Microsoft recently released the June 2022 cumulative update for Windows, which includes a fix for the notorious Follina vulnerability.
“Microsoft strongly suggests that users install updates in order to be 100% protected from this vulnerability. Customers who have their systems set up to automatically receive updates are not required to take any additional action,” Microsoft said in its announcement.
Discovered by cybersecurity professional Kevin Beaumont and dubbed “Follina”, the vulnerability relies on a Windows tool named msdt.exe that is designed to run various troubleshooter programs on Windows.
The research found that a user who downloads a weaponized Word file does not even need to open it: simply previewing it in Windows Explorer is enough for the tool to be misused (the file must be in RTF format for this to work, however).
Follina is abused in the wild
By abusing this utility, attackers can instruct the targeted endpoint to load an HTML file from an external URL.
The attackers used the xmlformats.com domain, likely to blend in with the similar-looking but legitimate openxmlformats.org domain, which commonly appears in Word documents.
The HTML file is padded with “junk” content that obscures its real purpose: a script that downloads and executes a payload.
Microsoft’s fix does not stop Office from loading Windows protocol URI handlers automatically and without user interaction, but it blocks the PowerShell injection, rendering the attack unusable.
Since the flaw was identified and its use became public, the first to adopt it were, according to reports, Chinese state-backed threat actors running cyberattacks against the global Tibetan community.
“TA413, the CN APT, has discovered ITW exploiting Follina’s 0Day by using URLs to distribute Zip Archives which contain Word Documents which employ the method,” cybersecurity researchers from Proofpoint announced just two weeks ago.
The company also found Follina being used by a different threat actor, TA570, to distribute Qbot, and NCC Group observed it being abused by Black Basta, a known ransomware group.