Background

The newest Microsoft Office zero-day vulnerability, Follina, has been causing a buzz around much of the security community. The largest differences between it and most other Office vulnerabilities are that it has found a way around the use of macros and that it does not have any planned patches in the pipeline.

Rather than tiptoeing around a commonly used and patched vector for Office malware like macros, the vulnerability uses the Microsoft Support Diagnostic Tool (MSDT). A call out from the Word application triggers MSDT to run, and in this case, creates an easy avenue for arbitrary code execution. The vulnerability also appears to be exploitable via .RTF and .DOCX files on all versions of Office365 as of the time of this writing. An exploit with the extension changed to .RTF can sometimes even run without the document being opened.

The confirmed active campaigns using this vulnerability are now widespread and several proof of concept (PoC)s have already been published. Since the publication of the vulnerability, threat actors like Chinese actor TA413 have begun taking advantage of its ease of use, and other possible state-backed attackers have been seen. Activity using this vulnerability has been seen going back into April.

Impact

As with all arbitrary code execution vulnerabilities, this is a very serious threat to those with MSDT enabled on their environment. Arbitrary execution allows an attacker to upload and execute their own code, enabling them to make changes outside of allocated permissions, exfiltrate documents, spy on operations, and pivot to other machines within the network.

Especially with an application so heavily used as Microsoft Word, this is an important vulnerability to keep an eye on and properly mitigate. Unchecked, a zero-day vulnerability like this can wreak havoc on an entire network in a very short amount of time.

Monitoring and Detection

Automating detection for this vulnerability is thankfully quite straightforward based on how it executes. The primary method for finding this activity in monitoring is searching specifically for WINWORD.exe, EXCEL.exe, or OUTLOOK.exe opening MSDT.exe with an emphasis on file browsing activity. Another effective method was searching through conhost.exe and sdiagnhost.exe logs for unusual new processes (like conhost launching cmd or sdiagnhost launching conhost, both of which are indicators of compromise).

If executions have already been performed, traffic monitoring from any of the three applications listed above that does not go to either ‘visualstudio.com’ or ‘microsoft.com’ or their subdomains should be investigated thoroughly.

Remediation

Extensive endpoint monitoring is a must for this specific vulnerability, which can make dealing with it difficult. Enterprises should ensure that, if this vulnerability is a significant concern to them, they pull Windows process creation event logs (code 4688) from each endpoint, though this may be difficult for some organizations to do if limited on resources.

There are some current options for remediation that can prevent the worst of the problem. Microsoft suggests that the MSDT URL protocol be manually disabled via registry key changes, and that Defender be turned on. Defender can alert on any unusual uses of MSDT.

Microsoft also recommends that Protected View and Application Guard be turned on for Microsoft Office, which will assist with macro use, as well.

eBook: The Definitive Guide to AI and Automation Powered Detection and Response
Why Your Next SOC Assistants Are Bots (and Your Networks Will Be More Secure Than Ever)

Relevant Sources and Further Readings

Huntress Overview

Kevin Beaumont’s Response

Microsoft Security Response Center Bulletin

LogicHub harnesses the power of AI and automation for superior detection and response at a fraction of the cost. From small teams with security challenges, to large teams automating SOCs, LogicHub makes advanced detection and response easy and effective for everyone.

Blog

Related Posts

September 13, 2022 Kumar Saurabh

Why No Code Solutions Are a Double-Edged Sword

Most out-of-the-box security automation is based on a simple logic — essentially, if “this”...

Learn More

August 16, 2022 Willy Leichter

Understanding MDR, XDR, EDR and TDR

A program with proper threat detection and response (TDR) has two key pillars: understanding the...

Learn More

August 9, 2022 Willy Leichter

Intuition vs. Automation: What Man and Machine Bring to Data Security

Cybersecurity experts Colin Henderson and Ray Espinoza share their take on the automation-driven...

Learn More

August 2, 2022 Anthony Morris

Using AI/ML to Create Better Security Detections

The blue-team challenge Ask any person who has interacted with a security operations center (SOC)...

Learn More

July 26, 2022 Willy Leichter

How to Select the Right MDR Service

It can be difficult to understand the differences between the various managed detection and...

Learn More

July 21, 2022 Willy Leichter

The Evolving Role of the SOC Analyst

As the cyber threat landscape evolves, so does the role of the security operations center (SOC)...

Learn More

July 19, 2022 Kumar Saurabh

Life, Liberty, and the Pursuit of Security

As cyber threats evolve, organizations of all sizes need to ramp up their security efforts....

Learn More

July 15, 2022 Tessa Mishoe

LogicHub Security RoundUp: July 2022

Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be...

Learn More

July 12, 2022 Willy Leichter

Security Tools Need to Get with the API Program

No cloud API is an island The evolution of cloud services has coincided with the development of...

Learn More

July 6, 2022 Willy Leichter

Why the Rush to MDR?

LogicHub recently published a survey conducted by Osterman Research, looking at changing trends and...

Learn More