New Zero-Day Windows Vulnerability Requires Vigilance

Threat actors, including state-supported groups and cybercrime organizations, are actively ramping up attacks that leverage a recently discovered zero-day flaw in a Microsoft Windows support tool. The flaw, known as Follina, allows attackers to remotely take control of targeted computer systems through the use of altered Office documents.

Microsoft distributed a patch for the vulnerability as part of its Patch Tuesday updates for June. The company is urging customers to move quickly to install the patch due to the flaw’s high potential for exploitation.

According to numerous reports, hackers possibly aligned with China have used the vulnerability to launch attacks against U.S. and European Union government targets. Meanwhile, cybercrime groups such as the Black Basta gang have used the flaw to distribute ransomware, trojans and info-stealers to numerous private sector organizations.

Follina is a remote code execution (RCE) vulnerability in the Microsoft Support Diagnostic Tool (MSDT). The tool is meant to give Microsoft support personnel a way to remotely access systems for diagnostic purposes, but attackers can use maliciously altered Office documents to exploit the tool’s remote access capability. Once inside a system, attackers can then view, change or delete data, run arbitrary code, install programs or create new accounts.

A ‘Zero-Click’ Threat

Although recorded exploits to date have largely involved Word documents, Excel and PowerPoint documents are also potential delivery mechanisms. Microsoft has confirmed that Office 365, Office ProPlus, Office 2013, Office 2016, Office 2019 and Office 2021 are all vulnerable to Follina.

It's not the first time Office documents have been used to drop malware into victims’ computers. However, these exploits typically use a macro to hide malware within a document that is transmitted via a phishing email. The macro automatically runs when the document is opened, launching the malware.

What makes Follina unique is that it doesn’t require macros, so there’s no need to trick users into actually opening the document. Users could trigger the exploit simply by viewing a hover preview of an infected document in Windows Explorer. Multiple researchers have confirmed that Follina is a “zero-click” exploit that requires no user interaction.

Mitigation Strategies

Before the June patch was available, Microsoft outlined two workarounds to be used in the interim. Although the patch should reduce your exposure to the vulnerability, we recommend keeping these workarounds in place as an additional safeguard:

1. Disable the MSDT protocol.

  • Run Command Prompt as Administrator
  • To back up the registry key, execute the command "reg export HKEY_CLASSES_ROOT\ms-msdt filename"
  • Execute the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f"

2. Disable preview in Windows Explorer

  • Open File Explorer
  • Click on View Tab
  • Click on Preview Pane to hide it
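
The following PowerShell script is an added example, not part of the original article or Microsoft’s guidance. It audits whether the ms-msdt protocol handler from workaround 1 is still registered on a host and, with -Apply, performs the same backup-then-delete steps listed above; the default backup location $BackupPath is an assumption you should adjust for your environment.

```powershell
# Added example: audit and optionally apply the ms-msdt workaround described above.
# Run from an elevated PowerShell session (the registry key lives under HKCR).
param(
    [switch]$Apply,
    [string]$BackupPath = "$env:USERPROFILE\ms-msdt-backup.reg"   # assumed default location
)

$KeyPath = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

function Test-MsdtHandlerRegistered {
    # The ms-msdt: protocol can only be handed to msdt.exe while this key exists.
    return Test-Path -LiteralPath $KeyPath
}

function Backup-MsdtHandler {
    param([string]$Path)
    # Same step as the article: reg export of the key. /y overwrites an older backup file.
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $Path /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of ms-msdt key failed (exit code $LASTEXITCODE)" }
    return $Path
}

function Disable-MsdtHandler {
    # Removing the key breaks the protocol association, so documents can no longer
    # launch MSDT. Reversible later with: reg import <backup.reg>
    Remove-Item -LiteralPath $KeyPath -Recurse -Force
}

if (-not (Test-MsdtHandlerRegistered)) {
    Write-Output 'ms-msdt handler is not registered: workaround 1 is already in place.'
    return
}

Write-Output 'ms-msdt handler is registered: this host can still launch MSDT from a document.'
if ($Apply) {
    $saved = Backup-MsdtHandler -Path $BackupPath
    Write-Output "Backed up HKCR\ms-msdt to $saved"
    Disable-MsdtHandler
    Write-Output ('Handler removed: ' + (-not (Test-MsdtHandlerRegistered)))
} else {
    Write-Output 'Re-run with -Apply to back up and remove the key.'
}
```

Run it without -Apply across a fleet to inventory which hosts still have the handler, then with -Apply on those that need the workaround.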

Microsoft further recommends that customers with Microsoft Defender Antivirus should turn on cloud-delivered protection and automatic sample submission. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.

IT teams should warn users that even preview mode can be dangerous with Microsoft Office attachments. Users should delete emails from untrusted sources, and call to verify that unexpected attachments are legitimate.

The Verteks cybersecurity team is continuing to monitor developments with the Follina vulnerability. Contact us for the latest updates about the threat or for guidance on mitigation strategies.
