Microsoft Follina Vulnerability in Windows Can Be Exploited Through Office 365


Researchers warned over the weekend that a vulnerability in the Microsoft Support Diagnostic Tool could be exploited using malicious Word documents to remotely take control of target devices. Microsoft released guidance on Monday, including temporary defensive measures. As of Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency was warning that “an unauthenticated, remote attacker could exploit this vulnerability,” known as Follina, “to take control of an affected system.” But Microsoft won’t say when, or if, a patch will be available, even though the company acknowledges that the vulnerability is being actively exploited by attackers. The company did not comment on the possibility of a patch when asked by WIRED yesterday.

The Follina vulnerability in a Windows-powered tool can be easily exploited with a specially crafted Word document. The lure document uses a remote template that retrieves a malicious HTML file, which ultimately lets the attacker execute PowerShell commands on Windows. The researchers note that they would describe the bug as a “zero-day,” or previously unknown vulnerability, but Microsoft has not classified it as such.

“After a broad understanding of the exploit, we started to see immediate feedback from many of the attackers who caught it and started using it,” said Tom Hegel, senior threat researcher at security firm SentinelOne. He added that while attackers have so far mainly been observed exploiting the vulnerability through malicious documents, researchers have also discovered other methods, including manipulating HTML content in network traffic.

“While the malicious documentation approach is of great interest, less documented methods where exploits can be triggered will cause trouble until patched,” Hegel said. “I would expect opportunistic and targeted threat actors to use this vulnerability in a variety of ways when given the option — it’s just too easy.”

The vulnerability is present in all supported versions of Windows and can be exploited through Microsoft Office 365, Office 2013 through 2019, Office 2021, and Office ProPlus. Microsoft’s main recommended mitigation involves disabling a specific protocol in the Support Diagnostic Tool and using Microsoft Defender Antivirus to track and block the exploit.
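The protocol Microsoft’s workaround targets is the ms-msdt: URL handler that launches the Support Diagnostic Tool. The script below is an added example, not code from the article or from Microsoft; it applies that workaround with a registry backup so it can be reverted once a fix ships. The backup path and function names are assumptions.

```powershell
# Added example: disable the ms-msdt: protocol handler (Microsoft's interim
# Follina workaround), keeping a .reg backup so the change can be undone later.
# Run from an elevated PowerShell prompt. $BackupPath is an assumed location.
$BackupPath = Join-Path $env:SystemDrive 'ms-msdt-backup.reg'
$KeyPath    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

function Test-MsdtHandlerEnabled {
    # $true while the ms-msdt: handler key is still registered.
    return Test-Path -LiteralPath $KeyPath
}

function Disable-MsdtHandler {
    if (-not (Test-MsdtHandlerEnabled)) {
        Write-Output 'ms-msdt handler already absent; nothing to do.'
        return
    }
    # Export first: the key is needed again once the vendor patch is installed.
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupPath failed; aborting." }
    & reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    # Verify rather than trust the exit code: the key must really be gone.
    if (Test-MsdtHandlerEnabled) { throw 'Handler key still present after delete.' }
    Write-Output "ms-msdt handler disabled; backup saved to $BackupPath"
}

function Restore-MsdtHandler {
    # Re-import the saved key after the fix is applied and validated.
    if (-not (Test-Path -LiteralPath $BackupPath)) { throw "No backup at $BackupPath" }
    & reg.exe import $BackupPath | Out-Null
    if (-not (Test-MsdtHandlerEnabled)) { throw 'Restore did not recreate the key.' }
    Write-Output 'ms-msdt handler restored.'
}

Disable-MsdtHandler
```

Keep the exported .reg file with the change ticket; the handler is needed for legitimate diagnostics, so call Restore-MsdtHandler once the patch is confirmed installed.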

However, incident responders say more action is needed, given how easy the vulnerability is to exploit and how much malicious activity is already being detected.

“We are seeing a lot of APT actors incorporating this technique into their attacks,” said Michael Raggi, a threat researcher at security firm Proofpoint who focuses on Chinese government-backed hackers. “We have seen longer infection chains using the Follina vulnerability. On May 30, 2022, we observed Chinese APT actor TA413 sending a malicious URL in an email impersonating the Central Tibetan Administration. Different actors are looking for Follina-related files at different stages of their infection chain, depending on their available toolkits and their deployed tactics.”

Researchers have also watched malicious material exploit Follina against targets in Russia, India, the Philippines, Belarus and Nepal. A university researcher first noticed the vulnerability in August 2020, but it was first reported to Microsoft on April 21. The researchers also note that Follina attacks are particularly useful to attackers because they can be launched from malicious documents without relying on macros, the heavily abused Office document feature that Microsoft has worked to restrain.

“Proofpoint has identified multiple actors that incorporate the Follina vulnerability in phishing campaigns,” said Sherrod DeGrippo, vice president of threat research at Proofpoint.

With all this real-world exploitation, the question is whether the guidance Microsoft has released so far is adequate and proportionate to the risk.

“Security teams may take Microsoft’s apathetic approach as a sign that this is ‘just another vulnerability’,” said Jake Williams, director of cyber threat intelligence at security firm Scythe. “It’s not clear why Microsoft continues to downplay this vulnerability, especially while it’s being actively exploited.”