 21. Microsoft initially claimed it “wasn’t a security issue” after being sent a document targeting Russian users by the head of advanced persistent threat (APT) hunting organization Shadow Chaser Group.

It says pic.twitter.com/Z2AN7nq6hr

— crazyman_army (@CrazymanArmy) May 30, 2022

The issue resurfaced on May 27 when a Twitter user, Nao, shared evidence of a malicious document targeting people in Belarus. By May 30, Microsoft assigned the issue a CVE and released guidance on ways to potentially mitigate the problem.

Cybersecurity firm Proofpoint said on Monday that a Chinese state-sponsored hacking group has been seen exploiting the zero-day in attacks on organizations associated with the Tibetan Government in Exile. The campaigns impersonate the "Women Empowerments Desk" of the Central Tibetan Administration, the firm said.

Bugcrowd CTO Casey Ellis said the bug appears to be trivially exploitable and "very powerful/flexible in the security context of the logged in user given it's ability to bypass Windows Defender."

"It's also particularly dangerous in that Microsoft Macro's are the typically focus for code execution payloads via Microsoft Office products, so user awareness training on 'Not Enabling Macros' doesn't mitigate the risk," Ellis said.

The issue was highlighted by cybersecurity expert Kevin Beaumont, who said he initially named the bug Follina because the spotted sample on the file references 0438, the area code of Follina, Italy.

“It’s a zero day allowing code execution in Office products. Historically, when there’s easy ways to execute code directly from Office, people use it to do bad things. This breaks the boundary of having macros disabled. Vendor detection is poor,” Beaumont explained in a blog post. 

He and several other security researchers tested the issue and found it affects Office 2013, 2016, 2019, 2021, Office ProPlus and Office 365. 

Beaumont noted that while it also applies to Windows itself, the bug didnt work with the Insider and Current versions of Office. He suggested that this means Microsoft has “either tried to harden something, or tried to fix this vulnerability without documenting it. This appears to have happened around May 2022.”

But he later confirmed that through .RTF files, all versions of Office 365 are vulnerable. 

Researchers published suggestions for security teams of things they can do to limit exposure, including removing the ms-msdt URI schema registry key, according to security expert Will Dormann.

While there very may well be other dangerous protocols besides ms-msdt:, it's probably a good idea to unregister this protocol. Especially while this vulnerability is still unpatched!
I've never seen its use in the real world until today.https://t.co/UHAqntUWYR

— Will Dormann (@wdormann) May 30, 2022

Cybersecurity firm Huntress noted that the vulnerability would allow attackers to install malware and explained that the exploit “can be triggered with a hover-preview of a downloaded file that does not require any clicks (post download).”

“This is a 0-day attack that sprung up out of nowhere, and there’s currently no patch available. The mitigations that are available are messy workarounds that the industry hasn’t had time to study the impact of,” Huntress said. 

“They involve changing settings in the Windows Registry, which is serious business because an incorrect Registry entry could brick your machine. Detonating this malicious code is as simple as opening up a Word doc – in preview mode.”

Netenrich principal threat hunter John Bambenek told The Record it is concerning that endpoint tools were apparently not detecting this or generating good telemetry to detect it.

Our threat intel analyst @h2jazi had spotted a sample using the msdt.exe RCE back in April.

At the time, the remote template was already down and therefore full identification was not possible. https://t.co/03UU2ClMhv

— Malwarebytes Threat Intelligence (@MBThreatIntel) May 30, 2022

Vulcan Cyber’s Mike Parkin noted that the vulnerability is yet another example of how Macros – a series of commands used to automate a repeated task – made Office more flexible but also gave threat actors a way to exploit office documents.

“This ‘Follina’ vulnerability is another example of office flexibility being used in unintended ways,” Parkin said.