Actively exploited Microsoft zero-day flaw still has no patch


Researchers warned last weekend that a bug in the Microsoft Support Diagnostic Tool (MSDT) could be exploited by malicious Word documents to take remote control of target devices. Microsoft published guidance on Monday, including temporary workarounds. On Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency warned that “a remote, unauthenticated attacker could exploit this vulnerability,” known as Follina, “to take control of an affected system.” But Microsoft has not said when, or whether, a patch for the vulnerability will arrive, even though the company acknowledges that the flaw is being actively exploited in the wild. The company had not commented on the prospect of a patch when WIRED asked.

The Follina vulnerability, tracked as CVE-2022-30190, sits in MSDT and can be exploited with a specially crafted Word document. The lure loads a remote template that retrieves a malicious HTML file; that file invokes MSDT through the ms-msdt: URL protocol handler, which ultimately lets an attacker run PowerShell commands on the victim’s Windows machine. Researchers say they would describe the bug as a “zero-day,” or previously unknown vulnerability, but Microsoft did not classify it as such.
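As an added example (the editor’s own code, not code from the article, from Microsoft, or from any vendor quoted here), the following PowerShell check flags the MSDT stage of that chain in process-creation telemetry. Field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine); the list of Office host processes, the command-line markers, and the sample records are assumptions and constructed data, not captured events.

```powershell
# Added example: hunting check for the MSDT stage of the Follina chain.
# Editor's code, not the article's. Record fields mirror Sysmon Event ID 1;
# the Office host list and command-line markers are assumptions.
$officeHosts = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')

function Test-FollinaProcess {
    param([Parameter(Mandatory)] [pscustomobject] $Record)

    $image  = [IO.Path]::GetFileName([string]$Record.Image).ToLowerInvariant()
    $parent = [IO.Path]::GetFileName([string]$Record.ParentImage).ToLowerInvariant()
    $cmd    = [string]$Record.CommandLine

    # Document path: the ms-msdt: handler starts msdt.exe directly under the Office app.
    $msdtUnderOffice = ($image -eq 'msdt.exe') -and ($parent -in $officeHosts)

    # Any delivery path: msdt.exe launched in protocol form, or with the
    # PCWDiagnostic troubleshooter plus an IT_BrowseForFile argument (the
    # parameter the public exploit uses to smuggle in its PowerShell).
    $msdtSuspiciousArgs = ($image -eq 'msdt.exe') -and (
        ($cmd -match '(?i)ms-msdt:') -or
        (($cmd -match '(?i)PCWDiagnostic') -and ($cmd -match '(?i)IT_BrowseForFile'))
    )

    # Execution stage: the troubleshooter host (sdiagnhost.exe) spawning a shell.
    $shellUnderSdiag = ($parent -eq 'sdiagnhost.exe') -and
        ($image -in @('powershell.exe', 'pwsh.exe', 'cmd.exe'))

    return [bool]($msdtUnderOffice -or $msdtSuspiciousArgs -or $shellUnderSdiag)
}

# Constructed sample records (not real telemetry).
$samples = @(
    [pscustomobject]@{
        Image       = 'C:\Windows\System32\msdt.exe'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        CommandLine = '"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_BrowseForFile=..."'
    },
    [pscustomobject]@{
        Image       = 'C:\Windows\System32\msdt.exe'
        ParentImage = 'C:\Windows\explorer.exe'
        CommandLine = '"C:\Windows\System32\msdt.exe" /id NetworkDiagnosticsWeb'   # legitimate troubleshooter launch
    },
    [pscustomobject]@{
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        ParentImage = 'C:\Windows\System32\sdiagnhost.exe'
        CommandLine = 'powershell.exe -nop -w hidden -c ...'
    }
)

$samples | ForEach-Object {
    $verdict = if (Test-FollinaProcess $_) { 'ALERT' } else { 'ok   ' }
    "{0} {1} -> {2}" -f $verdict, (Split-Path -Leaf $_.ParentImage), (Split-Path -Leaf $_.Image)
}
```

The first and third records trip the check; the Explorer-launched troubleshooter does not. On a real host, feed the function records from the Sysmon operational log (via Get-WinEvent) instead of the constructed array, and treat the second and third rules as hunting leads rather than high-confidence alerts, since msdt.exe and sdiagnhost.exe also appear in legitimate troubleshooting sessions.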

“As public awareness of the exploit grew, we began seeing an immediate response from a variety of attackers who started using it,” says Tom Hegel, a senior threat researcher at the security firm SentinelOne. He adds that while attackers have so far been observed exploiting the flaw through malicious documents, researchers have also discovered other ways to trigger it, including manipulating HTML content in network traffic.


“While the malicious-document approach is highly concerning, the less documented methods by which exploitation can be triggered are troubling until they are patched,” says Hegel. “I would expect opportunistic and targeted threat actors to use this vulnerability in a variety of ways when the option is available; it’s too easy.”

The vulnerability is present in all supported versions of Windows and can be exploited through Microsoft Office 365, Office 2013 through 2019, Office 2021, and Office ProPlus. The main mitigation Microsoft has proposed is to disable the MSDT URL protocol handler (ms-msdt:) by deleting its registry key, and to rely on Microsoft Defender Antivirus to detect and block exploitation attempts.
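Microsoft’s published workaround is the one-liner reg delete HKEY_CLASSES_ROOT\ms-msdt /f, preceded by an export of the key. As an added example (the editor’s script, not code from the article or from Microsoft), the following PowerShell applies that workaround with a backup and a verification step. Run it in an elevated session; the backup location under ProgramData is an assumption.

```powershell
# Added example: apply Microsoft's Follina registry workaround with a backup
# and a verification step. Editor's script, not from the article or Microsoft.
# Requires an elevated PowerShell session.
$keyName    = 'HKEY_CLASSES_ROOT\ms-msdt'            # form reg.exe expects
$keyPath    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'  # form the Registry provider expects
# Backup location is an assumption; any path that survives a reboot will do.
$backupFile = Join-Path $env:ProgramData ("ms-msdt-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))

if (-not (Test-Path -LiteralPath $keyPath)) {
    Write-Host "ms-msdt handler is not registered on this host; nothing to do."
    return
}

# 1. Export the key so the workaround can be reversed (reg import <file>) once a fix is installed.
& reg.exe export $keyName $backupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "reg.exe export failed (exit $LASTEXITCODE); leaving the key in place."
}

# 2. Remove the protocol handler, exactly as Microsoft's workaround does.
& reg.exe delete $keyName /f | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "reg.exe delete failed (exit $LASTEXITCODE)."
}

# 3. Verify that ms-msdt: no longer resolves to a handler.
if (Test-Path -LiteralPath $keyPath) {
    throw "ms-msdt key still present; mitigation not applied."
}
Write-Host "ms-msdt URL protocol removed. Backup saved to $backupFile"
```

One caveat a practitioner should expect: while the key is absent, any troubleshooter reached through an ms-msdt: link fails to start. Keep the .reg backup with the change record so the handler can be restored with reg import after a patch ships.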

But incident responders say more action is needed, given how easy the vulnerability is to exploit and how much malicious activity is already being detected.

“We’re seeing several APT actors incorporate this technique into longer infection chains that use the Follina vulnerability,” says Michael Raggi, a threat researcher at the security firm Proofpoint who focuses on Chinese state-aligned hackers. “For example, on May 30, 2022, we observed the Chinese APT actor TA413 sending a malicious URL in an email that impersonated the Central Tibetan Administration. Different actors are incorporating Follina-related files at different stages of their infection chains, depending on their pre-existing toolset and the tactics deployed.”

Researchers have also seen malicious documents exploiting Follina against targets in Russia, India, the Philippines, Belarus, and Nepal. A university researcher first noticed the flaw in August 2020, but it was first reported to Microsoft on April 21. Researchers also note that Follina exploits are especially useful to attackers because they can be triggered from malicious documents without relying on macros, the heavily abused Office document feature that Microsoft has worked to rein in.

“Proofpoint has identified a variety of actors incorporating the Follina vulnerability into phishing campaigns,” says Sherrod DeGrippo, Proofpoint’s vice president of threat research.

With all this real-world exploitation, the question is whether the guidance that Microsoft has published so far is appropriate and proportionate to the risk.

“Security teams might see Microsoft’s carefree approach as a sign that this is ‘just another vulnerability,’ which is certainly not the case,” said Jake Williams, director of cyber threat intelligence at the security company Scythe. “It’s not clear why Microsoft continues to downplay this vulnerability, especially while it is being actively exploited in the wild.”

This story originally appeared on wired.com.
