Monday, December 5, 2022

A vulnerability called ‘Follina’ is allowing cyber attackers to gain full control of affected devices. Follina is a software vulnerability that lets attackers abuse Word’s remote template feature to reach MSDT (the Microsoft Support Diagnostic Tool): the attacker supplies a specially crafted Word document, which loads an HTML file that triggers the vulnerability.

A Japanese cybersecurity research team disclosed this vulnerability, named “Follina”, on Twitter. It is a Microsoft Office flaw that lets a document execute malicious code even when the user has macros disabled, and it fires as soon as the Word document is opened. The Follina zero-day has been found to affect Office 2013 and later versions.

Transfers Malicious Code

The vulnerability delivers malicious code via a Microsoft Word document. Anyone who opens the file can be impacted the moment they do so, meaning that cyber-criminals handling such files are at risk too. The issue affects Office 2013 and newer versions. Attackers do not need macros to compromise a system, and the vulnerability is reachable from every version of Windows because it lies in the design of the software itself.

How Follina Vulnerability has impacted Microsoft

The AsyncRAT payload detects analysis tools on the system and shuts them down. It then gathers information about the infected machine, such as the hardware identifier and username, sends it to a C2 server, and executes commands received from that server on the infected machine.

This new type of virus steals personal information from the browser, including cookies and data from Skype, Chrome, and Firefox. Threat hunters tracking Follina found that organizations in the US are frequently targeted. Bad actors are actively trying to exploit the bug, which has been known since April, when Shadow Chasers tweeted that they had reported the vulnerability to Microsoft themselves. Merely opening a malicious file in preview mode was enough to launch the code.

The vulnerability can be exploited by any application that calls MSDT, including Microsoft’s own applications. An information security researcher found malware that exploited this opening in Microsoft Word. Because the malware’s code contained the area code 0438, the researcher named the new threat “Follina” after that town. Microsoft issued an advisory on June’s Patch Tuesday.

If an attacker successfully exploits this vulnerability, they could access private information on systems running on cloud servers or on-premises. In the cloud case, the attacker would need to operate from a malicious VM and trick another VM; in the on-premises case, the attacker would need either system access or an application installed on the target machine.

Follina Not Using Macros

This new vulnerability, described as a metamorphic code attack, lets malicious actors launch an automated process without using macros. Microsoft offers macros as a series of instructions and commands to automate tasks; the new vulnerability lets attackers achieve the same kind of automation without any macro at all. If the document reaches a remote site hosting a Word template, that template downloads and executes code through PowerShell. This should not be possible.

Follina Vulnerability exploited

A file exploiting the loophole was seen profiling a user in Russia more than a month ago.

Microsoft Office is a prime target for attack because of this vulnerability. Microsoft is aware of the issue, and the attacker may target anyone with a Microsoft 365 licence. Microsoft was made aware of the security issue in April but did not think it was a precursor to a future event.

Microsoft, which had previously denied that there was a vulnerability, finally acknowledged it as CVE-2022-30190. Microsoft recommends disabling the MSDT URL protocol and enabling certain settings in Microsoft Defender. It has not yet provided an exact timeline, but the Follina vulnerability is known to be a time-sensitive issue in Word.
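Microsoft’s interim guidance was to back up and delete the `HKEY_CLASSES_ROOT\ms-msdt` registry key (which removes the `ms-msdt:` URL handler) and to use Defender’s attack surface reduction rule that blocks Office applications from creating child processes. The PowerShell script below is an added example, not code from the article or from Microsoft; it assumes an elevated prompt, a backup folder under ProgramData (an assumption for this example), and that Microsoft Defender is the active antivirus, since `Add-MpPreference` and `Get-MpPreference` are otherwise unavailable.

```powershell
# Added example (not from the original article): apply and verify the two
# interim mitigations Microsoft published for CVE-2022-30190. Run from an
# elevated PowerShell prompt; the backup location is an assumption.
$KeyPath    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$BackupDir  = Join-Path $env:ProgramData 'follina-mitigation'
$BackupFile = Join-Path $BackupDir 'ms-msdt.reg'
# Defender ASR rule "Block all Office applications from creating child processes"
$OfficeChildProcessRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Assert-Elevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this script from an elevated PowerShell prompt.'
    }
}

function Backup-MsdtProtocol {
    # Export the handler key so the change can be reverted once the patch is installed
    if (-not (Test-Path $KeyPath)) {
        Write-Output 'HKCR\ms-msdt is already absent; nothing to back up.'
        return $false
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed (exit code $LASTEXITCODE)" }
    Write-Output "Backed up HKCR\ms-msdt to $BackupFile"
    return $true
}

function Disable-MsdtProtocol {
    # Removing the key breaks the ms-msdt: URL scheme, so a document can no
    # longer hand a URL to MSDT; legitimate troubleshooter links stop working too
    Assert-Elevated
    if (Backup-MsdtProtocol) {
        Remove-Item -Path $KeyPath -Recurse -Force
        Write-Output 'Removed HKCR\ms-msdt.'
    }
}

function Restore-MsdtProtocol {
    # Revert the workaround after the June fix has been installed
    Assert-Elevated
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe import failed (exit code $LASTEXITCODE)" }
    Write-Output 'Restored HKCR\ms-msdt from backup.'
}

function Enable-OfficeChildProcessBlock {
    # Defender setting: Word, Excel, etc. may not spawn child processes at all,
    # which stops the Office -> msdt.exe step even if the URL scheme is restored
    Assert-Elevated
    Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcessRule `
                     -AttackSurfaceReductionRules_Actions Enabled
}

function Test-FollinaMitigations {
    # Report the state of both mitigations; action value 1 means "Enabled"
    $prefs   = Get-MpPreference
    $ids     = @($prefs.AttackSurfaceReductionRules_Ids)
    $actions = @($prefs.AttackSurfaceReductionRules_Actions)
    $ruleEnabled = $false
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $OfficeChildProcessRule) { $ruleEnabled = ($actions[$i] -eq 1) }
    }
    [pscustomobject]@{
        MsdtHandlerRemoved      = -not (Test-Path $KeyPath)
        OfficeChildProcessBlock = $ruleEnabled
    }
}

Disable-MsdtProtocol
Enable-OfficeChildProcessBlock
Test-FollinaMitigations
```

Removing the handler key also disables legitimate `ms-msdt:` troubleshooter links, so keep the exported `.reg` file and run `Restore-MsdtProtocol` once the fix is deployed. The ASR rule is the more durable control of the two: it blocks the Office-to-child-process step regardless of which URL scheme a future document abuses.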

What methods do attackers use when exploiting the Follina vulnerability?

The .doc file contains a link to an HTML page holding code that is hard to decipher.

Windows opens MSDT and runs the code supplied through that link. Depending on the code executed, a hacker can either compromise the system further or take control of it outright. A malicious email can easily deliver Follina by carrying a malicious document or a link to one.
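A defender triaging a suspicious .docx can look for the ingredient described above, a link from the document to an external page, without opening the file in Word: a .docx is a zip package, and references to external content are recorded in its relationship files (`word/_rels/*.rels`) as `Relationship` elements with `TargetMode="External"`. The PowerShell below is an added example, not code from the article; the sample relationship file is constructed for the example and the `example.invalid` host is a placeholder, not a real indicator. Ordinary hyperlinks are also external relationships, so the check excludes the `hyperlink` relationship type to avoid flagging every document with a web link.

```powershell
# Added example (not from the original article): flag external (remote)
# relationships in a Word document package without rendering it.

function Get-ExternalRelationships {
    param([xml]$RelsXml)
    $ns = @{ r = 'http://schemas.openxmlformats.org/package/2006/relationships' }
    $found = @()
    foreach ($match in (Select-Xml -Xml $RelsXml -XPath '//r:Relationship' -Namespace $ns)) {
        $node = $match.Node
        $relType = ($node.Type -split '/')[-1]        # e.g. oleObject, attachedTemplate, hyperlink
        # Plain hyperlinks are normal; any other relationship pointing at http(s) is worth a look
        if ($node.TargetMode -eq 'External' -and $relType -ne 'hyperlink' -and $node.Target -match '^https?://') {
            $found += [pscustomobject]@{ Id = $node.Id; RelType = $relType; Target = $node.Target }
        }
    }
    return $found
}

function Test-DocxForRemoteReferences {
    # Open the .docx as a zip and scan every .rels part under word/
    param([string]$Path)
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip = [IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $hits = @()
        foreach ($entry in $zip.Entries) {
            if ($entry.FullName -like 'word/*.rels') {
                $reader = New-Object IO.StreamReader($entry.Open())
                try { $xml = [xml]$reader.ReadToEnd() } finally { $reader.Dispose() }
                foreach ($hit in (Get-ExternalRelationships $xml)) {
                    $hits += ($hit | Add-Member -NotePropertyName Part -NotePropertyValue $entry.FullName -PassThru)
                }
            }
        }
        return $hits
    } finally { $zip.Dispose() }
}

# Constructed sample: a document.xml.rels with one local part, one ordinary
# hyperlink, and one external object reference of the kind the article describes.
$SampleRels = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://www.example.com/" TargetMode="External"/>
  <Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://example.invalid/page.html" TargetMode="External"/>
</Relationships>
'@

# Expected: only rId3 (oleObject -> http://example.invalid/page.html) is reported
Get-ExternalRelationships ([xml]$SampleRels) | Format-Table -AutoSize

# For a real file quarantined from mail, e.g.:
# Test-DocxForRemoteReferences 'C:\quarantine\suspicious.docx' | Format-Table -AutoSize
```

The same relationship scan works for .dotx/.docm packages; legacy binary .doc files are not zip packages and need a different parser. A hit is a reason to detonate the file in a sandbox or block it at the gateway, not proof of exploitation on its own, since some legitimate documents embed remote objects.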

You only need to open and view a Word document, or a preview of it, to fall victim to the attack. Cemerikic says that “although there are only recorded cases in which this has been exploited in the wild, any office product which handles objects is vulnerable.” This makes the vulnerability more dangerous than traditional ones.

Learn about the attacks

This is a well-documented exploit that many hackers are using. The first breach was allegedly carried out by Chinese APT threat actors. Chinese hackers have targeted the Follina vulnerability with Word documents in a malware campaign that falsely appears to come from a Tibetan women’s empowerment group.

To detect malicious activity involving sdiagnhost.exe, administrators can track and block the suspicious process. The culprit will be a child executable whose parent is conhost.exe, carrying a payload that launches a chain of further processes. Microsoft has offered a workaround that disables MSDT URLs in the registry. Security vendors are actively shipping updates to detect the Follina vulnerability, along with antivirus signatures that can keep your computer safe. Do not preview files or documents sent by an unknown sender, in particular DOC or DOCX files.
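The detection advice above, watching process lineage rather than file hashes, can be expressed as a rule over process-creation events. The PowerShell below is an added example, not code from the article; the events are constructed for the example and only loosely follow Sysmon Event ID 1 field names, and the constructed lineage (Word spawning msdt.exe, and a payload running under sdiagnhost.exe via conhost.exe) is for illustration. It goes slightly beyond the paragraph by also flagging the Office-application-to-msdt.exe step, the other lineage commonly used in Follina detections.

```powershell
# Added example (not from the original article): flag Follina-style process
# chains in process-creation events. Events are constructed; a real run would
# read them from the Sysmon or Security event log instead.

function Get-ImageName([string]$Image) {
    return [IO.Path]::GetFileName($Image).ToLowerInvariant()
}

function Test-HasAncestor {
    # Walk up ParentProcessId links and report whether $AncestorName appears
    param($Event, [string]$AncestorName, [hashtable]$Index)
    $current = $Event
    $depth = 0
    while ($Index.ContainsKey($current.ParentProcessId) -and $depth -lt 32) {
        $current = $Index[$current.ParentProcessId]
        if ((Get-ImageName $current.Image) -eq $AncestorName) { return $true }
        $depth++
    }
    return $false
}

function Find-FollinaProcessChains {
    param([object[]]$ProcessEvents)
    $officeApps = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')
    $index = @{}
    foreach ($e in $ProcessEvents) { $index[$e.ProcessId] = $e }
    $hits = @()
    foreach ($e in $ProcessEvents) {
        $name   = Get-ImageName $e.Image
        $parent = if ($index.ContainsKey($e.ParentProcessId)) { Get-ImageName $index[$e.ParentProcessId].Image } else { '' }
        # Rule 1: an Office application launching the diagnostic tool
        if ($name -eq 'msdt.exe' -and $officeApps -contains $parent) {
            $hits += [pscustomobject]@{ Rule = 'office-spawns-msdt'; ProcessId = $e.ProcessId; Image = $name; Parent = $parent }
        }
        # Rule 2: anything running beneath sdiagnhost.exe (conhost.exe itself is
        # a normal console host, so only what it launches is reported)
        elseif ($name -notin @('conhost.exe', 'sdiagnhost.exe') -and (Test-HasAncestor $e 'sdiagnhost.exe' $index)) {
            $hits += [pscustomobject]@{ Rule = 'sdiagnhost-descendant'; ProcessId = $e.ProcessId; Image = $name; Parent = $parent }
        }
    }
    return $hits
}

# Constructed process tree (PIDs and paths are invented for the example)
$SampleEvents = @(
    [pscustomobject]@{ ProcessId = 100; ParentProcessId = 1;   Image = 'C:\Windows\explorer.exe' },
    [pscustomobject]@{ ProcessId = 200; ParentProcessId = 100; Image = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE' },
    [pscustomobject]@{ ProcessId = 300; ParentProcessId = 200; Image = 'C:\Windows\System32\msdt.exe' },
    [pscustomobject]@{ ProcessId = 50;  ParentProcessId = 1;   Image = 'C:\Windows\System32\svchost.exe' },
    [pscustomobject]@{ ProcessId = 400; ParentProcessId = 50;  Image = 'C:\Windows\System32\sdiagnhost.exe' },
    [pscustomobject]@{ ProcessId = 500; ParentProcessId = 400; Image = 'C:\Windows\System32\conhost.exe' },
    [pscustomobject]@{ ProcessId = 600; ParentProcessId = 500; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' },
    [pscustomobject]@{ ProcessId = 700; ParentProcessId = 100; Image = 'C:\Windows\System32\notepad.exe' }
)

# Expected: two hits, PID 300 (office-spawns-msdt) and PID 600 (sdiagnhost-descendant)
Find-FollinaProcessChains $SampleEvents | Format-Table -AutoSize
```

To run this against live telemetry, build the event objects from `Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath '*[System[EventID=1]]'` (or Security event 4688 with process creation auditing enabled) and map the Image, ProcessId and ParentProcessId fields. Rule 2 will also fire for legitimate troubleshooters that run scripts under sdiagnhost.exe, so tune it against a baseline before blocking on it.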