Symantec: More malware operators moving in to exploit Follina

Meanwhile Microsoft still hasn't patched the fatal flaw


While enterprises are still waiting for Microsoft to issue a fix for the critical "Follina" vulnerability in Windows, yet more malware operators are moving in to exploit it.

Microsoft late last month acknowledged the remote code execution (RCE) vulnerability – tracked as CVE-2022-30190 – but has yet to deliver a patch for it. The company has outlined workarounds that can be used until a fix becomes available.

In the meantime, reports of active exploits of the flaw continue to surface. Analysts with Proofpoint's Threat Insight team earlier this month tweeted about a phishing campaign, possibly aligned with a nation-state targeting US and European Union agencies, which uses Follina. The Proofpoint researchers said the malicious spam messages were sent to fewer than 10 Proofpoint product users.

Then, this week, Proofpoint researchers detected another phishing campaign run by a group connected to the Qbot data-stealing and backdoor botnet that was using Follina to infect systems with its malware.

Now Symantec threat hunters say they also have detected other groups using the flaw to deliver payloads of malware. In one instance, the attackers are deploying the remote access trojan (RAT) AsyncRAT, which includes a valid digital signature. Other attackers are deploying information stealer malware as the payload onto a compromised system.

"Since the details of the vulnerability started surfacing online, attackers were quick to start taking advantage of the flaw to install their payloads," the researchers wrote in a blog post. "Symantec has observed attackers using a similar HTML file to that used in the initial attack. Multiple attackers are using a variety of payloads at the end of successful exploitation."

Follina is a RCE vulnerability in the Microsoft Support Diagnostic Tool (MSDT) that allows attackers to subvert the ms-msdt protocol handler process. Attackers can use a specially crafted Word document that loads a malicious HTML file through the application's remote template function, according to Symantec.

If exploited, the attacker can potentially perform such tasks as running arbitrary code, installing programs, viewing, changing or deleting data and creating new accounts. They also can load and execute PowerShell code within Windows and the vulnerability can additionally be exploited via the Rich Text Format (RTF) file format, the researchers wrote.

One of the problems is that attackers don't need to use macros, so they don't need to trick victims into enabling macros for the attack to work. The vulnerability is on all supported versions of Windows.

According to the Symantec researchers, when the AsyncRAT runs, it will check for analysis functions on the system and work to shut them down. It then collects information about the compromised system, such as hardware identification, the username, executed path and operating system information. The information is then sent to a command-and-control (C2) server and executes the commands from the C2 server on the infected machine.

The information stealer that is being deployed by some threat groups steals such information as cookies and saved login data from web browsers, including Microsoft Edge, Chrome and Firefox.

Threat hunters with cybersecurity vendor Kaspersky also have been tracking attacks using the Follina flaw, noting in a blog post this week that organizations in the US are particularly being targeted. Other countries under attack include Russia, Brazil and India, as well as some in Western Europe.

"We expect to see more Follina exploitation attempts to gain access to corporate resources, including for ransomware attacks and data breaches," they wrote. 

While bad actors are going hard to exploit the vulnerability, it has been known about since 2020, when an academic paper was published outlining the flaw. In April, the Shadow Chaser Group tweeted that it had reported its own take on the vulnerability to Microsoft. ®


Other stories you might like

  • Now Windows Follina zero-day exploited to infect PCs with Qbot
    Data-stealing malware also paired with Black Basta ransomware gang

    Miscreants are reportedly exploiting the recently disclosed critical Windows Follina zero-day flaw to infect PCs with Qbot, thus aggressively expanding their reach.

    The bot's operators are also working with the Black Basta gang to spread ransomware in yet another partnership in the underground world of cyber-crime, it is claimed.

    This combination of Follina exploitation and its use to extort organizations makes the malware an even larger threat for enterprises. Qbot started off as a software nasty that raided people's online bank accounts, and evolved to snoop on user keystrokes and steal sensitive information from machines. It can also deliver other malware payloads, such as backdoors and ransomware, onto infected Windows systems, and forms a remote-controllable botnet.

    Continue reading
  • Unpatched Exchange server, stolen RDP logins... How miscreants get BlackCat ransomware on your network
    Microsoft details this ransomware-as-a-service

    Two of the more prolific cybercriminal groups, which in the past have deployed such high-profile ransomware families as Conti, Ryuk, REvil and Hive, have started adopting the BlackCat ransomware-as-as-service (RaaS) offering.

    The use of the modern Rust programming language to stabilize and port the code, the variable nature of RaaS, and growing adoption by affiliate groups all increase the chances that organizations will run into BlackCat – and have difficulty detecting it – according to researchers with the Microsoft 365 Defender Threat Intelligence Team.

    In an advisory this week, Microsoft researchers noted the myriad capabilities of BlackCat, but added the outcome is always the same: the ransomware is deployed, files are stolen and encrypted, and victims told to either pay the ransom or risk seeing their sensitive data leaked.

    Continue reading
  • Azure issues not adequately fixed for months, complain bug hunters
    Redmond kicks off Patch Tuesday with a months-old flaw fix

    Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

    In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

    And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

    Continue reading

Biting the hand that feeds IT © 1998–2022