OS command injection vulnerability in Turistforeningen node-s3-uploader through 2.0.3 for Node.js allows attackers to execute arbitrary commands via the metadata() function.

From time to time, our security researchers find zero-day vulnerabilities in open source projects. When this happens, we inform the relevant maintaners of the package and publish our findings here only after they’ve been remediated, or when a patch is available.

CVE-2021-34084: Checkmarx Advisory

Although organizations should perform proper risk analysis and patch as soon as practical after there's a fix for this vulnerability, defenders still have options before that's released.

On May 27, 2022, researchers from Japan-based nao\_sec identified a malicious document in a commercial malware repository, dubbed "Follina," that revealed the document employed a novel technique to achieve code execution. \[Note: Read Dark Reading's earlier coverage on Follina.\] While referencing a remote object, similar to techniques like template injection, the document retrieves the following URL:

_hXXps://www.xmlformats\[.\]com/office/word/2022/wordprocessingDrawing/RDF842l.html!_

When still active, the URL hosted content that included follow-on code to execute PowerShell via an explicit call to the application "ms-msdt":

    

MSDT is a diagnostic tool included in Windows. As shown above, MSDT can be used to parse and execute code, such as PowerShell, and can be called through parsing a malicious resource. Abuse of MSDT isn't new, as the technique previously has been documented among known "living off the land" binary (LOLBins) abuse. However, its use via a URL redirection called from Microsoft Office was previously unknown, expanding scope of potential MSDT abuse to remote mechanisms.

Since initial reporting, Microsoft issued CVE-2022-30190 to cover this remote code execution (RCE) possibility within MSDT when called through another application. While a patch for this vulnerability has not yet been released, several mitigation strategies exist (covered in greater detail below).

As of this writing, actual abuse of this technique appears to be limited, but with examples dating back to as early as April 2022. Public disclosure and researcher notes identify only a few instances of malicious use of MSDT via Microsoft Office applications. However, since public identification, multiple proofs of concept for this technique emerged, and Gigamon Applied Threat Research (ATR) anticipates that multiple threat actors will soon incorporate this technique into operations.

**Impact**

At present, the impact of CVE-2022-30190 is largely notional given lack of identified widespread use by threat actors. Once this technique is absorbed into existing actor toolkits, however, circumstances will change, with the potential for use by multiple threat actors. On initial discovery, endpoint detection and response (EDR) solutions appeared largely blind to this execution mechanism, but as of this writing that is rapidly changing across multiple vendors and products. Furthermore, as explained in guidance from Microsoft, MSDT's capability to launch items as links can be disabled via changes to the Windows Registry, removing this intrusion vector (with the potential for unforeseen or undesired consequences) until a true patch is available.

More importantly, while much initial discussion focused on the Office mechanism for triggering this issue, CVE-2022-30190 is application-agnostic in functionality, which centers on passing code to MSDT for execution. While Office represents an obvious mechanism to reach this application through delivery of a document via phishing or malicious link, any mechanism of launching MSDT will work to enable follow-on RCE such as a malicious LNK file or via the implementation of "wget" in Windows. The Office route presents just one of many potential avenues for exploitation, with other possibilities of MSDT abuse publicly documented.

For defenders and end users, the risk is therefore not just a new malicious Office delivery vector but, rather, abuse of an internal Windows component (MSDT) for code execution via multiple potential vectors. As such, certain mitigations (such as stopping all child processes from Office applications) represent only partial fixes to one aspect of the problem. To appropriately determine the scope and risk of this scenario, defenders must orient how MSDT abuse, irrespective of vector, applies to adversary operations.

**Orienting to Adversary Operations**

As documented thus far, MSDT is leveraged in early phases of adversary operations as an initial access mechanism to victim machines. As noted by other researchers, MSDT abuse via Office results in follow-on execution with the same privileges as the active user. This is helpful if victims are running as unprivileged users, but given the wealth of mechanisms available to elevate privileges in Windows environments, this limitation would appear to be easily overcome by most adversaries.

However, even if an adversary can access and elevate privileges to a victim device, this specific action represents only one, relatively early step in the overall adversary life cycle, or "kill chain." Appropriately leveraging this vulnerability still requires follow-on actions, including command and control (C2) and lateral movement activity, that present options to defenders for identifying adversary operations. Furthermore, there are precursor actions to code execution via MSDT that defenders can leverage to identify suspicious behaviors leading to exploitation.

Overall, CVE-2022-30190 represents a concern, but only one of many potential avenues available to adversaries to achieve initial code execution in victim environments. By properly understanding how adversaries employ this technique and what are necessary pre- and post-exploit actions to achieve adversary objectives, defenders can begin identifying detection, response, and hunting strategies that work against multiple potential intrusion vectors.

**Detection and Mitigation Possibilities**

1.  **Focus on patching and host-based responses.** The initial security community focus for MSDT abuse mitigation focused on patching (or the inability to do so) and host-based responses. As a host-focused exploitation mechanism, such an approach appears reasonable, and patching will be the most effective way of addressing this specific security issue. Additionally, process parent-child relationship monitoring (or outright blocking) can significantly reduce attack surface by preventing entire categories of intrusion, such as Office or MSDT spawning child processes. Specifically unregistering the URI handler for MSDT in the Windows Registry, as outlined by Microsoft and security researchers, may also temporarily address the issue.
2.  **Look for pre- and post-exploitation activity.** As noted in the previous section though, defenders should strive for detections and mitigations that can apply irrespective of specific exploits by looking at required adversary actions pre- and post-exploitation. For example, in the case of CVE-2022-30190, current delivery mechanisms focus on Office implementations. Likely future implementations will probably expand to other file formats commonly distributed via email or malicious websites, such as LNK files, self-extracting archives, and optical disk images. Identifying and increasing visibility over these distribution pathways, limiting exposure to unknown or untrusted vectors, and similar actions may thus reduce attack surface against multiple types of delivery mechanisms that can be used for payloads beyond MSDT exploitation.
3.  **Identify potential C2 or lateral movement mechanisms**. Post-exploitation, various opportunities exist for identifying C2 or lateral movement mechanisms even if initial exploitation is missed. Following initial access, threat actors will in most cases need to migrate to other areas of the network: repositories of intellectual property or sensitive information, or critical network infrastructure such as domain controllers. The actions required to do so — such as enumerating Active Directory or remote process execution — present opportunities even without host monitoring to identify adversary operations.
4.  **Identify and classify network assets.** Further actions, such as identifying and (if possible) classifying newly observed network items (IP addresses and domain names) may allow for disclosure of unique C2 items. Where appropriate asset identification is enabled, identifying odd network traffic to new, unusual remote resources can further enable defenders to catch and categorize potentially malicious activity. Identifying unusual traffic based on User Agent strings when visible — such as a PowerShell-based User Agent string retrieving an executable file based on file MIME type or extension, as seen in the initial CVE-2022-30190 example — can further enhance visibility into insecure or undesirable network behaviors.

Overall, a variety of options remain available to network defenders even if the actual exploitation of a new, potentially unknown (or "zero-day") vulnerability takes place. Understanding one's own network and its characteristics combined with sufficient visibility into network and host behaviors allows defenders to ask (and answer) questions concerning activities of interest to flag the necessary preconditions and follow-on actions adhering to vulnerability exploitation. While not necessarily easy in all cases, proper investment in resources and people will allow organizations to achieve a redundant security posture capable of catching zero-day exploitation, supply chain intrusions, or state-sponsored attacks.

**Conclusion**

Software and application vulnerabilities are a continuous and ongoing problem in the information security space. CVE-2022-30190 represents just another example of such vulnerabilities that have the potential to facilitate adversary operations. While organizations should perform proper risk analysis and patch as soon as practical once there's a fix for this vulnerability, defenders are not lost prior to release.

Instead, by understanding how adversaries leverage exploits as part of the intrusion life cycle, defenders and network owners can structure detections and defense so that they are agnostic to specific vulnerabilities. Rather than continuously chasing specific weaknesses as they appear over time, such as specific defenses around CVE-2022-30190 weaponization, defenders can structure operations to look for necessary precursors to exploit development (reconnaissance, delivery) or required follow-on actions to achieve objectives (C2, lateral movement).

In building defense and response this way — focused on core behaviors and adversary dependencies — defenders can build a more sustainable security posture that can adapt to future, yet-to-be-discovered vulnerabilities along with current, known tradecraft. Through layering behavior-based detections along with patching, signatures, and other items, defenders can achieve the requisite defense-in-depth necessary to adapt to a dynamic threat environment, without relying on single-point-of-failure defenses easily evaded by capable adversaries.

Fighting Follina: Application Vulnerabilities and Detection Possibilities

Industry-first report finds zero trust segmentation eliminates 5 cyber disasters per year and saves $20+ million annually.

**Sunnyvale, CA — June 1, 2022 —**  Illumio, Inc., the Zero Trust Segmentation company, today released The Zero Trust Impact Report, the industry’s first research on market perspectives of Zero Trust strategies and the business impact of Segmentation technology. Conducted by The Enterprise Strategy Group (ESG), which surveyed 1,000 IT and security professionals in eight countries, the report discovered that 47 percent of security leaders do not believe they will be breached despite increasingly sophisticated and frequent attacks, broad adoption of Zero Trust technologies, and the proven business and security impact of Zero Trust Segmentation, which isolates workloads and devices across the hybrid attack surface to stop breaches from spreading. Key findings include:

*   **Severity and Frequency of Attacks Are Still Rising:** In the past two years alone, more than three-quarters of organizations surveyed (76 percent) have been attacked by ransomware and two-thirds (66 percent) have experienced at least one software supply chain attack. More than half (52 percent) believe cyberattacks will result in catastrophic breaches.
*   **Zero Trust is Now the Standard:** 90 percent state that advancing Zero Trust strategies is one of their top three security priorities this year as a way to improve cyber resiliency and reduce the rising threat of attacks turning into disasters.
*   **Segmentation is a Critical Pillar of Every Zero Trust Strategy:** 75 percent of segmentation pioneers, those who are classified as advanced users, believe purpose-built segmentation tools are critical to Zero Trust and 81 percent say segmentation is an important technology to Zero Trust.
*   **Zero Trust Segmentation Has a Quantifiable Business Impact:** Organizations that have adopted Zero Trust Segmentation as part of their Zero Trust strategy save an average of $20.1 million in application downtime, avert 5 cyber disasters per year, and plan to accelerate 14 more digital and cloud transformation projects over the next year.

“Catastrophic breaches keep happening despite another year of record cybersecurity spending. Money will not make the problem go away until security leaders move beyond the legacy approach to only focus on detection and perimeter protection,” said PJ Kirner, Illumio co-founder and CTO. “I’m shocked that nearly half of those surveyed in The Zero Trust Impact Report do not think a breach is inevitable, which is the guiding principle for Zero Trust, but I am encouraged by the hard business returns Zero Trust and Segmentation deliver. Zero Trust Segmentation is emerging as a true market category that is transforming business operations and strengthening cyber resiliency.”

**Attacks Abound in a Hyperconnected World**

Hyperconnectivity created by digital transformation has expanded the attack surface and exposed organizations to risks never faced before. While respondents have significant concerns about many attack types, supply chain, zero-day, and ransomware attacks top the list.

*   Respondents say software supply chain attacks (48 percent), zero-day exploits (46 percent) and ransomware attacks (44 percent) are the three threats that keep them up at night.
*   More than one-third of respondents (36 percent) have been the victims of a successful ransomware attack over the past two years.
*   82 percent of respondents who were victims of a successful attack paid a ransom (42 percent paid ransom directly; 40 percent paid via cyber insurance) with the average ransom netting $495,000.

**Organizations Must Assume Breach and Adopt Zero Trust**

A Zero Trust approach, rooted in an assume breach mindset, is the modern strategy to reduce risk and increase cyber resiliency. 52 percent of security teams believe that their organization is ill-prepared to withstand the cyberattacks to come (22 percent say a breach would “definitely” result in business disaster; 30 percent say it “probably” would be a disaster), but Zero Trust adoption is rising fast:

*   Nine in ten (90 percent) report Zero Trust is one of their top three cybersecurity priorities, and 33 percent say Zero Trust is their top cybersecurity priority.
*   39 percent of all security spending over the next 12 months is earmarked to advance Zero Trust initiatives.
*   Segmentation pioneers are nearly twice as likely to be able to stop breaches from spreading than peers who do not fully utilize segmentation (81 percent vs. 45 percent).  
    

A whopping 96 percent of buyers prefer technologies with best-of-breed capabilities as opposed to broad platforms. 75 percent of segmentation pioneers believe purpose-built segmentation tools are critical to Zero Trust.

**You Cannot Achieve Zero Trust without Zero Trust Segmentation**

Zero Trust Segmentation is a modern approach to stop breaches from spreading across hybrid IT, from the cloud to the data center. Today, a vast majority of respondents consider Zero Trust Segmentation essential to any successful Zero Trust initiative (81 percent), and the report found that segmentation pioneers:

*   Are 2.7X more likely to have highly effective attack response processes.
*   Are 2.1X more likely to have avoided a critical outage during an attack over the last 24 months.
*   Save $20.1M in annual cost of downtime.
*   Are able to free up 39 person-hours per week.
*   Avert 5 cyber disasters annually.
*   Are accelerating digital transformation for competitive advantage with 14 more digital and cloud transformation projects planned over the next 12 months.

For more information, download a copy of The Zero Trust Impact Report.

**Research Methodology**

In February 2022, Illumio commissioned ESG to conduct a 1,000-person global study on the current state of Zero Trust strategies and the impact of segmentation. The findings incorporate sentiment from senior information security and IT professionals across North America, Europe, Asia Pacific, and Japan.

**About Illumio**  

Illumio, the Zero Trust Segmentation company, prevents breaches from spreading and turning into cyber disasters. Illumio protects critical applications and valuable digital assets with proven segmentation technology purpose-built for the Zero Trust security model. Illumio ransomware mitigation and segmentation solutions see risk, isolate attacks, and secure data across cloud-native apps, hybrid and multi-clouds, data centers, and endpoints, enabling the world’s leading organizations to strengthen their cyber resiliency and reduce risk.

Zero Trust Research Reveals Nearly Half of All Security Leaders Do Not Believe They Will Be Breached Despite Increasing Attacks and Adoption of Zero Trust Strategies

FAQ for the new Follina zero-day vulnerability. What you can do to protect your computers right now.
The post FAQ: Mitigating Microsoft Office’s ‘Follina’ zero-day appeared first on Malwarebytes Labs.

