Follina (CVE-2022-30190): No major attack wave, but campaigns on EU/US and other targets

Sicherheit (Pexels, allgemeine Nutzung)[German]A 0-day vulnerability CVE-2022-30190 (Follina) in Windows has been known since the end of May 2022. Yesterday, a tip from a security researcher came to my attention, who has not yet found any active exploitation via manipulated Office documents. On the other hand, Proofpoint reports that they have just stopped a phishing campaign attacking customers at EU and US government agencies. State actors are suspected to be behind the action. An attack was also observed in the South Pacific, originating from servers in Palau. In the process, a digital certificate from a company was misused for signing. The CERT-UA also warns of attacks on government targets in Ukraine. Time for a brief stocktake around the exploitation of Follina.


No major attack so far?

Actually, it was to be expected that the recently disclosed Windows vulnerability CVE-2022-30190 (Follina) would be massively abused in attacks over Whitsun. But there hasn't been a real wave, although I've found mixed signals on the web.

No exploitation from Cyber criminals yet?

On Twitter, the following tweet  from security researcher Kevin Beaumont came to my attention. Beaumont writes on June 6, 2022, that he has yet to see any examples of the usual groups of cyber criminals already using modified "office doc builders" that exploit the Follina vulnerability.

Follina: Entwarnung?

"Office Doc Builders" are packages that can be used to generate Office documents that exploit vulnerabilities in Office/Windows in attacks. The Office documents are sent along with phishing emails to carry out an attack. According to Beaumont, the relevant ransomware groups use 6-month-old Office doc builders that use only .lnk files in ISO files to attack. He writes: Anyway, no need to panic. The people who used this vulnerability so far seem to have disappeared, and I haven't seen any further exploitation outside of security research circles today.

Warnings of exploitation in EU/USA

However, security vendor Proofpoint reports on Twitter  that it has blocked a suspected state-sponsored phishing campaign that attempted to exploit the Windows CVE_2022_30190 (Follina) vulnerability.


Follina vulnerability (CVE-2022-30190)

This campaign pretended to the potential victims that it was about a salary increase (see the screenshot above). The attachment included an RTF file with alleged details (242d2fa02535599dae793e731b6db5a2). An attempt was then made to download the exploit payload of 45.76.53[.]253 via the CVE_2022_30190 vulnerability.

The downloaded Powershell script was base64-encoded and used Invoke expression to download an additional PS script (dbd2b7048b3321c87a768ed7581581db) from seller-notification[.]live. This script checks for virtualization, steals information from local browsers, mail clients, and file services, performs machine matching, and zips the results to transmit them to 45.77.156[.]179.

However, the phishing campaign affected fewer than 10 Proofpoint customers (European governments and local U.S. governments). Proofpoint therefore suspects that this campaign is the work of a state-organized actor, as the powershell scripts were very specifically constructed and the attacks were heavily concentrated on a few victims.

Probably still limited danger at present

In the above case, the attackers probably took a very targeted approach to deploy their exploits in doses to high-profile targets, while the groups of cybercriminals are probably not yet ready to exploit the vulnerability (that's how I interpret Kevin Beaumont's statement). But that could change quickly in the days to come.

Warning from CERT-UA

A Czech security site reported as of June 3, 2022, that the just-publicized MSDT Windows vulnerability CVE-2022-30190 (Follina) had been used to attack government entities in Ukraine. The Computer Emergency Response Team of Ukraine (CERT-UA) warns of a new malicious campaign that exploits two Windows zero-day vulnerabilities to infect networks of Ukrainian government agencies with the Cobalt Strike beacon malware.

The observedphishing email campaign has the subject "Зміни оплата праці з нарахуваннями" ("Salary changes with accruals") with an attachment in the form of a malicious Microsoft Word document containing a link to an HTML file. Once the document is opened, JavaScript code is executed on the machine, which triggers the exploitation of CVE-2021-40444 and CVE-2022-30190 vulnerabilities and eventually leads to the download of Cobalt Strike Beacon to a compromised computer.

Cobalt Strike is a paid penetration testing product that allows threat actors to install an agent called "Beacon" on a victim's computer. "Beacon" features include command execution, key logging, file transfer, SOCKS proxies, privilege escalation, Mimikatz, port scanning and lateral movement.

So this is a similar attack that Proofpoint blocked in a modified form – adapted to victims in the EU and the US. There, the document was in English and PowerShell scripts were used.

Follina attacks in South Pacific/Australia

Attacks also appear to have occurred in the South Pacific/Australia, as reported by Avast in this blog post for June 3, 2022. Monitoring found evidence of a threat actor hosting malicious payloads at an Australian VOIP telecommunications provider with an office in the South Pacific island nation of Palau.

Further analysis revealed that malicious documents were sent to targets in Palau that, when opened, exploited this vulnerability so that victims' computers connected to the provider's website, downloaded and executed the malware, and were subsequently infected.

Avast writes: This threat was a complex multi-step operation using LOLBAS (Living off the Land Binaries And Scripts), which allowed the attacker to launch the attack via the CVE-2022-30190 vulnerability in the Microsoft Support Diagnostic Tool. This vulnerability allows threat actors to execute malicious code without the user downloading an executable file to their computer that could be detected by endpoint detection.

Several levels of this malware have been signed with a legitimate enterprise certificate to provide additional legitimacy and minimize the likelihood of detection. The details can be read in the blog post linked above. This Australian IT site reports as of June 6, 2022, Click Studios has revoked the digital certificate used by the "Follina" malware. 

Follina vulnerability (CVE-2022-30190)

A new 0-day vulnerability CVE-2022-30190 named Follina in Microsoft Support Diagnostic Tool (MSDT) has been known since end of May 2022. The vulnerability allows remote code execution when MSDT is invoked via the URL protocol from an application such as Word. An attacker who successfully exploits this vulnerability can execute arbitrary code with the privileges of the calling application.

I had provided details in the blog posts Follina vulnerabilitiy (CVE-2022-30190): Status, Findings, Warnings & Attacks and Follina: Attack via Word documents and ms-msdt protocol (CVE-2022-30190). A support document Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability is available from Microsoft, which also provides guidance on mitigating the vulnerability.

There is no official patch from Microsoft yet. But ACROS-Security has released a micro-patch for all Windows versions, which is free of charge and prevents exploitation of the vulnerability (see 0Patch Micro patch against Follina vulnerability (CVE-2022-30190) in Windows). In addition, attacks via this vulnerability are now detected and blocked by Microsoft Defender and other virus scanners and SIEMS solutions.

Similar articles:
Follina: Attack via Word documents and ms-msdt protocol (CVE-2022-30190)
Follina vulnerabilitiy (CVE-2022-30190): Status, Findings, Warnings & Attacks
0Patch Micro patch against Follina vulnerability (CVE-2022-30190) in Windows

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Windows and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *