Background

The newest Microsoft Office zero-day vulnerability, Follina, has been causing a buzz across much of the security community. The largest differences between it and most other Office vulnerabilities are that it does not rely on macros and that, at the time of writing, no patch is scheduled.

Rather than tiptoeing around a commonly used and heavily patched vector for Office malware like macros, the vulnerability abuses the Microsoft Support Diagnostic Tool (MSDT). A call out from the Word application through the MSDT URL protocol triggers MSDT to run, and in this case creates an easy avenue for arbitrary code execution. The vulnerability also appears to be exploitable via .RTF and .DOCX files on all versions of Office 365 as of the time of this writing. An exploit with the extension changed to .RTF can sometimes even run without the document being opened.

Confirmed active campaigns using this vulnerability are now widespread, and several proofs of concept (PoCs) have already been published. Since the vulnerability became public, threat actors such as the Chinese actor TA413 have begun taking advantage of its ease of use, and other possibly state-backed attackers have been observed. Activity using this vulnerability has been seen dating back to April.

Impact

As with all arbitrary code execution vulnerabilities, this is a very serious threat to anyone with MSDT enabled in their environment. Arbitrary execution allows an attacker to upload and run their own code, enabling them to make changes outside of their allocated permissions, exfiltrate documents, spy on operations, and pivot to other machines within the network.

With an application as heavily used as Microsoft Word involved, this is an important vulnerability to keep an eye on and properly mitigate. Left unchecked, a zero-day like this can wreak havoc on an entire network in a very short amount of time.

Monitoring and Detection

Automating detection for this vulnerability is thankfully quite straightforward because of how it executes. The primary method for finding this activity in monitoring is searching specifically for WINWORD.exe, EXCEL.exe, or OUTLOOK.exe spawning MSDT.exe, with an emphasis on file browsing activity. Another effective method is searching conhost.exe and sdiagnhost.exe logs for unusual child processes (such as conhost launching cmd, or sdiagnhost launching conhost, both of which are indicators of compromise).

If executions have already occurred, network traffic from any of the three applications listed above that does not go to ‘visualstudio.com’ or ‘microsoft.com’ or their subdomains should be investigated thoroughly.
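The two checks above, the parent/child process chains and the Office destination allowlist, as an added worked example (not LogicHub's own detection content). It parses the "New Process Name" / "Creator Process Name" fields of a 4688-style message body; the sample records and destination hosts are constructed, and real telemetry would be fed in place of them.

```python
import re

OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
# Parent -> child image pairs the post calls out; Office spawning MSDT is the primary one.
SUSPICIOUS_CHAINS = {(office, "msdt.exe") for office in OFFICE} | {
    ("conhost.exe", "cmd.exe"),
    ("sdiagnhost.exe", "conhost.exe"),
}
FIELD = re.compile(r"^\s*(New Process Name|Creator Process Name):\s*(.+?)\s*$", re.M)

def parse_4688(message):
    """Return (parent image path, child image path) from a 4688 event message body."""
    fields = dict(FIELD.findall(message))
    return fields["Creator Process Name"], fields["New Process Name"]

def image_name(path):
    """Case-insensitive basename of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def flag_process_events(messages):
    """Return the (parent, child) image pairs that match a suspicious chain, in log order."""
    hits = []
    for msg in messages:
        pair = tuple(image_name(p) for p in parse_4688(msg))
        if pair in SUSPICIOUS_CHAINS:
            hits.append(pair)
    return hits

def expected_destination(host):
    """True only for microsoft.com / visualstudio.com and their subdomains (not look-alikes)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ("microsoft.com", "visualstudio.com"))

def flag_office_connections(conns):
    """conns: (image path, destination host) pairs; returns Office destinations worth investigating."""
    return [host for image, host in conns
            if image_name(image) in OFFICE and not expected_destination(host)]

# Constructed sample records (not real telemetry), trimmed to the two fields parsed above.
WORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
SAMPLE_4688 = [
    "New Process Name: C:\\Windows\\System32\\msdt.exe\nCreator Process Name: " + WORD,
    "New Process Name: C:\\Windows\\System32\\conhost.exe\nCreator Process Name: C:\\Windows\\System32\\sdiagnhost.exe",
    "New Process Name: C:\\Windows\\System32\\cmd.exe\nCreator Process Name: C:\\Windows\\System32\\conhost.exe",
    "New Process Name: " + WORD + "\nCreator Process Name: C:\\Windows\\explorer.exe",  # benign launch
]
SAMPLE_CONNECTIONS = [
    (WORD, "officeclient.microsoft.com"),              # expected
    (WORD, "files.unknown.example"),                   # constructed: flag
    ("C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "notmicrosoft.com"),  # look-alike: flag
    ("C:\\Windows\\System32\\svchost.exe", "update.unknown.example"),  # not an Office process: ignore
]
```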

Remediation

Extensive endpoint monitoring is a must for this specific vulnerability, which is what makes dealing with it difficult. Enterprises for which this vulnerability is a significant concern should ensure they collect Windows process creation events (Event ID 4688) from each endpoint, though this may be hard for organizations with limited resources.

There are some current options for remediation that can prevent the worst of the problem. Microsoft suggests disabling the MSDT URL protocol manually through a registry change, and keeping Defender turned on; Defender can alert on unusual uses of MSDT.

Microsoft also recommends enabling Protected View and Application Guard for Microsoft Office, which helps against macro-based attacks as well.


Relevant Sources and Further Readings

Huntress Overview

Kevin Beaumont’s Response

Microsoft Security Response Center Bulletin

Follina Zero-Day Vulnerability Breakdown: Analysis and Remediation (June 14, 2022, Tessa Mishoe)