On Monday May 30, 2022, Microsoft issued CVE-2022-30190 for a zero-day remote code vulnerability, ‘Follina’, already being exploited in the wild via malicious Word documents.

_**Q: What exactly is Follina?**_

A: Follina is the nickname given to a new vulnerability discovered as a zero-day and identified as CVE-2022-30190. In technical terms it is a Remote Code Execution Vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT).

_**Q: But what does it mean, and is this a serious vulnerability?**_

A: An attacker can send you a malicious Office document that will compromise your machine with malware when you open it. It is serious since it is already actively being exploited in the wild and doesn’t require users to enable macros.

**_Q: What is Microsoft doing about it?_**

A: Microsoft has offered mitigation steps that disable the MSDT URL Protocol. However, users should proceed with caution because of possible conflicts and crashes with existing applications.

_**Q: Does Malwarebytes protect against Follina?**_

A: Yes, it does. Please see additional steps below based on your product to ensure you are protected.

**How to add protection with Malwarebytes**

We are working on releasing a new version of Anti-Exploit that won’t require adding new shields and will provide more holistic protection. For immediate mitigation, please follow the instructions below.

**Malwarebytes Premium (Consumer)**

Follow the instructions below to add sdiagnhost.exe as a new protected application.

**Malwarebytes Nebula (Enterprise)**

Follow the instructions below to add sdiagnhost.exe as a new protected application.

FAQ: Mitigating Microsoft Office’s ‘Follina’ zero-day

By Waqas
The Follina vulnerability was originally discovered after a malicious Microsoft Word document was uploaded on VirusTotal from a…
This is a post from HackRead.com Read the original post: Unofficial Micropatch for Follina Released as Chinese Hackers Exploit the 0-day

The Follina vulnerability was originally discovered after a malicious Microsoft Word document was uploaded on VirusTotal from a Belarus IP address.

On Thursday, May 30th, Hackread.com warned against the probability of a dangerous Microsoft zero-day flaw dubbed Follina being exploited in the wild. According to the latest reports, Chinese hackers have already started using it.

**What is Follina?**

Follina is a Microsoft Office flaw tracked as CVE-2022-30190. This vulnerability was discovered in May 2022 by researcher Kevin Beaumont in Microsoft Support Diagnostic Tool (MSDT).

According to the researcher, the exploit is activated when the victim opens a malicious document. The Protected View feature, as we know it, is designed to protect users from opening infected files. But, in the case of Follina, the file preview appears in Explorer, and Protected View is not triggered while the exploit is executed.

Threat actors can exploit this vulnerability to gain privilege escalation on a system and gain “god mode” access to the impacted system. Office Pro Plus, Office 2013, Office 2016, Office 2019, and Office 2021 were impacted by the flaw.

**Chinese APT Group Exploiting Follina**

It seems like this newly identified zero-day already has registered its first exploiters. It is suspected that the exploitation of Follina started in April 2022 with Russian and Indian users becoming the prime targets of interview requests, extortions, and other attacks.

The latest information is shared by Proofpoint, which claims that a threat actor identified as TA413 has exploited this flaw in its attacks targeting the Tibetan community. This actor was previously associated with China and had been attacking Tibetan entities for several years.

In one of its attacks in 2021, the group was caught using a malicious Firefox extension to phish Gmail credentials to spy on Tibetan activists. In the latest, the group used Central Tibetan Administration’s Women Empowerment Desk as a lure in the attacks involving Follina.

> “TA413 CN APT spotted ITW exploiting the Follina 0Day using URLs to deliver Zip Archives which contain Word Documents that use the technique.”
> 
> Proofpoint researchers on Twitter

Furthermore, the SANS Institute detected a document exploiting Follina to deliver malware. The file was written in Chinese, and its translation read: “Mobile phone room to receive orders – channel quotation – the lowest price on the whole network.”

Screenshot of a blog post titled “First Exploitation of Follina Seen in the Wild” on the SANS website published by Xavier Mertens, a freelance security consultant based in Belgium

MalwareHunterTeam has also discovered .docx files bearing Chinese filenames and installing infostealers through coolratxyz. The HTML file is full of junk for obfuscation purposes while it contains a script that downloads/executes the payload.

**Free Micropatches for the “Follina” by 0Patch**

0Patch, a Maribor, Slovenia-based IT security firm has issued free but unofficial micropatches addressing the Follina vulnerability. For more details on “How To” implement these micropatches head to the blog post published by 0Patch’s Mitja Kolsek.

Furthermore, the company has also released a YouTube video demonstrating how its micropatch detects and blocks attempts at exploiting the “Follina” 0day.

Meanwhile, CISA (Cybersecurity and Infrastructure Security Agency) is advising users to follow the “Workaround Guidance” for the Follina vulnerability issued by Microsoft on May 30, 2022.

**Microsoft Knew About the Flaw in April!**

Interestingly, Microsoft has been aware of the flaw since April, but a patch has not arrived. Reportedly, the tech giant was notified by a Shadow Chaser Group member. It is a team that focuses on APT inspection and detection.

Microsoft claims that the researcher who warned the organization about the flaw didn’t consider it a security-related problem. However, they had already seen a sample being exploited in the wild.

On May 27th, researcher Kevin Beaumont shared details of the vulnerability in his blog post after which the company assigned it a CVE and issued mitigation guidance until the arrival of official patches.

**More Microsoft Security News**

*   Hackers are using Microsoft Teams chat to spread malware
*   Malicious Office documents make up 43% of all malware downloads
*   Attackers bypass Microsoft security patch to drop Formbook malware
*   Google, Microsoft, and Oracle generated the most vulnerabilities in 2021
*   Google Drive accounted for 50% of malicious Office document downloads

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Unofficial Micropatch for Follina Released as Chinese Hackers Exploit the 0-day

A recently discovered zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) made headlines over the past few days. CVE-2022-30190, also known under the name "Follina," exists when MSDT is called using the URL protocol from an application, such as Microsoft Office, Microsoft...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

A recently discovered zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) made headlines over the past few days. CVE-2022-30190, also known under the name "Follina," exists when MSDT is called using the URL protocol from an application, such as Microsoft Office, Microsoft Word or via an RTF file. An attacker could exploit this vulnerability to gain the ability to run arbitrary code on the targeted system.

Although a patch hasn't been released yet, Microsoft has provided workarounds and Windows Defender protections for the CVE and malware exploiting this vulnerability. Cisco Talos has also released coverage to protect against this vulnerability, the full details of which are available below.

The most direct workaround is to disable the MSDT URL protocol by launching the command prompt as administrator and running the following commands:

*   To back up the existing registry values, run "reg export HKEY\_CLASSES\_ROOT\\ms-msdt filename" where filename is the name of the backup you will be creating.
*   To implement the workaround, run "reg delete HKEY\_CLASSES\_ROOT\\ms-msdt /f"
*   To undo the work around, run "reg import filename" where filename is the name assigned in the steps above.

**Ongoing exploitation**

Cisco Talos is aware of ongoing exploitation in the wild, so users are encouraged to test and implement the workaround as quickly as possible to mitigate risk.

An example of a maldoc exploiting this vulnerability consists of configuring the external references of the maldoc to point to the exploit payload, which, in this case, is written inHTML.

The HTML hosted on the remote location contains the actual exploit.

Using the ms-msdt schema and troubleshooting package "PCWDiagnostic," the attacker can launch arbitrary code on the infected endpoint.

  
**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The following ClamAV signatures are available to detect malware related to this threat:

**Win.Exploit.CVE\_2022\_30190-9951234-1**

**IOCs****Hashes**

4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784  
8e986c906d0c6213f80d0224833913fa14bc4c15c047766a62f6329bfc0639bd  
fe300467c2714f4962d814a34f8ee631a51e8255b9c07106d44c6a1f1eda7a45  
710370f6142d945e142890eb427a368bfc6c5fe13a963f952fb884c38ef06bfa  
d61d70a4d4c417560652542e54486beb37edce014e34a94b8fd0020796ff1ef7

**Malicious URLs**

hxxps\[://\]www\[.\]xmlformats\[.\]com/office/word/2022/wordprocessingDrawing/RDF842l\[.\]html  
hxxps\[://\]www\[.\]sputnikradio\[.\]net/radio/news/3134\[.\]html  
hxxps\[://\]exchange\[.\]oufca\[.\]com\[.\]au/owa/auth/15\[.\]1\[.\]2375/themes/p3azx\[.\]html

Threat Advisory: Zero-day vulnerability in Microsoft diagnostic tool MSDT could lead to code execution

CSRF exploit requires user to open malicious email

CSRF exploit requires user to open malicious email

A zero-day vulnerability in Horde Webmail enables attackers to take over the web server and pivot to compromising an organization’s other services, according to security researchers.

Documented by Swiss security firm Sonar (formerly SonarSource), the flaw’s abuse relies on an authenticated user of the targeted instance opening a malicious email sent by the attacker.

If they do so, they inadvertently trigger the exploit by executing arbitrary code on the underlying server.

**Abandonware**

A patch for the remote code execution (RCE) vulnerability in the open source platform may never surface given that the current version, which contains the flaw, has been flagged by the maintainers as the final release.

Sonar researchers have therefore advised users to abandon Horde Webmail.

Catch up on the latest cybersecurity research

Johannes Dahse, head of R&D at Sonar, said that a Shodan search had revealed more than 3,000 exposed Horde instances worldwide.

“Furthermore, it is integrated into cPanel,” he told The Daily Swig. “As webmail software does not need to be exposed to the internet, we believe that there are even more, internal instances. These instances can still be exploited as long as the email server of an organization is exposed.”

