Thanks!
Your application is accepted.
We will contact you shortly to clarify the details.
Oleksandr Sharuiev
moc.hcetokab%40veiurahs.rdnaskelo
Follina, a vulnerability in the Microsoft Support Diagnostic Tool, has become widely known in recent months. Most workstations use Windows as their operating system, and almost all have MS Office installed. Thus, they jeopardise their sensitive data as these workstations are all under serious threat.
In this article, we will take a closer look at the CVE-2022-30190 vulnerability, consider why it is dangerous, and how to protect against it with Trellix solutions.
Brief information
On May 27, 2022, researchers at nao_sec tweeted about an intriguing document they found on VirusTotal. It was downloaded from a Belarusian IP address and intended to exploit an unknown vulnerability. The document works as follows: it pulls up an HTML file that calls the Troubleshooter (MSDT) to download the payload and execute it through PowerShell. Microsoft Support Diagnostic Tool (MSDT) is used to detect errors in the system, but in this case, it itself contains a critical error.
Follina does not require any particular interaction with the user, which is its primary danger. For operation, it is enough to open the document and, in some modifications, even view it in explorer. Also, the exploit does not contain macros and does not cause unnecessary warnings, which allows you to execute malicious code in the background secretly. In addition, msdt.exe is a signed binary file that allows malicious code to bypass basic Windows scans.
As a result, the attacker gets the opportunity to execute any PowerShell command, that is, to do almost anything, limited only by his privilege level and imagination.
Follina in action
What a marvellous wallpaper!
First, let's consider the case when an attacker needs to change the background image on the victim's system.
Let's create a malicious document. Running it will execute the wallpaper.ps1 PowerShell script from the remote web server.
When executed, wallpaper.ps1 will change the desktop's background image and pop up a window with the user's message. The script looks like this:
Next, the malicious document must be delivered to the target system and wait for the user to open it.
After the document is launched, the victim's screen displays the process of diagnosing problems, but, in fact, it is the script prepared by the attacker executed. The whole process of working out the exploit is shown in the video.
After the document is delivered and opened, system troubleshooting begins, and a malicious script runs in the background. It downloads the netcat utility and then uses it to connect to the hacker's server.
Protection methods
After discovering the Follina vulnerability at the end of May, it took Microsoft more than two weeks to fix it. As a result, most Windows-based systems were at risk, and the only way to protect them was to use security systems from other vendors. In turn, Trellix solutions, already in the early days, identified and blocked any attempts to exploit this vulnerability.
The exploitation of CVE-2022-30190 can be found at both the workstation and network levels. Trellix lets you simultaneously detect a threat at both levels, increasing protection effectiveness. Let's look at a few critical solutions.
Trellix Endpoint Security
Trellix Endpoint Security (ENS) is a solution for protecting workstations from a wide variety of threats, which has the functionality of both signature and behavioural analysis. It can identify known threats at high speed and, in the case of using defence evasion techniques, detect them by suspicious activity.
After installing Trellix ENS on a workstation, a second attempt was made to exploit this vulnerability. Signature analysis cleared the document immediately after loading it, and behavioural analysis eliminated the threat at the startup.
In addition, Trellix ENS has a distinct feature for protection against exploiting vulnerabilities – Exploit Prevention. The detection is based on a set of rules that the vendor constantly updates. You can also create your own exploit detection rules specific to each organisation.
A malicious document can be assigned a unique hash and the payload obfuscated, but, one way or another, the document will have to resort to a troubleshooting process to exploit CVE-2022-30190. To track this action, let's create a rule that will control the access of Microsoft Word, Excel and Outlook to msdt.exe.
To create your own rule in the expanded Exploit Prevention policy display, you must click "Add Expert Rule".
In the rule editor, give it a name and importance, and then select the protection object – in our case, it is "Processes". The rule looks like this:
Rule {Process {Include OBJECT_NAME { -v "WINWORD.exe" }Include OBJECT_NAME { -v "EXCEL.exe" }Include OBJECT_NAME { -v "OUTLOOK.exe"}}Target {Match PROCESS {Include OBJECT_NAME { -v "msdt.exe" }
Include -access "CREATE"}}}
After creating the rule, we will try to exploit the vulnerability again. Now nothing extra happens when a malicious document is launched. If you look at the Trellix ENS log, you can see the triggering of our rule, the source and target process, and the exploit line in plain text.
In addition to tracking processes, Exploit Prevention allows you to create rules to control actions with files, services, registry keys, API usage, and buffer overflow attempts.
Creating rules may seem like a rather complicated process, but the possibilities provided by Exploit Prevention are worth the time to study documentation.
Trellix MVISION EDR
Trellix Endpoint Security is an essential solution for protecting workstations. It blocks about 80% of both known and unknown threats. Trellix MVISION EDR allows you to increase the level of protection, which conducts a continuous analysis of the state of workstations and analyses each event on them. Starting services, creating files and changing registry keys will be carefully examined and transferred to the security analyst if a threat is detected.
To test MVISION EDR, an attempt was made to exploit it and then obtain a command shell. Approximately one minute later, EDR generated two incidents: one for an exploit attempt and the second for actions after receiving a command shell.
EDR calculates a hash for each suspicious file, compares process actions with MITR E ATT&CK techniques, and classifies malicious activities using its own method. It reveals the reason for the file's distrust and helps to conduct a better investigation.
In the first case, EDR discovered Indirect Code Execution techniques and detection evasion since a trusted signed executable is used for exploitation. Also, using Trellix EDR, you can see the order of starting processes and executing commands: for example, similarly to Exploit Prevention, we see the original exploit line.
In the second incident, Trellix EDR detected a malicious network connection and captured every step the attacker had made. The report shows that the ping, whoami, systeminfo, nslookup, and ipconfig utilities were run, indicating thorough reconnaissance. Trellix MVISION EDR could also detect the attacker's IP address and the network port listening on the connection. It made it possible to quickly block malicious network connections and protect other systems from infection.
In addition, with Trellix MVISION EDR, you can search for files with a specific name or hash and then delete them, quarantine the infected workstation, and perform automatic investigations. Look for more in the following articles.
Trellix Network Security Platform
Trellix successfully detects and blocks attempts to exploit vulnerabilities at the workstation level, but its capabilities are not limited. For more reliable protection, it is necessary to ensure the identification of one threat by the maximum number of various security tools. The next obstacle in Follina's way will be the Trellix Network Security Platform (NSP). This IDS/IPS-class system provides network visibility and protection against network intrusions, DDOS attacks and malware.
Immediately after attempting to exploit CVE-2022-30190, NSP began to generate a critical warning about a detected threat. You can immediately see the attacker's IP address and the attack's victim on the main dashboard. In addition, Trellix NSP allows you to download malicious network packets for deeper study, for example, in Wireshark.
Diving into the incident, you can see by what parameters IPS detected the threat and details about the 7th layer of the OSI model. It is worth noting that Follina detection is based on signatures, which may not be effective in the early days of a threat. However, Trellix issued a rule almost immediately to mitigate this threat.
For each detection in the Trellix NSP, a brief description of the threat is given to understand its severity and possible consequences better. For more detailed information, a link to additional sources is attached to each rule.
Summing up, the Trellix Network Security Platform is a powerful and multifunctional IDS/IPS, and even five similar articles will not be enough to describe its capabilities. But most importantly, only a minimal system setup is required to get decent results.
Conclusions
CVE-2022-30190, codenamed Follina, is a serious security threat for both ordinary users and large organisations.
To effectively counter such threats, it is necessary to implement solutions from trusted vendors that will allow you to identify new threats as soon as possible.
Trellix is an excellent example of a reliable vendor. All its solutions are maximally integrated and demonstrate high efficiency. With Trellix, users and businesses can provide end-to-end infrastructure protection and prevent incidents.
Useful links
● MS-MSDT "Follina" Attack Vector
● 'Follina' MS-MSDT n-day Microsoft Office RCE
● Документація з продуктів Trellix
● Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability
● Qbot malware now uses Windows MSDT zero-day in phishing attacks
● Exfiltrating Data With Bookmarks