Several researchers have come across a novel attack that circumvents Microsoft's Protected View and anti-malware detection.
Tekie Geek is keeping a close eye on a new, developing zero-day, zero-click remote code execution (RCE) technique that uses MSDT (the Microsoft Diagnostics Tool) together with Microsoft Office applications, most widely Microsoft Word. Over the coming days, security professionals expect exploitation attempts in the wild to increase, with email-based delivery as the primary attack vector.
The “Follina” exploit abuses a flaw in the Microsoft Office suite to run a script that, in its first iteration, launches a hidden window to kill the msdt.exe tool if it is running and then launches a malware payload. This payload could be modified in the coming days to load ransomware executables, remote control tools, or any other payload that an attacker would like to place on a PC.
Thanks to our security partner Huntress, there is some early information on mitigation efforts. While a patch has not yet been released at the time of writing, you can still pursue mitigations to limit your attack surface.
If you use Microsoft Defender’s Attack Surface Reduction (ASR) rules in your environment, enabling the rule “Block all Office applications from creating child processes” in Block mode will prevent this from being exploited. However, if you are not yet using ASR, you may wish to run the rule in Audit mode first and monitor the outcome to ensure there is no adverse impact on end users.
Another option is to remove the file type association for ms-msdt (this can be done in the Windows Registry under HKCR:\ms-msdt or with Kelvin Tegelaar’s PowerShell snippet). When the malicious document is opened, Office will not be able to invoke ms-msdt, which prevents the malware from running. Be sure to make a backup of the registry settings before applying this mitigation.
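One way to apply both mitigations above from an elevated PowerShell prompt, as an added example that is not from the original post, from Huntress, or from Kelvin Tegelaar’s snippet. The rule GUID is the one Microsoft assigns to the “Block all Office applications from creating child processes” ASR rule; the backup directory and parameter names are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: applies the two Follina mitigations described above.
# Default is Audit mode for the ASR rule; pass -AsrMode Block once audit
# events (Defender Operational log, Event ID 1122) show no user impact.
param(
    [ValidateSet('Audit', 'Block')] [string]$AsrMode = 'Audit',
    [switch]$RemoveMsdtHandler,
    [string]$BackupDir = "$env:ProgramData\FollinaMitigation"  # assumption
)

# Microsoft's documented GUID for "Block all Office applications from creating child processes"
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# 1. ASR rule: Audit mode logs what would be blocked; Enabled actually blocks.
$action = if ($AsrMode -eq 'Block') { 'Enabled' } else { 'AuditMode' }
Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                 -AttackSurfaceReductionRules_Actions $action
Write-Host "ASR rule $OfficeChildProcRule set to $action"

# 2. Optional: remove the ms-msdt: URL handler, but only after a rollback backup succeeds.
if ($RemoveMsdtHandler) {
    $key = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
    if (Test-Path $key) {
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        $backup = Join-Path $BackupDir ('ms-msdt-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
        # reg.exe export writes a .reg file; restore later with: reg.exe import <file>
        reg.exe export 'HKCR\ms-msdt' $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup of $key failed; not deleting it" }
        Remove-Item -Path $key -Recurse -Force
        Write-Host "Removed $key (backup saved to $backup)"
    } else {
        Write-Host "$key not present; nothing to remove"
    }
}
```

Run it first with no parameters to audit, then with `-AsrMode Block -RemoveMsdtHandler` once you are satisfied; the exported .reg file is the backup the text asks for.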
Here are the main non-technical takeaways from this zero-day exploit:
From the above, there is no reason to panic, however, be VIGILANT! At this time, DO NOT download any Word documents, whether from the Internet or by email, that you are not expecting. Over the upcoming weeks we expect to see an increase in attacks by email, but as an end user you have the power to limit how widespread this gets by simply practicing safe hygiene and only downloading documents that you are expecting.
Tekie Geek will continue to monitor this exploit and release further information as it becomes available. Also, for our Managed Service clients, we will be implementing any patches and/or mitigations deemed necessary to keep you safe, as you have come to expect from the IT Superheroes!