Horde Webmail, which is part of the Horde groupware, provides a browser-based email client and a server that acts as a proxy to the organization’s email server.

By compromising webmail servers, attackers “can intercept every sent and received email, access password-reset links, sensitive documents, impersonate personnel and steal all credentials of users logging into the webmail service,” according to a Sonar blog post by Simon Scannell, vulnerability researcher at Sonar.

**CSRF**

The Horde Webmail vulnerability (CVE-2022-30287) can be abused with a single request, which brings cross-site request forgery (CSRF) into play. “As a result, an attacker can craft a malicious email and include an external image that when rendered exploits the CSRF vulnerability,” Scannell explained.

Worse still, the victim’s clear-text credentials are also leaked to the attacker, potentially giving the adversary access to additional services used by the target organization – as demonstrated in the proof-of-concept video below.

The vulnerability exists in Horde Webmail’s default configuration and potentially lends itself to mass-exploitation, Sonar warns.

It alerted maintainers to the issue on February 2 and disclosed the flaw today (June 1), having notified the maintainers on May 3 that the 90-day disclosure deadline had passed.

Nevertheless, on March 2 Horde released a fix for a separate issue reported previously by Sonar and acknowledged the latest vulnerability report, according to Sonar.

**Salutary lesson**

The researchers point towards a lesson offered by the vulnerability, noting that it exists in PHP code, which typically uses dynamic types.

“In this case, a security sensitive branch was entered if a user-controlled variable was of the type array,” Scannell said. “We highly discourage developers from making security decisions based on the type of a variable, as it is often easy to miss language-specific quirks.”

Sonar last year documented a chained exploit in another open source webmail platform, Zimbra, that allowed unauthenticated attackers to gain control of Zimbra servers.

YOU MIGHT ALSO LIKE Patch released for cross-domain cookie leakage flaw in Guzzle

Horde Webmail contains zero-day RCE bug with no patch on the horizon

Threat actors already are exploiting vulnerability, dubbed ‘Follina’ and originally identified back in April, to target organizations in Russia and Tibet, researchers said.

Threat actors already are exploiting vulnerability, dubbed ‘Follina’ and originally identified back in April, to target organizations in Russia and Tibet, researchers said.

Microsoft has released a workaround for a zero-day flaw that was initially flagged in April and that attackers already have used to target organizations in Russia and Tibet, researchers said.

The remote control execution (RCE) flaw, tracked as CVE-2022-3019, is associated with the Microsoft Support Diagnostic Tool (MSDT), which, ironically, itself collects information about bugs in the company’s products and reports to Microsoft Support.

If successfully exploited, attackers can install programs, view, change or delete data, or create new accounts in the context allowed by the user’s rights, the company said.

“A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word,” Microsoft explained in its guidance on the Microsoft Security Response Center. “An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application.”

Microsoft’s workaround comes some six weeks after the vulnerability was apparently first identified. Researchers from Shadow Chaser Group noticed it on April 12 in a bachelor’s thesis from August 2020—with attackers apparently targeting Russian users–and reported to Microsoft on April 21, according to research firm Recorded Future’s The Record.

A Malwarebytes Threat Intelligence analyst also spotted the flaw back in April but could not fully identify it, the company said in a post on Twitter over the weekend, retweeting the original post about the vulnerability, also made on April 12, from @h2jazi.

When the flaw was reported, Microsoft didn’t consider it an issue. It’s clear now that the company was wrong, and the vulnerability again raised the attention of researchers at  Japanese security vendor Nao Sec, who tweeted a fresh warning about it over the weekend, noting that it was being used to target users in Belarus.

In analysis over the weekend noted security researcher Kevin Beaumont dubbed the vulnerability “Follina,” explaining the zero-day code references the Italy-based area code of Follina – 0438.

****Current Workaround****

While no patch yet exists for the flaw, Microsoft is recommending that affected users disable the MSDT URL to mitigate it for now. This “prevents troubleshooters being launched as links including links throughout the operating system,” the company wrote in their advisory.

To do this, users must follow these steps: Run “:**Command Prompt** **as Administrator****“**; Back up the registry key by executing the command “reg export HKEY\_CLASSES\_ROOT\\ms-msdt _filename_“; and execute the command “reg delete HKEY\_CLASSES\_ROOT\\ms-msdt /f”.

“Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters,” the company said.

Moreover, if the calling application is an Office app then by default, Office opens the document from the internet in Protected View and Application Guard for Office, “both of which prevent the current attack,” Microsoft said. However, Beaumont refuted that assurance in his analysis of the bug.

Microsoft also plans to update CVE-2022-3019 with further information but did not specify when it would do so, according to the advisory.

****Significant Risk****

In the meantime, the unpatched flaw poses a significant risk for a number of reasons, Beaumont and other researchers noted.

One is that it affects such a wide swathe of users, given that it exists in all currently supported Windows versions and can be exploited via Microsoft Office versions 2013 through Office 2019, Office 2021, Office 365, and Office ProPlus.

“Every organization that is dealing with content, files and in particular Office documents, which is basically everyone in the globe, is currently exposed to this threat,” Aviv Grafi, CTO and founder of security firm Votiro, wrote in an e-mail to Threatpost.

Another reason the flaw poses a major threat is its execution without action from end users, both Beaumont and Grafi said. Once the HTML is loaded from the calling application, an MSDT scheme is used to execute a PowerShell code to run a malicious payload, Grafi explained.

Since the flaw is abusing the remote template feature in Microsoft Word, it is not dependent on a typical macro-based exploit path, which are common within Office-based attacks, Beaumont said.

“What makes this vulnerability so difficult to avoid is the fact that the end user does not have to enable macros for the code to execute, making it a ‘zero-click’ remote code execution technique used through MSDT,” Grafi concurred.

****Under Active Attack****

Claire Tills, senior research engineer for security firm Tenable, compared the flaw to last year’s zero-click MSHTML bug**,** tracked as CVE-2021-40444, which was pummeled by attackers, including the Ryuk ransomware gang.

“Given the similarities between CVE-2022-30190 and CVE-2021-40444, and that researchers speculate other protocol handlers may also be vulnerable, we expect to see further developments and exploitation attempts of this issue,” she wrote in an e-mail to Threatpost.

Indeed, threat actors already have pounced on the vulnerability. On Monday, Proofpoint Threat Insight also tweeted that threat actors were using the flaw to target organizations in Tibet by impersonating the “Women Empowerments Desk” of the Central Tibetan Administration.

What’s more, the workaround that Microsoft currently offers itself has issues and won’t provide much of a fix in the long-term, especially with the bug under attack, Grafi said. He said the workaround is”not friendly for admins” because it involves “changes in the Registry of the end user’s endpoints.”

Microsoft Releases Workaround for ‘One-Click’ 0Day Under Active Attack

An advanced persistent threat (APT) actor aligned with Chinese state interests has been observed weaponizing the new zero-day flaw in Microsoft Office to achieve code execution on affected systems.
"TA413 CN APT spotted [in-the-wild] exploiting the Follina zero-day using URLs to deliver ZIP archives which contain Word Documents that use the technique," enterprise security firm Proofpoint said in

An advanced persistent threat (APT) actor aligned with Chinese state interests has been observed weaponizing the new zero-day flaw in Microsoft Office to achieve code execution on affected systems.

"TA413 CN APT spotted \[in-the-wild\] exploiting the Follina zero-day using URLs to deliver ZIP archives which contain Word Documents that use the technique," enterprise security firm Proofpoint said in a tweet.

"Campaigns impersonate the 'Women Empowerments Desk' of the Central Tibetan Administration and use the domain tibet-gov.web\[.\]app."

TA413 is best known for its campaigns aimed at the Tibetan diaspora to deliver implants such as Exile RAT and Sepulcher as well as a rogue Firefox browser extension dubbed FriarFox.

The high-severity security flaw, dubbed Follina and tracked as CVE-2022-30190 (CVSS score: 7.8), relates to a case of remote code execution that abuses the "ms-msdt:" protocol URI scheme to execute arbitrary code.

Specifically, the attack makes it possible for threat actors to circumvent Protected View safeguards for suspicious files by simply changing the document to a Rich Text Format (RTF) file, thereby allowing the injected code to be run without even opening the document via the Preview Pane in Windows File Explorer.

While the bug gained widespread attention last week, evidence points to the active exploitation of the diagnostic tool flaw in real-world attacks targeting Russian users over a month ago on April 12, 2022, when it was disclosed to Microsoft.

The company, however, did not deem it a security issue and closed the vulnerability submission report, citing reasons that the MSDT utility required a passkey provided by a support technician before it can execute payloads.

The vulnerability exists in all currently supported Windows versions and can be exploited via Microsoft Office versions Office 2013 through Office 21 and Office Professional Plus editions.

"This elegant attack is designed to bypass security products and fly under the radar by leveraging Microsoft Office's remote template feature and the ms-msdt protocol to execute malicious code, all without the need for macros," Malwarebytes' Jerome Segura noted.

Although there is no official patch available at this point, Microsoft has recommended disabling the MSDT URL protocol to prevent the attack vector. Additionally, it's been advised to turn off the Preview Pane in File Explorer.

"What makes 'Follina' stand out is that this exploit does not take advantage of Office macros and, therefore, it works even in environments where macros have been disabled entirely," Nikolas Cemerikic of Immersive Labs said.

"All that's required for the exploit to take effect is for a user to open and view the Word document, or to view a preview of the document using the Windows Explorer Preview Pane. Since the latter does not require Word to launch fully, this effectively becomes a zero-click attack."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hackers Begin Exploiting Latest Microsoft Office Zero-Day Vulnerability

"Follina" vulnerability in Microsoft Support Diagnostic Tool (MSDT) affects all currently supported Windows versions and can be triggered via specially crafted Office documents.

Attackers are actively exploiting an unpatched and easy-to-exploit flaw in the Microsoft Support Diagnostic Tool (MSDT) in Windows that allows for remote code execution from Office documents even when macros are disabled.

The vulnerability exists in all currently supported Windows versions and can be exploited via Microsoft Office versions 2013 through Office 2019, Office 2021, Office 365, and Office ProPlus, according to security researchers that have analyzed the issue.

Attackers can exploit the zero-day flaw — dubbed "Follina" — to remotely execute arbitrary code on Windows systems. Microsoft has warned of the issue giving attackers a way to "install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights." Researchers have reported observing attacks exploiting the flaw in India and Russia going back at least one month.

**Delayed Acknowledgement?**

Microsoft on Monday assigned the flaw a CVE identifier — CVE-2022-30190 — after apparently initially describing it as a non-security issue in April when crazyman, a security researcher with APT threat hunting group Shadow Chaser Group, first reported observing a public exploit of the vulnerability. Though the company's advisory described the flaw as being publicly known and actively exploited, it did not describe the issue as a zero-day threat.

In a May 30 blog post, Microsoft recommended that organizations disable the MSDT URL protocol to mitigate the issue and said it would provide more updates later without specifying when. Microsoft said the Protected View feature in Microsoft Office and the Application Guard for Office both would prevent attacks that try to exploit the flaw.

Microsoft did not respond to a Dark Reading query on whether it had initially described the issue as a non-security issue or when it might have first learned of the flaw. Instead, a spokeswoman pointed to Microsoft's Monday advisory as the only comment the company has on the issue at this time.

MSDT is a Windows support tool that collects and sends data from a user's system to Microsoft support staff so they can analyze and diagnose issues that a user might be encountering on their system. According to Microsoft, the vulnerability is triggered when an Office app like Word calls MSDT using the URL protocol. "An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application," the company noted.

**Multiple Exploits in the Wild**

Though the security researcher with the Shadow Chaser Group first notified Microsoft Security Response Center about the bug more than a month ago, the vuln only received broad attention over the weekend when a researcher spotted a malicious Word document attempting to exploit the issue. Security researcher Kevin Beaumont analyzed the document and found that it was using the remote template feature in Word to retrieve a HTML file from a remote Web server. The retrieved file in turn used the MS-MSDT URL protocol to load code for executing a PowerShell script. Beaumont discovered the document was executing code even with macros disabled. The security researcher found at least two other malicious Word documents in the wild attempting to exploit Follina going back to April.

Significantly, Beaumont and other researchers found that the attack technique allowed threat actors a way to bypass the "Protected View" mechanism in Office that alerts users about content downloaded from the Internet and requires an additional click from them to open. According to Malwarebytes, the warning can be bypassed simply by changing the document to a Rich Text Format (RTF) file. By doing so, code can run without the user even needed to open the document via the preview tab in Explorer, Malwarebytes said.

"RTF files are a special format that allows for documents to be previewed inside of Windows Explorer," says Jerome Segura, senior director of threat intelligence at Malwarebytes. "When that happens, Explorer will call out the msdt process which is being exploited without any warning or prompts," he says. In fact, the Preview pane is a risky feature because it enables zero-click attacks, Segura says. "We recommend users to disable it within Explorer as well as email clients like Outlook."

**Potentially Widespread Impact**

Johannes Ullrich, dean of research at the SANS Institute, says by itself the vulnerability in MSDT wouldn’t be a big deal. But the fact that it can be triggered via Microsoft Office is troubling. All that a user needs to do is to open a specially crafted Word document, or in some cases just previewing it to enable remote code execution, he says. This sets the stage for potentially widespread compromises especially considering that numerous exploits have been available in the wild for a month now.

"There are multiple scripts, examples and tutorials explaining how to exploit this vulnerability. Applying these techniques is easy, Ullrich says. He points to one malicious document to exploit Follina that SANS discovered recently, which purported to contain quotes for mobile phone prices from a reseller. The exploit worked though it appears to have been compiled by a relatively unskilled threat actor. "It appears to have been created by a novice attacker as it doesn't even remove some of the comments added to the malicious document," Ullrich says.  

He recommends that organizations immediately follow Microsoft's guidance and disable the MSDT URL protocol. "This will break the link between Office and the diagnostic tool," he says. Though the vulnerability in MSDT will still be present, it can no longer be triggered when opening a malicious document, he says. SANS recommends that organizations disable the Preview Pane in Windows Explorer.

Dray Agha, ThreatOps analyst at Huntress, which did a deep dive on the vulnerability, says attackers can use Follina to escalate privileges and travel across environments to create havoc. "Hackers can go from being a low-privilege user to an admin extremely easily," Agha says. "The vulnerability can be easily triggered by users simply choosing to “preview” a specifically crafted, maliciously supplied document. It’s that simple."

Tag

#zero_day