Follina is a highly severe remote code execution vulnerability. It was first publicly disclosed as a zero-day by the security research group nao_sec in May 2022, although the vulnerability is believed to have been exploited for a long time before its discovery.
The Common Vulnerabilities and Exposures (CVE) identifier for Follina is CVE-2022-30190.
The vulnerability was discovered in the Microsoft Office suite, and it abuses the Microsoft Support Diagnostic Tool (MSDT) to execute malicious shell commands.
HOW DOES FOLLINA WORK?
Phishing campaigns exploiting Follina encourage targets to open a Microsoft Office document that looks legitimate. The document contains a web link pointing to attacker-controlled content, and this embedded link is used to invoke the Microsoft Support Diagnostic Tool (MSDT).
MSDT is a service provided by Microsoft to collect information about system crashes and send it to the support team; in this attack it is abused to execute a set of PowerShell commands without the user's knowledge. The malicious document can also be delivered via USB, and if it is in .rtf format the code can run without any user interaction.
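Because the lure document is a plain OOXML archive, a defender can triage it offline before anyone opens it. The following is an added example written for this post, not code from the original page or from any vendor: it unpacks a .docx, reads its relationship parts and flags any OLE object relationship whose target lies outside the archive (an external http(s) URL) or any target that uses the ms-msdt: URI scheme. The sample document it builds is constructed in memory for the demonstration, and the hostname attacker.example is a placeholder, not a real indicator.

```python
"""Offline triage of a .docx for the Follina (CVE-2022-30190) delivery pattern.

A .docx is a zip of XML parts. Every external resource the document refers to
is listed in a relationship part (word/_rels/document.xml.rels). A benign
embedded OLE object points at a part inside the archive; the Follina lure
instead points its OLE object relationship at an external web URL. Inspecting
the relationship parts is therefore enough to flag the document without
rendering it.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
)


def find_suspicious_rels(docx_bytes: bytes) -> list[dict]:
    """Return every relationship that is an OLE object pointing outside the
    archive, or whose target uses the ms-msdt: URI scheme."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "Internal") == "External"
                is_ole = rel.get("Type") == OLE_REL_TYPE
                is_msdt = target.lower().startswith("ms-msdt:")
                if (external and is_ole) or is_msdt:
                    findings.append({
                        "part": name,
                        "id": rel.get("Id"),
                        "type": "oleObject" if is_ole else rel.get("Type"),
                        "target": target,
                    })
    return findings


def build_sample_docx(ole_target: str, external: bool) -> bytes:
    """Constructed minimal .docx (not a real malware sample) containing a
    single OLE object relationship with the given target."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{PKG_REL_NS}">'
        f'<Relationship Id="rId1" Type="{OLE_REL_TYPE}" Target="{ole_target}"{mode}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Ordinary embedded object: target is a part inside the archive.
    benign = build_sample_docx("embeddings/oleObject1.bin", external=False)
    # Follina-style lure: OLE object fetched from an external URL (placeholder host).
    lure = build_sample_docx("http://attacker.example/lure.html", external=True)
    print("benign:", find_suspicious_rels(benign))
    print("lure:  ", find_suspicious_rels(lure))
```

The check is deliberately narrow: it reports the relationship, not a verdict, so that an analyst can look at the target URL and the referencing part. A real triage pipeline would run it over every .docx and .rtf attachment at the mail gateway and quarantine anything with an external OLE target.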
SEVERITY OF THE VULNERABILITY
The versions of Microsoft Office vulnerable to Follina are Office 2013, 2016, 2019 and 2021, and some versions of the Office applications pre-installed on PCs are also affected. MS Office is one of the most widely used software suites, so the scope of attacks exploiting Follina is global.
Well-known advanced persistent threat (APT) groups are also reported to be actively exploiting this vulnerability.
Follina is easy to exploit, so even a novice could launch a global phishing campaign. Once an attacker gains remote code execution, they can easily proceed with their nefarious activity. Hence this vulnerability is highly severe.
MITIGATION:
The most effective way to prevent this attack is to patch systems with the updates released by Microsoft. In this update Microsoft disabled the MSDT feature in Windows, which also stops the execution of any code without the user's knowledge.
Because this vulnerability is exploited through user interaction, it is also important to run awareness programs on the importance of not clicking unknown links or opening unknown documents.