Researchers warned last weekend that a bug in the Microsoft Support Diagnostic Tool could be exploited using malicious Word documents to remotely control target devices. Microsoft published guidance on Monday, including temporary defensive measures. On Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency warned that “an external, unauthorized attacker could exploit this vulnerability,” known as Follina, “to take control of an affected system.” But Microsoft would not say when or if there will be a patch for the vulnerability, even though the company acknowledged that the bug was being actively exploited by attackers in the wild. And the company still had no comment on the possibility of a patch when WIRED asked yesterday.
The Follina vulnerability in a Windows support tool can be easily exploited through a specially crafted Word document. The document uses a remote template that can download a malicious HTML file and ultimately allow an attacker to execute PowerShell commands on Windows. Researchers note that they would describe the bug as a “zero-day,” or previously unknown, vulnerability, but Microsoft has not classified it as such.
“As public awareness of the exploitation grew, we began to see an immediate response from a number of attackers who began using it,” said Tom Hegel, senior threat researcher at security firm SentinelOne. He adds that although attackers have so far been primarily observed exploiting the bug through malicious documents, researchers have also discovered other methods, including manipulating HTML content in network traffic.
“While the malicious document approach is very worrying, the less documented methods by which exploitation can be triggered are worrying until it is patched,” Hegel says. “I would expect opportunistic and targeted threat actors to use this vulnerability in a variety of ways when the opportunity arises – it’s just too easy.”
The vulnerability is present in all supported versions of Windows and can be exploited through Microsoft Office 365, Office 2013 to 2019, Office 2021 and Office ProPlus. Microsoft’s main proposed mitigation involves disabling a specific URL protocol handler used by the Support Diagnostic Tool and using Microsoft Defender Antivirus to monitor and block exploitation.
But researchers say more action is needed, given how easy the vulnerability is to exploit and how much malicious activity is being detected.
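The article does not name the protocol Microsoft asked administrators to disable; it is the ms-msdt URL handler, whose registration lives under HKEY_CLASSES_ROOT\ms-msdt, and Microsoft’s published workaround was to back that key up with reg.exe and delete it. The following PowerShell script is an added example, not code from the article or from Microsoft: it audits whether the handler is still registered (and what command it would launch), and only when run with -Apply does it take the backup and remove the key. The backup path and function names are the example’s own choices; run it from an elevated prompt.

```powershell
# Added example (not from the article or Microsoft): audit and, on request,
# apply the ms-msdt workaround for Follina. Assumptions: the key name
# HKEY_CLASSES_ROOT\ms-msdt and the reg.exe export/delete steps follow
# Microsoft's June 2022 guidance; the default backup path is arbitrary.
param(
    [switch]$Apply,
    [string]$BackupPath = "$env:SystemDrive\ms-msdt-backup.reg"
)

function Test-MsdtProtocolHandler {
    # Returns $true while the ms-msdt handler is registered, i.e. while a
    # crafted document can still hand a URL to the diagnostic tool.
    Test-Path -Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
}

function Get-MsdtHandlerCommand {
    # Records which command the handler launches, for the change log.
    $key = 'Registry::HKEY_CLASSES_ROOT\ms-msdt\shell\open\command'
    if (Test-Path -Path $key) { (Get-ItemProperty -Path $key).'(default)' }
}

function Disable-MsdtProtocolHandler {
    param([string]$Backup)
    if (-not (Test-MsdtProtocolHandler)) {
        Write-Output 'ms-msdt handler already absent; nothing to do.'
        return
    }
    # Export first so the handler can be restored with "reg import" once a
    # patch ships; abort rather than delete if the backup did not succeed.
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $Backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup to $Backup failed; aborting." }
    & reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Failed to delete the ms-msdt key.' }
    Write-Output "ms-msdt handler removed; backup saved to $Backup"
}

if (Test-MsdtProtocolHandler) {
    Write-Output 'ms-msdt protocol handler is registered (exposed to Follina).'
    Write-Output ('Handler command: ' + (Get-MsdtHandlerCommand))
    if ($Apply) { Disable-MsdtProtocolHandler -Backup $BackupPath }
    else { Write-Output 'Re-run with -Apply to back up and remove it.' }
} else {
    Write-Output 'ms-msdt protocol handler not registered; workaround in place.'
}
```

Running the script without -Apply is safe on any host and is the useful part for fleet-wide inventory: the Test-MsdtProtocolHandler result tells you which machines still have the handler. The backup step is deliberately a hard prerequisite of the delete, because the workaround also breaks legitimate ms-msdt troubleshooters and needs to be reversible once Microsoft patches the tool.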
“We are seeing a variety of APT actors incorporate this technique into longer infection chains that exploit the Follina vulnerability,” said Michael Raggi, a threat researcher at security firm Proofpoint who focuses on Chinese government-backed hackers. “For example, on May 30, 2022, we observed the Chinese APT actor TA413 send a malicious URL in an email that mimicked the Central Tibetan Administration. Different actors insert Follina-related files at different stages of their infection chain, depending on their existing toolkit and implemented tactics.”
Researchers have also seen malicious documents exploiting Follina aimed at targets in Russia, India, the Philippines, Belarus and Nepal. An undergraduate researcher first noted the bug in August 2020, but it was first reported to Microsoft on April 21. Researchers also noted that Follina attacks are particularly useful for attackers because they can originate from malicious documents without relying on macros, the heavily abused Office document feature that Microsoft has been working to curb.
“Proofpoint has identified a number of actors incorporating the Follina vulnerability into phishing campaigns,” said Sherrod DeGrippo, Proofpoint’s Vice President of Threat Research.
With all this real-world exploitation, the question is whether the guidance Microsoft has published so far is adequate and proportionate to the risk.
“Security teams could see Microsoft’s careless approach as a sign that ‘this is just another vulnerability,’ which it certainly is not,” said Jake Williams, director of cyber-threat intelligence at security firm Scythe. “It is not clear why Microsoft continues to downplay this vulnerability, especially while it is being actively exploited in the wild.”