Note: This blog post discusses active research by CTIG into an ongoing threat. This information should be considered preliminary and will be updated as research continues.
On May 27, 2022, the cyber security research team nao_sec tweeted about an interesting malicious document submitted to VirusTotal from Belarus. nao_sec’s tweet further highlighted the maldoc’s ability to execute arbitrary code by abusing built-in Microsoft Office functionality: the document invokes the diagnostic tool (MSDT) built into many Microsoft applications. The attack generally begins with an email carrying either a malware-embedded document or a link to one; simply opening the document or clicking the link is the first step. This triggers a call-out that would normally be part of Microsoft diagnostics but here points instead to a URL hosting malicious code, which Office processes automatically:
Interesting maldoc was submitted from Belarus. It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code. https://t.co/hTdAfHOUx3 pic.twitter.com/rVSb02ZTwt — nao_sec (@nao_sec) May 27, 2022
Essentially, according to Microsoft, “an attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”
Discovery of “Follina”
Using VirusTotal submissions as data points, the use of this exploit can be traced back to April 2022. On May 27th, a second document using the same technique was uploaded to VirusTotal and flagged by nao_sec.
Several other documents using the same technique were discovered using the May 27th document as a starting point. The exploit is trivial to write and modify. There are several high-quality proof-of-concept examples available at the time of publication.
One of the first security researchers to analyze the exploit, Kevin Beaumont, dubbed the vulnerability "Follina" because the malicious file references 0438, the area code for the Italian village of Follina.
In addition to investigating the origins of this vulnerability, Vulnerability Analyst Will Dormann has since compared CVE-2022-30190 to CVE-2021-40444 (the Microsoft MSHTML Remote Code Execution Vulnerability), which has been widely exploited.
OK, now that I have access to a computer, let's take a look at this Office 0day that folks are talking about.
It's very similar to the MSHTML CVE-2021-40444 vul from September:
1) Use of '!' at the end of the retrieved URI
2) Size of retrieved HTML must be 4096 bytes or larger https://t.co/yxgWJ300OP pic.twitter.com/C2Bpuh7xHQ
— Will Dormann (@wdormann) May 30, 2022
Huntress researcher John Hammond has also noted in their latest blog that "much like CVE-2021-40444, this extends the severity of this threat by not just “single-click” to exploit, but potentially with a “zero-click” trigger."
CTIG is continuing to investigate this vulnerability as it evolves. Technical details will be published as research continues.
Guidance for CVE-2022-30190
The CVSS (Common Vulnerability Scoring System) score for this vulnerability is 7.3, and it affects all versions of Windows. Microsoft recommends disabling the MSDT protocol and provides instructions on how to do so in their workaround document.
The most consistent detection methods appear to be:
- Observing for specific process creations such as msdt.exe being spawned as a child process of any Microsoft Office application, especially Word and Excel.
- Checking application and process-creation logs for msdt.exe executing base64-encoded PowerShell.
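The two detection methods above can be applied directly to process-creation telemetry. The following is an added example written for this post, not code from CTIG or from any referenced researcher; it assumes Sysmon Event ID 1 style fields (ParentImage, Image, CommandLine) and uses constructed sample events, including a placeholder diagnostic pack name rather than any real Follina payload.

```python
import base64
import re

# Office parents whose child msdt.exe is suspicious (compared in lower-case).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# A run of base64 text long enough to carry a command rather than a short token.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Strings that mark a decoded blob as PowerShell rather than opaque data.
PS_MARKERS = ("invoke-expression", "powershell", "frombase64string", "downloadstring")

def _decoded(blob: str) -> list[str]:
    """Decode one base64 run as UTF-16LE (PowerShell -EncodedCommand form) and UTF-8."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # not valid base64 after all
        return []
    return [raw.decode(enc, errors="ignore") for enc in ("utf-16-le", "utf-8")]

def classify(event: dict[str, str]) -> list[str]:
    """Return the names of the Follina-style detections an event matches (empty = clean)."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    hits = []
    if image != "msdt.exe":
        return hits
    if parent in OFFICE_PARENTS:                 # detection method 1: Office -> msdt.exe
        hits.append("office_spawned_msdt")
    if "ms-msdt:" in cmd.lower():                # the URL protocol handler was used
        hits.append("msdt_protocol_handler_invoked")
    for blob in B64_RUN.findall(cmd):            # detection method 2: encoded PowerShell
        if any(m in text.lower() for text in _decoded(blob) for m in PS_MARKERS):
            hits.append("msdt_base64_powershell")
            break
    return hits

# Constructed sample telemetry (Sysmon Event ID 1 style fields), not real data.
_ENCODED = base64.b64encode("Invoke-Expression 'constructed'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r'"C:\Windows\System32\msdt.exe" ms-msdt:/id CONSTRUCTED-PACK /param "' + _ENCODED + '"'},
    {"ParentImage": r"C:\Windows\System32\control.exe", "Image": r"C:\Windows\System32\msdt.exe",  # legitimate troubleshooter
     "CommandLine": r'"C:\Windows\System32\msdt.exe" -id NetworkDiagnosticsWeb'},
]
```

Real telemetry may quote or truncate command lines differently, so tune the minimum run length in B64_RUN against a baseline of normal msdt.exe launches in your environment.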
The primary recommended mitigation is to apply Microsoft-provided patches per their guidance here.
Microsoft provided guidance including workarounds for this information in a May 30th, 2022 MSRC blog here.
CTIG’s look into the future
UPDATE June 23rd, 2022:
So, where do we go from here? As we already know, this vulnerability was discovered by being exploited in the wild. CTIG assesses that this vulnerability will be exploited further as more actors add it to their toolkit. High-quality exploit proof-of-concept samples will make integration into existing campaigns trivial.