UPDATE:
Microsoft has released a patch for the Follina vulnerability in the June 2022 cumulative update and strongly encourages users to install it. For more information on the patch, see this article: bleepingcomputer.com/news/security/microsoft-patches-actively-exploited-follina-windows-zero-day/
What is “Follina”?
To start off, the researchers who discovered this vulnerability found that the malicious document was named "0520220438", where "052022" stands for May 2022. They read "0438" as a telephone area code, which belongs to a place in Italy called Follina. However, the researchers want it known that there is no evidence the exploit originated in Follina, Italy.
What does it exploit?
It exploits a utility that has shipped with Windows for many years to diagnose problems on your computer: the Microsoft Support Diagnostic Tool (msdt.exe). If your internet isn't working or your printer is down, this is the tool that walks you through troubleshooting templates to find and fix the problem. The vulnerability is tracked as CVE-2022-30190.
Do you have to be an active user of this tool to fall victim to the Follina Exploit?
The scary part about this exploit is that you don't need to use the tool to get hacked. The diagnostic tool is built into every Windows installation, servers and workstations alike, from Windows 7 through Windows 10 and 11. That is what makes it so widespread and dangerous.
How would they use this tool to compromise a system?
The biggest threat with Follina is that it allows remote code execution (RCE). Whatever the attacker's code does, it runs with the privileges of the user who opened the document, so they can run scripts, install software, and do all kinds of damage to your computer. A typical threat actor uses it to install "command and control" software so they can come back and control the computer later, or to drop malware such as ransomware.
Do you get this vulnerability from clicking on an attachment or link?
Typically it arrives as an email attachment. The most common form seen so far is a Microsoft Word document that people open. Unlike the macro attacks of the past, nothing has to be enabled: the document contains a reference to a remote template, Word fetches that HTML from the attacker's server, and the page calls the ms-msdt: protocol handler, which launches the diagnostic tool and whatever malicious code was included, all as soon as the document opens. Protected View does hold this back for documents marked as coming from the internet, but the RTF variant of the attack fires from the Explorer preview pane without the file ever being opened.
Isn’t there Macro protocols to prevent this?
Yes and no. It is standard practice today to disable macros or allow them only from trusted documents. Follina doesn't use macros at all, though. It uses an Office feature embedded in the Word document (the remote template reference) to launch the diagnostic tool through the ms-msdt: URL handler, which then runs a script downloaded from a third party, all without warning. Unfortunately, Microsoft's utility accepts a "/skip force" parameter that suppresses its prompts, and the parameter string it is handed can contain PowerShell that gets executed, so the whole chain runs without the user knowing.
What have we been doing here at Skycomp to prevent this from happening?
Here at Skycomp we have good relationships with our vendors, and they were able to address this situation fairly quickly, so our endpoint protection systems automatically rolled out policies that take care of it. They know how the exploit runs, so they can handle it appropriately.
We have also pushed out policies in our zero-trust software, ThreatLocker, to block the Microsoft diagnostic utility from executing PowerShell or remote scripts against your computer. We also set up what's called a Ringfencing policy, which stops Microsoft Office from interacting with the diagnostic utility at all.
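For readers who manage their own machines and want something concrete to run, here is an added example; it is not code from Skycomp, Microsoft or any vendor named above. It assumes an elevated PowerShell 5.1 (or newer) session on a Windows host and does two things this post describes: it checks whether the ms-msdt: URL handler that Office hands the document off to is still registered and, on request, backs it up and removes it (the interim workaround Microsoft published before the June patch); and it scans process-creation records for the shape of a Follina launch, msdt.exe started by an Office application with the prompt-skipping and parameter-injection markers. The function names, the $OfficeParents list and the sample events are my own; the sample events are constructed, and the payload inside them is replaced with a placeholder.

```powershell
# Added example for this post (not Skycomp's, Microsoft's or ThreatLocker's code).
# Assumes an elevated PowerShell session on Windows.
#   Part 1: check / disable the ms-msdt: protocol handler (pre-patch workaround).
#   Part 2: flag process-creation records that look like a Follina launch.

$MsdtHandlerKey = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

function Test-MsdtHandlerPresent {
    # True when the ms-msdt: protocol is still registered, i.e. Office can
    # hand an ms-msdt: URL off to msdt.exe.
    return (Test-Path -Path $MsdtHandlerKey)
}

function Disable-MsdtHandler {
    param([string]$BackupFile = "$env:ProgramData\ms-msdt-backup.reg")
    if (-not (Test-MsdtHandlerPresent)) {
        Write-Host 'ms-msdt handler already absent; nothing to do.'
        return
    }
    # Export the key first so it can be restored (reg import) after patching.
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupFile failed; not deleting the key." }
    Remove-Item -Path $MsdtHandlerKey -Recurse -Force
    Write-Host "ms-msdt handler removed; backup saved to $BackupFile"
}

# Part 2. Each record is a hashtable with the fields a Sysmon Event ID 1 or
# a Security 4688 event (with command-line auditing) gives you.
$OfficeParents = @('WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE', 'MSPUB.EXE')

function Test-FollinaProcessEvent {
    param([hashtable]$Event)
    $image  = [System.IO.Path]::GetFileName([string]$Event.Image)
    $parent = [System.IO.Path]::GetFileName([string]$Event.ParentImage)
    $cmd    = [string]$Event.CommandLine

    $isMsdt       = $image -ieq 'msdt.exe'
    $fromOffice   = $OfficeParents -contains $parent.ToUpper()
    $skipsPrompts = $cmd -match '(?i)/skip\s+force'          # suppresses the troubleshooter UI
    $injectsParam = $cmd -match '(?i)IT_BrowseForFile=.*\$\(' # PowerShell subexpression in a parameter

    # msdt.exe spawned by Office with prompts suppressed is suspicious on its own;
    # the $( marker in the parameter string is the strongest single signal.
    return ($isMsdt -and (($fromOffice -and $skipsPrompts) -or $injectsParam))
}

function Find-FollinaEvents {
    param([hashtable[]]$Events)
    return @($Events | Where-Object { Test-FollinaProcessEvent -Event $_ })
}

# Constructed sample records for demonstration; the payload inside $( ) is a placeholder.
$SampleEvents = @(
    @{ Image       = 'C:\Windows\System32\msdt.exe'
       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
       CommandLine = '"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_BrowseForFile=$(<payload omitted>)"' },
    @{ Image       = 'C:\Windows\System32\msdt.exe'
       ParentImage = 'C:\Windows\explorer.exe'
       CommandLine = '"C:\Windows\System32\msdt.exe" -id NetworkDiagnosticsWeb' },   # a normal troubleshooter launch
    @{ Image       = 'C:\Windows\System32\notepad.exe'
       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
       CommandLine = 'notepad.exe report.txt' }
)

if ($MyInvocation.InvocationName -ne '.') {
    # Running the script directly (not dot-sourced): report handler state and scan the samples.
    Write-Host ("ms-msdt handler present: {0}" -f (Test-MsdtHandlerPresent))
    $hits = Find-FollinaEvents -Events $SampleEvents
    Write-Host ("Suspicious msdt launches: {0} of {1}" -f $hits.Count, $SampleEvents.Count)
    $hits | ForEach-Object { Write-Host ("  " + $_.CommandLine) }
}
```

Run it as-is to see the handler state and the sample scan (the first sample is flagged, the other two are not). Call Disable-MsdtHandler only on hosts that have not yet received the June patch, and restore the key with reg import from the backup file once they are patched. To use the detector on real data, build the hashtables from Sysmon Event ID 1 (Image, ParentImage, CommandLine) or from Security event 4688 with process command-line auditing turned on.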
If you would like to research more, check out these articles!
nakedsecurity.sophos.com/2022/05/31/mysterious-follina-zero-day-hole-in-office-what-to-do/
blog.talosintelligence.com/2022/06/msdt-follina-coverage.html
Subscribe to our Monthly Newsletter!
Want to be in the know with more content like this? Sign up for our monthly newsletter "A Lot More To IT". Subscribe Here.