Microsoft has confirmed a zero-day vulnerability, referred to as Follina, that impacts Microsoft Office.
In a post on Monday, the Microsoft Security Response Center provided guidance on the Office vulnerability.
“An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application,” said Microsoft in the post. “The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”
Although there is no patch yet for the vulnerability, Microsoft has advised MSPs and IT administrators to disable the Microsoft Diagnostics Tool (MSDT) URL protocol.
Furthermore, Microsoft advised customers with Microsoft Defender Antivirus to turn on cloud-delivered protection and automatic sample submission. That enables artificial intelligence and machine learning “to quickly identify and stop new and unknown threats,” said Microsoft.
MSP threat researcher Huntress issued a “rapid response” to the Microsoft Office Follina attack on Monday. “Currently, there is no patch available, and we recommend cautioning your end users to be extra vigilant when opening up any attachments, particularly Word documents,” said Huntress in a threat post.
Huntress said the Office vulnerability is “pretty trivial” to reproduce and that it expects “cybercriminals to begin weaponizing” it for initial access immediately by sending emails with the malicious code.
“Huntress is keeping a close eye on the developing threat of a zero-click remote code execution technique used through MSDT (Microsoft Diagnostics Tool) and Microsoft Office utilities, namely Microsoft Word. Throughout the next coming days, we expect exploitation attempts in the wild through email-based delivery,” wrote Huntress Threat Researcher John Hammond in a post.
No patch available for Follina
The zero-day attack “sprung up out of nowhere and there’s currently no patch available,” wrote Hammond. He said the zero-day vulnerability features remote code execution, “which means that once this code is detonated, threat actors can elevate their own privileges and potentially gain ‘God Mode’ access to the affected environment.”
MSPs using Microsoft Defender’s Attack Surface Reduction should activate the rule “Block all Office applications from creating child processes” in Block mode, wrote Hammond, which should prevent the zero-day vulnerability from being exploited.
Another option, Hammond said, is to remove the file type association for the Microsoft Diagnostics Tool.
“The mitigations that are available are messy workarounds that the industry hasn’t had time to study the impact of,” wrote Hammond. “They involve changing settings in the Windows Registry, which is serious business because an incorrect Registry entry could brick your machine.”
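The interim mitigations described above (disable the MSDT URL protocol, enable the Defender ASR rule in Block mode, turn on cloud-delivered protection) as one elevated PowerShell script. This is an added example, not Microsoft's, Huntress's or Kelvin Tegelaar's snippet; the `HKEY_CLASSES_ROOT\ms-msdt` key and the ASR rule GUID are assumed from Microsoft's published guidance rather than quoted in the article, and the script exports the key before touching it so the change can be reverted.

```powershell
#Requires -RunAsAdministrator
# Added example: apply the interim Follina mitigations and keep a backup of
# the registry key that is removed. Assumptions (not from the article):
#   - the ms-msdt: URL handler lives under HKEY_CLASSES_ROOT\ms-msdt
#   - D4F940AB-... is the ASR rule "Block all Office applications from
#     creating child processes"
$ProtocolKey = 'HKCR:\ms-msdt'
$AsrRuleId   = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
$BackupFile  = Join-Path $env:ProgramData 'ms-msdt-backup.reg'

# The HKCR: drive is not mapped by default in PowerShell
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

function Disable-MsdtProtocol {
    if (-not (Test-Path $ProtocolKey)) {
        Write-Host 'ms-msdt protocol key not present; nothing to do'
        return
    }
    # Export first; revert later with: reg.exe import <backup file>
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Backup export failed; no change made' }
    Remove-Item -Path $ProtocolKey -Recurse -Force
    Write-Host "ms-msdt handler removed; backup saved to $BackupFile"
}

function Enable-OfficeChildProcessBlock {
    # 'Enabled' is Block mode; use 'AuditMode' first to measure impact
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRuleId `
                     -AttackSurfaceReductionRules_Actions Enabled
}

function Enable-CloudProtection {
    # Cloud-delivered protection plus automatic sample submission
    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendAllSamples
}

Disable-MsdtProtocol
Enable-OfficeChildProcessBlock
Enable-CloudProtection

# Verification: the rule id should be listed and the key should be gone
(Get-MpPreference).AttackSurfaceReductionRules_Ids
Test-Path $ProtocolKey
```

Run the ASR rule in AuditMode on a pilot group before switching to Enabled if your tenant relies on Office add-ins that spawn helper processes.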
Jason Slagle, president of CNWR, a Toledo, Ohio, MSP, said his team has moved swiftly to remove the Microsoft Diagnostics Tool with Kelvin Tegelaar’s PowerShell snippet. He expects a Microsoft patch for the vulnerability to be released quickly.
“This is bad,” said Slagle. “On a scale of one to ten this is an eight or a nine in terms of the threat to MSPs. This is just the nature of IT these days. Zero day vulnerabilities are just part of being an MSP.”
Slagle said it is not an accident that the zero-day vulnerability took place during a holiday weekend. “Look at history, these kinds of attacks are more prevalent on holiday weekends,” he said.
Slagle said he expects the vulnerability to be used in phishing campaigns by attackers. “This is remote command execution,” he said. “This is how someone will get into a system and from there they can do whatever they want including launching ransomware.”
Access to backups key for MSPs
Danny Jenkins, CEO of application whitelisting and ringfencing software provider ThreatLocker, said the Follina threat allows an attacker to upload data to the internet or encrypt the user’s files if MSPs are not using ringfencing or whitelisting.
In most cases, MSPs with good processes and access to backups would be able to avoid a ransomware scenario. “This is not like a Kaseya type incident where all your clients get hit at once,” said Jenkins, referring to last year’s July 4th ransomware attack that impacted 800 to 1,500 MSPs and left 50 MSPs grappling with ransomware. “The chances are as an MSP you will experience this threat at some point.”
As soon as Microsoft issues a patch, MSPs should implement it immediately, said Jenkins. MSPs could also stop Microsoft Office from calling out to the internet, said Jenkins, or ringfence PowerShell so it cannot make a call to the internet.
“The way this vulnerability works is when you open an Office document it calls the Microsoft diagnostic tool; the Microsoft diagnostics tool then calls PowerShell (a Microsoft task automation tool); PowerShell then goes out to the internet and downloads something malicious or runs a command to upload your files to the internet,” said Jenkins. “If you can stop Office from calling that command or PowerShell from going out to the internet it stops it.”
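The process chain Jenkins describes (Office application, then msdt.exe, then PowerShell) is what a detection should key on. The following is an added example, not code from the article or from any vendor quoted in it: it walks constructed process-creation records with Sysmon-style field names (assumed), reports every msdt.exe launched by an Office application, and raises the severity when msdt.exe itself went on to spawn children.

```powershell
# Added example: hunt for Office -> msdt.exe -> child process chains in
# process-creation telemetry. Records below are constructed for the example;
# field names (ProcessId, ParentProcessId, Image, CommandLine) are assumed
# to mirror Sysmon event 1 and are not taken from the article.
$SampleEvents = @(
    [pscustomobject]@{ Utc='2022-05-30T14:02:11Z'; ProcessId=3200; ParentProcessId=1120; Image='C:\Windows\explorer.exe'; CommandLine='explorer.exe' }
    [pscustomobject]@{ Utc='2022-05-30T14:02:15Z'; ProcessId=4100; ParentProcessId=3200; Image='C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; CommandLine='"WINWORD.EXE" C:\Users\user\Downloads\invoice.docx' }
    [pscustomobject]@{ Utc='2022-05-30T14:02:21Z'; ProcessId=4388; ParentProcessId=4100; Image='C:\Windows\System32\msdt.exe'; CommandLine='msdt.exe ms-msdt:/... (constructed; payload elided)' }
    [pscustomobject]@{ Utc='2022-05-30T14:02:23Z'; ProcessId=4512; ParentProcessId=4388; Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine='powershell.exe -enc <constructed>' }
    [pscustomobject]@{ Utc='2022-05-30T14:05:02Z'; ProcessId=5020; ParentProcessId=3200; Image='C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'; CommandLine='"EXCEL.EXE" budget.xlsx' }
)

function Get-ImageName([object]$Event) {
    ([IO.Path]::GetFileName($Event.Image)).ToUpperInvariant()
}

function Find-OfficeMsdtChains {
    param([Parameter(Mandatory)][object[]]$Events)
    $officeApps = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE'
    $byPid = @{}
    foreach ($e in $Events) { $byPid[[int]$e.ProcessId] = $e }

    foreach ($e in $Events) {
        if ((Get-ImageName $e) -ne 'MSDT.EXE') { continue }
        $parent = $byPid[[int]$e.ParentProcessId]
        if (-not $parent -or $officeApps -notcontains (Get-ImageName $parent)) { continue }

        # Breadth-first walk of msdt's descendants (PowerShell, cmd, ...)
        $descendants = New-Object System.Collections.Generic.List[object]
        $queue = New-Object System.Collections.Queue
        $queue.Enqueue([int]$e.ProcessId)
        while ($queue.Count -gt 0) {
            $p = $queue.Dequeue()
            foreach ($c in ($Events | Where-Object { [int]$_.ParentProcessId -eq $p })) {
                $descendants.Add($c); $queue.Enqueue([int]$c.ProcessId)
            }
        }
        [pscustomobject]@{
            Time        = $e.Utc
            OfficeApp   = Get-ImageName $parent
            Document    = $parent.CommandLine
            MsdtCommand = $e.CommandLine
            Children    = ($descendants | ForEach-Object { Get-ImageName $_ }) -join ' -> '
            Severity    = $(if ($descendants.Count -gt 0) { 'High' } else { 'Medium' })
        }
    }
}

Find-OfficeMsdtChains -Events $SampleEvents | Format-List
```

On the constructed records this reports one High-severity chain (WINWORD.EXE opening invoice.docx, msdt.exe, then powershell.exe) and ignores the Excel launch, which has no msdt.exe child.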