A new vulnerability affecting Microsoft Office has recently been disclosed. Dirk Schrader, Resident CISO (EMEA) and VP of Security Research at Netwrix, provides details below about how the Microsoft Support Diagnostic Tool (MSDT) can be turned against organisations and what to do to prevent your company from being victimised:
What is going on?
“The freshly discovered CVE-2022-30190 vulnerability in MS Office provides attackers with a new way of hijacking organisations’ IT environments through endpoints. This exploit is likely to work on most Windows / MS Office installations.
“The attacker crafts an MS Word document that contains the malware code, sends it to someone’s business email address, and uses common social engineering techniques to lure the recipient into opening it. Remember the Log4Shell vulnerability discovered in December 2021, where the issue was an uncontrolled way of executing a function within a function, combined with the ability to call for external resources. This 0-day, initially named ‘Follina’, works in a similar way.
“Microsoft Word has a feature called ‘remote template’ which is misused to get an HTML file from a distant location. Once received, this HTML file uses a functionality in MSDT to execute an embedded payload, using a PowerShell script or other tools available on the target.
“Windows built-in security tools are unlikely to catch this activity, and standard hardening benchmarks don’t cover it. Built-in defensive mechanisms like Defender or common restrictions on the use of macros will not block this attack either.
“The exploit seems to be out in the wild for about a month now, with various modifications as to what should be executed on the targeted system.”
What is affected?
“Microsoft lists 41 different product versions, from Windows 7 to Windows 11 and from Server 2008 to Server 2022. Known and proven as affected are Office, Office 2016, Office 2021 and Office 2022, regardless of the version of Windows they are running on. Patches have been issued during the last 24 hours.”
What to do to ensure security?
“Initial findings indicated that deleting a certain registry key will stop this exploit from working, but benchmarks like those from CIS and DISA STIG seem not to cover the needed setting as part of the hardening process.
“To detect suspicious activity related to this 0-day, IT teams need to closely monitor changes within their organisations’ systems, especially in system folders, and spot in a timely manner any unwanted processes or services being started.
“Another measure that can help prevent the attack via this vulnerability is establishing a set of Windows group policies that will lock down your system so that the exploit is prevented from executing its function process.”
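The registry workaround and the group-policy lockdown referred to in the answers above, written out as an added example for Windows administrators; this is not code from the article or from Netwrix. It follows the widely published workaround for CVE-2022-30190 of exporting and then deleting the HKEY_CLASSES_ROOT\ms-msdt key (so that the ms-msdt: URL no longer resolves to msdt.exe), keeps a restorable backup, and additionally writes the Scripted Diagnostics policy value that the Group Policy “Troubleshooting: Allow users to access and run Troubleshooting Wizards” sets when Disabled. The backup directory, the choice to apply both controls, and the exact policy value name are assumptions to confirm against your own ADMX templates; run it from an elevated PowerShell session.

```powershell
# Added example (not from the article or from Netwrix). Disables the ms-msdt:
# URL protocol handler that the CVE-2022-30190 document chain invokes, with a
# restorable backup, and sets the Scripted Diagnostics policy so the
# troubleshooting wizards cannot be launched at all. Requires an elevated session.

$HandlerKey = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics'
$BackupDir  = 'C:\Admin\RegBackups'                # assumed location, adjust to taste
$BackupFile = Join-Path $BackupDir 'ms-msdt.reg'

function Test-MsdtHandlerRegistered {
    # $true means ms-msdt: still resolves to msdt.exe, i.e. the exploit path is open.
    Test-Path -Path $HandlerKey
}

function Disable-MsdtHandler {
    if (-not (Test-MsdtHandlerRegistered)) {
        Write-Output 'ms-msdt: handler is already absent; nothing to do.'
        return
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    # reg.exe export writes a .reg file that "reg.exe import" can restore later.
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Backup to $BackupFile failed; leaving the handler in place."
    }
    Remove-Item -Path $HandlerKey -Recurse -Force
    Write-Output "ms-msdt: handler removed; backup written to $BackupFile"
}

function Restore-MsdtHandler {
    # Revert once the vendor patch is installed and verified.
    if (-not (Test-Path -Path $BackupFile)) { throw "No backup found at $BackupFile" }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg.exe import failed; handler not restored.' }
}

function Disable-TroubleshootingWizards {
    # Equivalent of the Group Policy "Troubleshooting: Allow users to access and run
    # Troubleshooting Wizards" set to Disabled. The value name is assumed to be what
    # that policy writes; confirm against the ADMX in your environment.
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name 'EnableDiagnostics' `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

function Get-FollinaHardeningState {
    # One object per host, convenient to collect across a fleet and export to CSV.
    $policy = Get-ItemProperty -Path $PolicyKey -Name 'EnableDiagnostics' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        MsdtHandlerPresent = Test-MsdtHandlerRegistered
        WizardsDisabled    = ($null -ne $policy -and $policy.EnableDiagnostics -eq 0)
    }
}

Disable-MsdtHandler
Disable-TroubleshootingWizards
Get-FollinaHardeningState
```

Keep the exported .reg file: the patched msdt.exe still needs the ms-msdt: handler for legitimate troubleshooting links, so Restore-MsdtHandler is the intended follow-up once the update is confirmed installed, and Get-FollinaHardeningState gives the fleet-wide check that a benchmark audit would otherwise miss.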
What is next?
“Within the coming weeks, attackers will likely check for ways to weaponise the vulnerability. This 0-day in a spear phishing campaign could be combined with the recent attack vectors, like the one discovered in Japan, and with privilege escalation techniques to elevate from the current user’s context. Keeping in mind the possibility of this ‘combined’ tactic, IT professionals should make sure that systems are closely monitored to detect breach activity.
“On top of that, the similarities with Log4Shell, which made headlines in December 2021, are striking. This vulnerability is about using an application’s ability to remotely call for a resource using the URI scheme, and not having safeguards in place. We can expect APT groups and cyber crooks to specifically look for more of these as they seem to offer an easy way in.”
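The process monitoring that the answers under “What to do to ensure security?” and “What is next?” call for, as an added example that is not part of the article or of Netwrix’s tooling. It flags process-creation events that match the chain described above: an Office application spawning msdt.exe, any msdt.exe launch carrying the PCWDiagnostic / IT_BrowseForFile arguments that the public proof-of-concept uses, and the Scripted Diagnostics host (sdiagnhost.exe) spawning a shell. The sample events are constructed for the example; the Get-FollinaProcessEvents function reads live Sysmon Event ID 1 records, so the Sysmon log name and field names are the only assumptions about your environment.

```powershell
# Added example (not from the article or from Netwrix). Hunts process-creation
# telemetry for the CVE-2022-30190 execution chain. Sample events below are
# constructed, not real telemetry; Get-FollinaProcessEvents pulls live Sysmon data.

$OfficeParents = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'msaccess.exe')
$ShellChildren = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'mshta.exe', 'rundll32.exe')

function Test-FollinaProcessEvent {
    # Returns the list of reasons an event looks like Follina (empty when benign).
    param([Parameter(Mandatory)] $Event)   # needs Image, ParentImage, CommandLine
    $image  = [IO.Path]::GetFileName([string]$Event.Image).ToLowerInvariant()
    $parent = [IO.Path]::GetFileName([string]$Event.ParentImage).ToLowerInvariant()
    $cmd    = [string]$Event.CommandLine
    $reasons = @()
    if ($image -eq 'msdt.exe' -and $OfficeParents -contains $parent) {
        $reasons += "msdt.exe spawned by Office process $parent"
    }
    if ($image -eq 'msdt.exe' -and $cmd -match 'ms-msdt:' -and $cmd -match 'IT_(Re)?BrowseForFile=') {
        $reasons += 'msdt.exe launched via ms-msdt: with IT_BrowseForFile (PoC pattern)'
    }
    if ($parent -eq 'sdiagnhost.exe' -and $ShellChildren -contains $image) {
        $reasons += "sdiagnhost.exe spawned shell $image"
    }
    return ,$reasons
}

function Find-FollinaActivity {
    param([Parameter(Mandatory)] [object[]] $Events)
    foreach ($e in $Events) {
        $why = Test-FollinaProcessEvent -Event $e
        if ($why.Count -gt 0) {
            [pscustomobject]@{
                UtcTime     = $e.UtcTime
                Image       = $e.Image
                ParentImage = $e.ParentImage
                CommandLine = $e.CommandLine
                Reasons     = ($why -join '; ')
            }
        }
    }
}

function Get-FollinaProcessEvents {
    # Live collection: Sysmon Event ID 1, mapped by EventData name so it does not
    # depend on the property order of a particular Sysmon version.
    param([int] $MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } `
        -MaxEvents $MaxEvents -ErrorAction Stop | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            UtcTime = $d['UtcTime']; Image = $d['Image']
            ParentImage = $d['ParentImage']; CommandLine = $d['CommandLine']
        }
    }
}

# Constructed sample events: one benign Word launch, one benign msdt.exe use, two hits.
$Office = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
$Sample = @(
    [pscustomobject]@{ UtcTime = '2022-05-30 09:12:01'; Image = $Office; ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = "`"$Office`" /n C:\Users\alice\Downloads\invoice.docx" }
    [pscustomobject]@{ UtcTime = '2022-05-30 09:12:07'; Image = 'C:\Windows\System32\msdt.exe'; ParentImage = $Office
                       CommandLine = '"C:\WINDOWS\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_BrowseForFile=$(Invoke-Expression("calc.exe"))"' }
    [pscustomobject]@{ UtcTime = '2022-05-30 09:12:09'; Image = 'C:\Windows\System32\cmd.exe'; ParentImage = 'C:\Windows\System32\sdiagnhost.exe'
                       CommandLine = 'cmd.exe /c calc.exe' }
    [pscustomobject]@{ UtcTime = '2022-05-30 10:41:33'; Image = 'C:\Windows\System32\msdt.exe'; ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'msdt.exe -id NetworkDiagnosticsWeb' }
)

Find-FollinaActivity -Events $Sample | Format-Table -AutoSize
# For a live hunt on a host running Sysmon:
# Find-FollinaActivity -Events (Get-FollinaProcessEvents) | Export-Csv follina-hits.csv -NoTypeInformation
```

The benign msdt.exe launch from explorer.exe is deliberately included so the rule does not fire on ordinary troubleshooting use; the parent-child relationship and the ms-msdt: argument pattern are what distinguish the exploit, which is why the check is built on process lineage rather than on the name msdt.exe alone.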