Researchers warned last weekend that a flaw in Microsoft's Support Diagnostic Tool (MSDT) could be used to take control of target devices, and Microsoft released guidance on Monday. The United States Cybersecurity and Infrastructure Security Agency warned on Tuesday that Follina could be used to take control of an affected system. Even though Microsoft acknowledged that the flaw was being actively exploited by attackers in the wild, it would not say whether or when a patch would be released. When asked about the patch yesterday, the company had no comment.
Follina can be exploited with a Word document. The lure references a remote template; when Word fetches it, the template can invoke the diagnostic tool and run PowerShell commands on the victim's Windows machine. Microsoft has not classified the bug as a zero-day vulnerability, even though researchers would describe it as one.
"After public knowledge of the exploit grew, we began seeing an immediate response from a variety of attackers." While attackers have mainly been exploiting the flaw through malicious documents, researchers have discovered other methods as well, including the manipulation of HTML content in network traffic.
Until a patch ships, the less-documented ways of triggering the exploit are troubling: as long as the option is available, the vulnerability is too easy for threat actors to exploit.
All supported versions of Windows are vulnerable. Microsoft's proposed workaround is to disable the diagnostic tool's URL protocol handler (the ms-msdt: protocol, which the lure invokes) by backing up and deleting its registry key, and to use Microsoft Defender to monitor for and block exploitation attempts. That workaround stops documents and web pages from launching the tool, but it is a mitigation, not a fix.
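To make the delivery chain above concrete, here is a small triage script written for this page; it is example code, not tooling from the article, Microsoft, or any of the researchers quoted. It assumes a standard OOXML .docx, in which a remote template appears as an attachedTemplate relationship with TargetMode="External" in word/_rels/settings.xml.rels, and it assumes that the HTML served for that template URL (captured from network traffic, as the researchers describe) would navigate to the ms-msdt: protocol handler. Nothing is fetched; the sample document and HTML are constructed inline.

```python
"""Follina delivery-chain triage: flag a .docx that pulls a remote template,
and flag fetched HTML that invokes the ms-msdt: protocol handler.

Added example for this page, not code from the article, Microsoft or Proofpoint.
Assumptions: standard OOXML layout (the remote template is an attachedTemplate
relationship with TargetMode="External" in word/_rels/settings.xml.rels); the
HTML content is supplied by the caller (e.g. from a network capture), so
nothing is fetched here. The sample document and HTML below are constructed.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
# Indicator: a navigation to the MSDT URL protocol handler.
MSDT_RE = re.compile(r"ms-msdt:", re.IGNORECASE)


def remote_template_targets(docx_bytes: bytes) -> List[str]:
    """Return http(s) URLs of templates the document loads from outside the package.

    Remote templates are legitimate in some organisations, so this is a triage
    signal rather than a verdict; an unknown external host is what to investigate.
    Local templates (file: targets) are deliberately not reported.
    """
    targets: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                if urlparse(target).scheme in ("http", "https"):
                    targets.append(target)
    return targets


def html_invokes_msdt(html: str) -> bool:
    """True if the HTML contains an ms-msdt: URL (the handler the exploit abuses)."""
    return MSDT_RE.search(html) is not None


def triage(docx_bytes: bytes, fetched_html: Dict[str, str]) -> Dict[str, object]:
    """Combine both checks. fetched_html maps template URL -> HTML body captured
    from network traffic for that URL (empty if nothing was captured)."""
    targets = remote_template_targets(docx_bytes)
    msdt_urls = [u for u in targets if html_invokes_msdt(fetched_html.get(u, ""))]
    if msdt_urls:
        verdict = "follina-pattern"   # remote template whose HTML invokes ms-msdt:
    elif targets:
        verdict = "remote-template"   # worth a look, but no MSDT invocation seen
    else:
        verdict = "clean"
    return {"remote_templates": targets, "msdt_urls": msdt_urls, "verdict": verdict}


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Constructed minimal .docx containing only the parts the checks read."""
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    r_ns = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    rels = [f'<Relationships xmlns="{REL_NS}">']
    settings = f'<w:settings xmlns:w="{w_ns}" xmlns:r="{r_ns}">'
    if template_target:
        rels.append(
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_target}" TargetMode="External"/>'
        )
        settings += '<w:attachedTemplate r:id="rId1"/>'
    rels.append("</Relationships>")
    settings += "</w:settings>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml",
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        pkg.writestr("word/document.xml", f'<w:document xmlns:w="{w_ns}"><w:body/></w:document>')
        pkg.writestr("word/settings.xml", settings)
        pkg.writestr("word/_rels/settings.xml.rels", "".join(rels))
    return buf.getvalue()


# Constructed sample: a lure pulling its template from a hypothetical attacker host,
# and the HTML that host would return (the argument string after ms-msdt: is not shown).
LURE_TEMPLATE_URL = "http://template.example.invalid/x.html"
SAMPLE_HTML = '<html><body><script>location.href = "ms-msdt:/id PCWDiagnostic";</script></body></html>'

if __name__ == "__main__":
    lure = build_sample_docx(LURE_TEMPLATE_URL)
    print(triage(lure, {LURE_TEMPLATE_URL: SAMPLE_HTML}))
    print(triage(build_sample_docx(None), {}))
```

The two checks are separated on purpose: a remote template alone is a lead, not a conviction, and the HTML check also applies on its own to proxy or sandbox captures where no document is available.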
Given how easy it is to exploit the vulnerability and how much malicious activity is being detected, more action needs to be taken.
Michael Raggi, a staff threat researcher at Proofpoint who focuses on Chinese government-backed hackers, says a Chinese actor sent a malicious URL in an email that impersonated the Central Tibetan Administration. Different actors are slotting Follina-related files into different stages of their infection chains, depending on their toolkit and tactics.
Malicious documents have been seen targeting Russia, India, the Philippines, and Nepal, among other countries. The flaw was first reported to Microsoft on April 21. Follina is attractive to attackers because it can be triggered from a malicious document without relying on macros, a feature Microsoft has been working to restrict.
Proofpoint's vice president of threat research says that the company has identified a variety of actors using the Follina vulnerability.
The question is whether the guidance Microsoft has published is adequate and proportional to the risk.
Jake Williams, director of cyber threat intelligence at the security firm Scythe, says it is not clear why Microsoft is downplaying this vulnerability; it is being actively exploited in the wild.