0-Day Exploit Notification - Microsoft Office RCE – “Follina” MSDT Attack

Several researchers have come across a novel attack that circumvents Microsoft's Protected View and anti-malware detection.

Tekie Geek is keeping a close eye on a new developing zero-day, zero-click remote code execution (RCE) technique that uses MSDT (Microsoft Diagnostics Tool) and Microsoft Office utilities, most widely Microsoft Word. Over the coming days, security professionals expect exploitation attempts in the wild to increase, with the primary attack vector being email-based delivery.

The “Follina” exploit abuses a flaw in the Microsoft Office suite to run a script that, in its first iteration, launches a hidden window to kill the msdt.exe tool if it is running and then launches a malware payload. This payload could be modified in the coming days to load ransomware executables, remote control tools, or any other payload that an attacker would like to place on a PC.

Thanks to our security partner Huntress, there is some early information on mitigation efforts. While a patch has not yet been released at the time of writing, you can still pursue mitigations to limit your attack surface.

If you are using Microsoft Defender’s Attack Surface Reduction (ASR) rules in your environment, activating the rule “Block all Office applications from creating child processes” in Block mode will prevent this from being exploited. However, if you are not yet using ASR, you may wish to run the rule in Audit mode first and monitor the outcome to ensure there is no adverse impact on end users.

Another option is to remove the file type association for ms-msdt (this can be done in the Windows Registry under HKCR:\ms-msdt or with Kelvin Tegelaar’s PowerShell snippet). When the malicious document is opened, Office will not be able to invoke ms-msdt, thus preventing the malware from running. Be sure to make a backup of the registry settings before using this mitigation.
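The following PowerShell script is an added example (not from the original post, Huntress, or Kelvin Tegelaar’s snippet) that applies both mitigations above: it enables the Defender ASR rule in Audit mode and reports the rule state Defender records, then backs up and removes the ms-msdt handler, with a restore function for when the workaround is no longer needed. The rule GUID is Microsoft’s published identifier for “Block all Office applications from creating child processes”; the backup file location is an assumed path.

```powershell
#Requires -RunAsAdministrator
# Added example: applies the two Follina mitigations described above.
# Run from an elevated PowerShell session on the endpoint being hardened.

# Microsoft's published GUID for "Block all Office applications from creating child processes".
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Set-OfficeChildProcessRule {
    param(
        # Start with AuditMode to observe impact on users; switch to Enabled to block.
        [ValidateSet('AuditMode', 'Enabled')]
        [string]$Mode = 'AuditMode'
    )
    Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                     -AttackSurfaceReductionRules_Actions $Mode
    # Read back what Defender now reports for this rule (1 = Block, 2 = Audit).
    $prefs = Get-MpPreference
    for ($i = 0; $i -lt $prefs.AttackSurfaceReductionRules_Ids.Count; $i++) {
        if ($prefs.AttackSurfaceReductionRules_Ids[$i] -eq $OfficeChildProcRule) {
            return $prefs.AttackSurfaceReductionRules_Actions[$i]
        }
    }
    return $null
}

# Registry key that maps the ms-msdt: URL protocol to msdt.exe.
$MsdtKey    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # assumed backup path

function Disable-MsdtProtocol {
    if (-not (Test-Path $MsdtKey)) {
        Write-Host 'ms-msdt handler already absent; nothing to do.'
        return
    }
    # Export first so the key can be restored later; /y overwrites an older backup.
    reg.exe export 'HKCR\ms-msdt' $BackupFile /y | Out-Null
    if (-not (Test-Path $BackupFile)) { throw "Backup failed; refusing to delete $MsdtKey" }
    Remove-Item -Path $MsdtKey -Recurse -Force
    Write-Host "Removed ms-msdt handler; backup saved to $BackupFile"
}

function Restore-MsdtProtocol {
    # Re-imports the saved key once a vendor patch makes the workaround unnecessary.
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
    reg.exe import $BackupFile
}

Set-OfficeChildProcessRule -Mode AuditMode
Disable-MsdtProtocol
```

Re-run `Set-OfficeChildProcessRule -Mode Enabled` once Audit mode has shown no user impact, and keep the exported .reg file until the handler is restored.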

Here are the main non-technical takeaways from this zero-day exploit:

  • This is a zero-day attack that sprung up out of nowhere, and there’s currently no patch available at the time of this blog post writing.
  • This zero-day exploit features remote code execution, which means that once this code is detonated, threat actors can elevate their own privileges and potentially gain “god mode” access to the affected environment allowing for them to load any payload they choose, including ransomware, remote control, etc…
  • The current mitigations being recommended are messy workarounds whose impact the industry has not had time to study; however, they are necessary to stay a step ahead of the attackers.
  • Detonating this malicious code is as simple as opening up a Word doc—in preview mode. This means that simply downloading the file and looking at the file in Windows Explorer could be enough for the payload to be delivered.

From the above, there is no reason to panic, however, be VIGILANT! At this time, DO NOT download any Word documents, either from the Internet or by email, that you are not expecting. Over the upcoming weeks we expect to see an increase in attacks by email, but as an end user you have the power to limit how widespread this gets by practicing safe hygiene and only downloading documents that you are expecting.

Tekie Geek will continue to monitor this exploit and release further information as it becomes available. Also, for our Managed Service clients, we will be implementing any patches and/or mitigations deemed necessary to keep you safe, as you have come to expect from the IT Superheroes!
