Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Trustwave's Action Response: Microsoft zero-day CVE-2022-30190 (aka Follina)

Update June 7 - In the event of a compromise related to the Follina vulnerability, IT teams can potentially identify network connections in the registry associated with the malicious Office document. Additionally, spawned child processes might also be identified in the diagnostic PCW.debugreport.xml file on the host. Please see Hunting for Indicators of Compromise below for more details.

Trustwave SpiderLabs is tracking the critical-rated zero-day vulnerability CVE-2022-30190. Threat actors are reported to be actively exploiting this vulnerability in the wild. Microsoft disclosed and issued guidance for CVE-2022-30190 on May 30.

Trustwave is diligently watching over our clients for exposure and associated attacks and working closely with our clients to ensure that mitigations are in place. Trustwave SpiderLabs is continuing to monitor this developing threat and we will update this blog as necessary. 

Over Memorial Day weekend a zero-day vulnerability was discovered being actively exploited in the wild. The initial sample was a malicious Microsoft Word document that triggered arbitrary code execution when opened. Microsoft has issued this vulnerability CVE-2022-30190, but it is also known as "Follina".

 

Overview

The vulnerability is an issue with the Microsoft Support Diagnostic Tool (MSDT) in Windows.  The initial attack vector used a Word document that used the remote template feature to retrieve an HTML file from a remote webserver. The HTML file invokes "ms-msdt" MSProtocol URI scheme to load some code and execute some PowerShell. 

This vulnerability potentially affects any Office document that has access to MSDT. For instance, If the document is a .RTF file, it becomes a zero-click exploit if Preview in Explorer is enabled. Outlook also supports MS Protocol URI schemes, e.g. "ms-msdt:some_uri/resource" which would trigger exploitation if clicked.  

The full attack surface and all exploitation methods have not yet been completely explored. While the original exploit only seemed to affect MS Word, additional research resulted in attack vectors expanding to include the RTF and potential Outlook vectors. 

As of June 2, an additional attack vector was discovered that invokes a “search-ms” URI instead of “ms-msdt” to achieve the same effect of arbitrary code. With the “search-ms” variant, the attacker invokes the Windows Search functionality to launch a malicious Word document.

 

Remediation for MSDT exploitation

The vulnerability affects Office 2013, 2016, 2019, 2021, Office ProPlus and Office 365. As of this writing, there is no patch available, but we anticipate Microsoft will release one in short order. In the meantime, Microsoft provides the following workarounds: 

Disable the MSDT URL Protocol

  • Run Command Prompt as Administrator.
  • To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename“
  • Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”. 

How to Undo the Workaround

  • Run Command Prompt as Administrator.
  • To restore the registry key, execute the command “reg import filename” pointing to the backup file you created before disabling MSDT

 

Remediation for “search-ms” exploitation

Like the remediation for “ms-msdt”, this remediation disables search-ms via the registry. Microsoft provide the following workarounds: 

Disable the “ms-search” URL Protocol

  • Run Command Prompt as Administrator.
  • To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\search-ms filename“
  • Execute the command “reg delete HKEY_CLASSES_ROOT\search-ms /f”. 

How to Undo the Workaround

  • Run Command Prompt as Administrator.
  • To restore the registry key, execute the command “reg import filename” pointing to the backup file you created in the previous section.

 

However, these workarounds may cause issues depending on the environment and local usage of MSDT and “search-ms.” It also does not mitigate some attack vectors like automatic preview in Explorer of malicious RTF documents. In cases where this mitigation step is not implementable, utilizing existing endpoint protection solutions for blocking and or detection is the best course of action. Multiple vendors have already released guidance for their solutions to defend or detect this exploitation.

 

Hunting for Indicators of Compromise 

In the event of a compromise related to the Follina vulnerability, IT teams can potentially identify network connections in the registry associated with the malicious Office document. Additionally, spawned child processes might also be identified in the diagnostic PCW.debugreport.xml file on the host. 

In some instances, a registry value will be created if an Office document attempting to utilize the Follina vulnerability, makes an Internet connection. Though this could identify a C2 server, not every instance of a malicious Office document executing on a machine will result in a network connection as this can be dependent upon the payload. There could also be a large number of entries, as the registry keys are historical and not removed after the machine reboots. This will require further investigation into the domains observed in the registry to determine if they are associated with malicious behaviors. 

HKEY_USERS\$USER_SID\SOFTWARE\Microsoft\Office\$OFFICE_VERSION\Common\Internet\Server Cache\ 

HKCU\Software\Microsoft\Office\$OFFICE_VERSION\Common\Internet\Server Cache\Count\ 

During an investigation or post compromise DFIR engagement, the registry can be checked via EDR technologies that allow for registry queries or can be checked by remotely connecting to the machine and running the PowerShell commands below: 

Get-ChildItem -Path 'HKCU:\SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache\' 

Get-ChildItem 'Registry::HKEY_USERS\$USER_SID\SOFTWARE\Microsoft\Office\$OFFICE_VERSION\Common\Internet\Server Cache\' 

Another file to check that can identify the potential child / spawned processes is the PCW.debugreport.xml file located here.  

C:\Users\[USERNAME]\AppData\Local\Diagnostics\[randomnumber]\[randomnumber].[xxx]\PCW.debugreport.xml  

Within the XML file, the value '<Data id="Parameter" name="TargetPath">[string]' can contain the path of the executed process or executable.  

 

References

MSRC blog post: https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

Original analysis: https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e

Attack variant using “search-ms”: https://borncity.com/win/2022/06/02/searchnightmare-windows-10-search-ms-uri-handler-0-day-exploit-mit-office-2019/

 Office network connections in the registry: 

https://twitter.com/SecurityAura/status/1531337827019014144 

 PCW.debugreport.xml 
https://twitter.com/NOP_0x90v1/status/1532983486591774721 
https://twitter.com/wdormann/status/1532080950708170752 
Yara Rule - https://docs.velociraptor.app/exchange/artifacts/pages/msdtfollina/ 

Trustwave 

The Trustwave SpiderLabs IDS team released five IDS signatures as an out of band release to cover known attack vectors. The Trustwave Global Threat Operations team has also deployed detection rules in the Trustwave Fusion platform. Other Trustwave SpiderLabs teams are still investigating additional protections and detections we can implement. 

We will update this blog post as appropriate.

Latest SpiderLabs Blogs

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More