MS Office RCE Vulnerability “Follina” CVE-2022-30190 actively exploited by threat actors
June 3, 2022
CloudSEK’s Threat Research team has analyzed the MS Office RCE 0day vulnerability that has been dubbed Follina and assigned CVE-2022-30190. The attack vector and the vulnerability closely resemble CVE-2021-40444.
Remote Code Execution
The 0day vulnerability dubbed Follina (CVE-2022-30190) is an RCE vulnerability in MS Office.
The attack vector has been out in the open for 2 years.
Recent increase in dark web chatter regarding weaponizing publicly available PoCs to bypass sandboxes and EDRs.
Attackers can exploit this vulnerability to execute commands remotely.
Attackers can piggyback on the exploit to drop malware and ransomware.
Loss of revenue, reputation, and intellectual property.
Overview of CVE-2022-30190
CVE-2022-30190 has been dubbed Follina because the original exploit file references the number 0438, which is the area code of Follina in Italy.
It is a remote code execution (RCE) vulnerability for which zero-click vectors are publicly available. Hence it is easy to exploit and can have a high impact on victims.
This vulnerability/attack vector does not rely on macros, which makes it even more dangerous: macros are now sandboxed and disabled by default, whereas this attack vector only requires opening the malicious document, without enabling anything.
Contrary to popular belief, this attack vector has been out in the open for 2 years. The exploitation of MS-msdt has been detailed in this research paper.
Information from OSINT
CloudSEK’s Threat Research team has identified that the Follina vulnerability was being exploited before the recent advisory and workarounds from Microsoft.
In April 2022, crazyman_army highlighted the active exploitation of CVE-2022-30190. The vector was even reported to Microsoft but was not considered a valid issue.
This issue was identified again by Nao_sec in May 2022. While researching possible exploitation attempts for CVE-2021-40444, Nao_sec stumbled on a file that used an ms-msdt payload to invoke PowerShell and execute commands, but which VirusTotal flagged as CVE-2017-0199. This sample was used to create PoC exploits, and since then Follina has gained significant public attention.
The same attack vector was discovered in 2020 and has been out in the open for 2 years.
Information from Dark Web Forums
CloudSEK has already identified chatter on dark web forums discussing the usage of publicly available PoCs to bypass sandboxes and EDRs.
Threat actors and APT groups are quick to discover and exploit vulnerabilities in popular services. In this case, the low complexity of the attack vector made it an especially attractive target. Chinese threat group TA413 has already started exploiting this vulnerability by impersonating the “Women Empowerment Desk” of the Central Tibetan Administration, as highlighted by the image below:
On dark web and cybercrime forums multiple threat actors are:
Discussing the Follina vulnerability and possible exploitation methods.
Selling mass exploiters for the CVE.
Technical Analysis of CVE-2022-30190
How Threat Actors Identify Vulnerable Instances
To check for any exploitation attempts, attackers look into the following registry key for any suspicious domains that the Office application has reached out to: HKEY_USERS\<SID>\SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache. The IP address and port data listed under this key shows the external connections made by the Office application.
Exploiting the Vulnerability
The vulnerability involves sending a Microsoft Office document to the victim. Opening the document starts WINWORD.exe, which loads an external reference to a malicious URI: xmlformats.com (this has since been taken down).
Attackers can point the document at their own command and control servers by modifying the following file: word/_rels/document.xml.rels.
Once the attacker has modified the URL, the document, when opened, reaches out to the attacker’s C2 server and fetches malicious code that invokes PowerShell.
The original sample fetched the following file:
If the downloaded file does not reach 4096 bytes in size, the msdt child process asks the user for a password. This is why the file contains redundant comments.
The WINWORD.exe process then starts the child process msdt.exe. MSDT is then used to invoke PowerShell and run a Base64-encoded command, which is:
Here the threat actor is trying to execute the final payload via the MS command line. The contents of rgb.exe are not currently known. However, in the wild, threat actors are dropping Cobalt Strike payloads, stealers, loaders, and other malware via encoded PS commands. Hence our best assumption is that rgb.exe is one of the payloads illustrated above.
Threat actors can then use this command execution capability to move laterally through the victim’s infrastructure, escalate privileges and drop ransomware, or maintain persistence.
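The two artifacts in the chain above, the external oleObject relationship in word/_rels/document.xml.rels and the fetched HTML that references the ms-msdt handler and is padded past 4096 bytes, can both be triaged statically. The following is an added example written for this article, not CloudSEK’s tooling; the .docx it builds, the c2.example.invalid URL and the HTML body are constructed sample data.

```python
"""Static triage for Follina-style documents (added example, not CloudSEK's code):
list external relationships in word/_rels/document.xml.rels, then check the page the
document would fetch for an ms-msdt: reference and for padding to the 4096-byte minimum."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_PATH = "word/_rels/document.xml.rels"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
MIN_PAYLOAD_BYTES = 4096  # below this size msdt prompts for a password instead of running

def external_targets(docx_bytes: bytes) -> list[tuple[str, str]]:
    """Return (short relationship type, target) for every TargetMode="External" entry."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PATH not in zf.namelist():
            return found
        root = ET.fromstring(zf.read(RELS_PATH))
    for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
        if rel.get("TargetMode", "").lower() == "external":
            found.append((rel.get("Type", "").rsplit("/", 1)[-1], rel.get("Target", "")))
    return found

def suspicious_external_targets(docx_bytes: bytes) -> list[str]:
    """The Follina pattern: an embedded oleObject whose target is a remote http(s) URL."""
    return [target for rtype, target in external_targets(docx_bytes)
            if rtype == "oleObject" and target.lower().startswith(("http://", "https://"))]

def check_fetched_html(body: bytes) -> dict:
    """Inspect the page the document reaches out for: msdt handler and comment padding."""
    return {
        "invokes_msdt": re.search(rb"ms-msdt:", body, re.IGNORECASE) is not None,
        "padded_to_min_size": len(body) >= MIN_PAYLOAD_BYTES,
    }

def build_sample_docx(target: str) -> bytes:
    """Constructed minimal .docx containing only the relationships part under test."""
    rels = (f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{PKG_NS}">'
            f'<Relationship Id="rId1" Type="{OLE_TYPE}" Target="{target}" TargetMode="External"/>'
            "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(RELS_PATH, rels)
    return buf.getvalue()
```

Running `suspicious_external_targets` over a real .docx (any zip with the relationships part) lists the remote oleObject targets worth blocking or hunting for in the Server Cache key; `check_fetched_html` is meant for the body retrieved from such a target in a sandbox.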
Impact & Mitigation
Attackers can use this vulnerability to execute commands remotely.
Threat actors can abuse this vulnerability to steal NTLM hashes from targeted systems while establishing outbound connections to the attacker’s system. This could lead to further AD-targeted attacks that may compromise the victim’s internal network.
Since the flaw is easy to exploit, threat actors can target a large volume of victims and piggyback on it to deploy ransomware.
Potential loss of revenue, reputation, and intellectual property.
This vulnerability is still a 0day, as no patch is available.