CVE-2022-30190 – New Microsoft Office Zero-Day Code Execution Exploit in the Wild

Posted by on | Featured | No Comments

VTA-00416 – CVE-2022-30190 – New Microsoft Office Zero-Day Code Execution Exploit in the Wild


Recently, the discovery of a Word document that was uploaded to VirusTotal shed light upon a new zero-day vulnerability in Microsoft Office named ‘Follina’ that may lead to arbitrary code execution, tracked as CVE-2022-30190. This malicious document (maldoc) utilizes Microsoft Word’s external link feature to retrieve the malicious HTML file, then using the Microsoft Support Diagnostic Tool — ‘ms-msdt’ to execute PowerShell code.

Although ‘Protected View’ do prevent this exploit from occurring, however once a user activates ‘Enable Editing’, this cascade of exploitation will occur, even with macros disabled. Moreover, if the maldoc has been changed into Rich Text Format (RTF) form, this exploitation can run even without opening the document. Currently, there are multiple Microsoft Office versions affected by this exploit, which includes Office 2013, Office 2016, Office 2019, Office 2021, and Professional Plus editions.

Severity:
High

Attack Surfaces:
Office 365

Tactics:
Command and Control, Defense Evasion, Execution

Techniques:
Application Layer Protocol: Web Protocols, Data Encoding: Standard Encoding, Template Injection, User Execution

Active Defense Tactics:
Detect, Disrupt

Active Defense Techniques:
Network Monitoring, Software Manipulation

SuperPRO’s Threat Countermeasures Procedures: 
1) Disable the MSDT URL Protocol to prevent troubleshooters being launched through links. This can be done by running ‘Command Prompt’ as ‘Administrator’, and back-up the registry key before removing it by running the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”, then delete the registry key using the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”
2) Adding the IOC signature into endpoint security protection as the custom threat detection rules. Refer to the provided IOC above to create a custom rule to block the respective File Hashes and Hostname, if necessary
3) Always ensure file is safe before disabling “Protected View”
4) IDS/IPS should be configured properly
5) Antimalware tool should be updated and configured
6) Enable auto-updates to ensure software is always up to date

Contributed by:  Izzy

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>