By Dirk Schrader, Resident CISO (EMEA) and VP of Security Research, Netwrix
A new vulnerability in the Microsoft Office universe has been recently discovered. Let’s examine some details about it. How Microsoft Support Diagnostic Tool (MSDT) and other tools can be turned against organizations? What IT teams can do to prevent something bad from happening?
What is going on?
Freshly discovered CVE-2022-30190 vulnerability in MS Office provides attackers with a new way of hijacking organizations’ IT environments through endpoints. This exploit is likely to work on most Windows / MS Office installations, if they aren’t patched yet.
The attacker crafts a MS Word document that contains the malware code, sends it to someone’s business email address and uses common social engineering techniques to lure the recipient into opening it. Remember Log4Shell vulnerability discovered in December 2021, where the issue was about an uncontrolled way of executing a function in a function combined with the ability to call for external resources. This 0-day, initially named ‘Follina’, works in a similar way.
Word has a feature called ‘remote template’ which is misused to get a HTML file from a distant location. Once received, this HTML file uses a functionality in MSDT to execute an embedded payload, using Powershell script or other tools available on the target.
Windows built-in security tools are likely not to catch this activity.Standard hardening benchmarks don’t cover it either. Built-in defensive mechanism like Defender or common restrictions for the use of macros will not block this attack as well.
The exploit seems to be out in the wild for more than a month now, with various modifications as to what should be executed on the targeted system.
What is affected?
Microsoft lists 41 different product versions, from Windows 7 to Windows 11 and from Server 2008 to Server 2022. Known and proven as affected are Office, Office 2016, Office 2021 and Office 2022, regardless of the version of Windows they are running on. Patches have already been issued.
The bigger picture
Both this MSDT vulnerability and Log4Shell are trying to use documented functions against the victim, relying on the aspect that these are executed within the trusted space. APT groups will look for more of these ‘function in an function’ vulnerabilities. In the weeks after CVE-2022-30190 was published, some additional ways of exploiting similar functionality made the round.
Within the coming weeks, attackers will likely check for ways to weaponize this attack vector and use it in spear phishing campaigns. Cyber crooks will apparently combine this attack vector with other recent techniques (like one discovered in Japan) as well as with privilege escalation techniques to elevate from the current user’s context. Keeping in mind the possibility of this ‘combined’ tactic, IT pros should make sure that systems are closely monitored to detect breach activity.
What to do to ensure security?
For CVE-2022-30190, initial findings indicated that deleting a certain registry key will stop this exploit from working, but benchmarks like those from CIS and DIA STIG seem to not cover the needed setting as part of the hardening process. In the meantime, installing the patch should be on the priority list, if not done yet.
To detect suspicious activity related to this kind of attack vector, IT teams need to closely monitor changes within their organizations’ systems, especially in system folders, and timely spot unwanted processes or services started.
In Windows-based environments, another measure that can help prevent these types of attack is establishing a set of Windows group policies and PAM 2.0 measures that will lock down your systems so that the vector is prevented from executing that function in function or the user is confined and restricted in the privileges assigned.
About the Author
Dirk Schrader is Resident CISO (EMEA) and VP of Security Research at Netwrix. A 25-year veteran in IT security with certifications as CISSP (ISC²) and CISM (ISACA), he works to advance cyber resilience as a modern approach to tackling cyber threats. Dirk has worked on cybersecurity projects around the globe, starting in technical and support roles at the beginning of his career and then moving into sales, marketing and product management positions at both large multinational corporations and small startups. He has published numerous articles about the need to address change and vulnerability management to achieve cyber resilience.
Dirk can be reached on Twitter @DirkSchrader_ at www.netwrix.com