0-Day Vulnerability Dubbed Follina

The charming cloister we can admire on the cover of this post is found in the Abbazia Cistercense Santa Maria di Follina. Follina is a municipality in the Province of Treviso in northern Italy. But it is also the name recently bestowed to a remote code execution vulnerability in the Microsoft Windows Diagnostic Tool (MSDT). Cybercriminals are exploiting this zero-day in the wild, and Microsoft has not yet officially released a patch remediating it. What exactly is Follina, and what can we do about it in the meantime to stay safe?

On May 27 this year, the Japanese cybersecurity research team nao_sec detected a strange Word document in VirusTotal uploaded two days before from an IP address in Belarus. This maldoc contained malicious code to leverage "the Word remote template feature to retrieve [an] HTML file from a remote [web server], which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute PowerShell." These are the words of cybersecurity expert Kevin Beaumont, whose attention was drawn to the finding and who decided to investigate it. In fact, it was he who, recognizing that it was a zero-day vulnerability in the MSDT, named it Follina. Why? Because one of the names of the referenced maldoc was "05-2022-0438." And 0438 is the area code for Follina in Italy. Plain and simple.

Let's drill down on the issue a bit further. MSDT, the affected tool, is an application that automatically collects information on systems and sends it to Microsoft Support for analysis and determination of solutions when something appears to be failing in Windows. Microsoft Word is among the applications that can call up MSDT through the ms-msdt:/ protocol URI scheme to launch its troubleshooter packs. URI (Uniform Resource Identifier) is a unique sequence of characters to identify a resource in web technologies. A URL (Uniform Resource Locator), for instance, is a URI that provides the location of a resource for its retrieval. URI schemes can be manifold. Among them, we have http://, https://, mailto: and file://. The one that matters to us on this occasion is ms-msdt:/.

For the exploitation of Follina, the victim receives the Word document created by the attacker in an email based on a social engineering ploy to persuade them to open it. They do so. And though it may be a blank file, it "contains an external reference pointing to a malicious URL." (It's a problem that Office allows unfiltered loading from Word HTML templates and Outlook links.) From there, a payload with the ms-msdt:/ protocol is obtained, and Microsoft Office automatically processes it but, in the case reported by Beaumont, leads to the execution of PowerShell. The attacker can then execute arbitrary code via PowerShell. (Here's a brief illustrative video where a researcher shows a test of a "maldoc" that, when opened, leads to the execution of the Windows calculator.)

Beaumont found that this could even happen when macros are disabled. It was enough for the attacker to convert the document to Rich Text Format (RTF). Thus, even with the Office Protected View enabled (which does not allow macros to be run on docs from the Internet), code execution occurred with the victim only previewing the document, i.e., without opening it.

According to Journalist Jonathan Creig, this security issue was actually discovered almost two years ago in a bachelor's thesis in Germany. Researcher @BaoshengbinCumt, meanwhile, said that exploitation tests began in October 2021 and the first attack took place in March this year. However, this vulnerability had to wait until April to be reported to Microsoft. It seems it was @CrazymanArmy, leader of the Shadow Chaser Group, who did it more than a month before nao_sec's discovery, delivering to Microsoft a maldoc that was being sent to Russian users. It was disturbing then that the company responded to deny that it was a security issue. Apparently, they failed to replicate the exploit, arguing that a passcode is required when starting msdt.exe. Nevertheless, when the predicament resurfaced at the end of May, Microsoft officially spoke out. They assigned Follina the identifier CVE-2022-30190 and published a guidance blog post in which they initially said the following:

Therefore, in the case mentioned above, the privileges of the victim who received the Word file were the same as those available to the attacker remotely. Beaumont and other security researchers proved Follina in Office 2013, 2016, 2019, 2021, ProPlus and 365. There's no question we are dealing with a very dangerous vulnerability, with a high severity level (apparently a CVSS score of 7.8) and broad implications due to the massive use of Microsoft Office worldwide.

Once a vulnerability is no longer a closed book, the number of attacks begins to grow dramatically. On May 31, there was already news of several state-backed threat actors exploiting it. The security firm Proofpoint, for example, reported attacks by a China-linked hacking group against the Tibetan community. These cybercriminals used URLs to deliver ZIP archives containing maldocs in which they posed as the Women's Empowerment Desk of the Central Tibetan Administration. A few days later, Proofpoint said it had blocked a phishing campaign targeting some of its customers: government entities in Europe and the U.S. The lure document to exploit Follina intended to deceive the targets by talking about salary increases.

On June 7, Proofpoint revealed having seen the threat actor they refer to as TA570 exploiting Follina to deliver the QBot (aka Qakbot) trojan. Attackers send messages with HTML attachments that, when opened, download a ZIP file containing an IMG file. This one, in turn, includes Word, DLL and LNK files. The LNK executes the DLL to start Qbot. The Word loads and executes from an external server an HTML file containing PowerShell to abuse Follina and thus download and run Qbot. This trojan has been widely used to steal banking information and is tied to several ransomware variants (e.g., ProLock, Egregor, Conti, and Black Basta). The situation with Follina worsens with ransomware groups now wanting to cash in on it.

So far, Microsoft has not released a patch for Follina. It is expected to arrive soon. What has been recommended up until now are merely temporary workarounds. In their guidance, as a preventive measure, Microsoft suggests disabling the MSDT URL protocol. Their instructions are as follows:

That second step is essential so that you can restore the registry key with the reg importfilename command as soon as this workaround is no longer needed. Of course, when the patch is released, install it as soon as possible. Microsoft also recommended its customers with Microsoft Defender Antivirus turn on "cloud-delivered protection and automatic sample submission" to identify and stop threats. In addition, you should be careful with emails sent by unknown senders. Be very wary of those with Microsoft Office files attached. If you open them or even see them in preview mode, you may find yourself in dire straits.

It's worth mentioning that free "micropatches" for Follina were published unofficially by the 0patch team for different versions of Windows and Windows Server. Afterward, they released micropatches for another vulnerability dubbed DogWalk. But why on earth is this relevant? DogWalk is another zero-day in MSDT. A security issue that, like Follina, was discovered in 2020, was not seen by Microsoft then as a bug and is now also being dusted off.

Update (June 14): Microsoft has officially released the patch for Follina. They say the following: