As hacker groups continue to hammer a former Windows zero-day that makes it unusually easy to execute malicious code on target computers, Microsoft is keeping a low profile, refusing even to say if it has plans to patch.
Late last week, security firm Proofpoint said that hackers with ties to known nation-state groups were exploiting the remote code execution vulnerability, dubbed Follina. Proofpoint said the attacks were delivered in malicious spam messages sent to fewer than 10 Proofpoint customers in European and local US governments.
Microsoft products are a “target-rich opportunity”
In an email on Monday, the security company added further color, writing:
- Proofpoint Threat Research has been actively monitoring for use of the Follina vulnerability and we spotted another interesting case on Friday. An email with a RTF file attachment used Follina to ultimately execute a PowerShell script. This script checks for virtualization, steals information from local browsers, mail clients and file services, conducts machine recon and then zips it for exfil via BitsAdmin. While Proofpoint suspects this campaign to be by a state-aligned actor based on both the extensive recon of the Powershell and tight concentration of targeting, we do not currently attribute it to a numbered TA.
- Proofpoint has observed the use of this vulnerability via Microsoft applications. We are continuing to understand the scope of this vulnerability but at this time it is clear that many opportunities exist to use it across the suite of Microsoft Office products and additionally in Windows applications.
- Microsoft has released “workarounds” but not a full scale patch. Microsoft products continue to be a target-rich opportunity for threat actors and that will not change in the short term. We continue to release detection and protection in Proofpoint products as we learn more to assist our customers in securing their environments.
Security firm Kaspersky, meanwhile, has also tracked an uptick in Follina exploits, with most hitting the US, followed by Brazil, Mexico, and Russia.
“We expect to see more Follina exploitation attempts to gain access to corporate resources, including for ransomware attacks and data breaches,” the Kaspersky researchers wrote.
CERT Ukraine also said it was tracking exploits on targets in that country that use email to send a file titled “changes in wages with accruals.docx” to exploit Follina.
The secret to Follina’s popularity: “low interaction RCE”
One reason for the keen interest is that Follina doesn’t require the same level of victim interaction that typical malicious document attacks do. Normally, these attacks need the target to open the document and enable the use of macros. Follina, by contrast, doesn’t require the target to open the document, and there’s no macro to allow. The simple act of the document appearing in the preview window, even while protected view is turned on, is enough to execute malicious scripts.
“It’s more serious because it doesn’t matter if macros are disabled and it can be invoked simply through preview,” Jake Williams, director of cyber threat intelligence at the security firm Scythe, wrote in a text chat. “It’s not zero-click like a ‘just delivering it causes the exploit’ but the user need not open the document.”
Researchers developing an exploit module for the Metasploit hacking framework referred to this behavior as a low-interaction remote code execution. “I was able to test this using both the .docx and rtf formats,” one of them wrote. “I was able to gain execution with the RTF file by just previewing the document in Explorer.”
A bungled response
The enthusiasm threat actors and defenders have shown for Follina contrasts starkly with Microsoft’s low profile. Microsoft was slow to act on the vulnerability from the start. An academic paper published in 2020 showed how to use Microsoft Support Diagnostic Tool (MSDT) to force a computer to download a malicious script and execute it.
Then in April, researchers from Shadow Chaser Group said on Twitter that they had reported to Microsoft that an ongoing malicious spam run was doing just that. Even though the researchers included the file used in the campaign, Microsoft rejected the report on the faulty logic that the MSDT required a password to execute payloads.Finally, last Tuesday, Microsoft declared the behavior a vulnerability, giving it the tracker CVE-2022-30190 and a severity rating of 7.8 out of 10. The company didn’t issue a patch and instead issued instructions for disabling MSDT.
Microsoft has said very little since then. On Monday, the company declined to say what its plans are.
“Smaller security teams are largely viewing Microsoft’s nonchalant approach as a sign that this is ‘just another vulnerability’—which it most certainly is not,” Williams said. “It’s not clear why Microsoft continues to downplay this vulnerability, which is being actively exploited in the wild. It certainly isn’t helping security teams.”
Without Microsoft to provide proactive warnings, organizations have only themselves to lean on for guidance about the risks and just how exposed they are to this vulnerability. And given the low bar for successful exploits, now would be a good time to make that happen.