Researchers warned last weekend that a flaw in Microsoft’s Support Diagnostic Tool could be exploited through malicious Word documents to remotely take control of target devices. Microsoft released guidance on Monday, including temporary defenses. On Tuesday, the United States Cybersecurity and Infrastructure Security Agency warned that “a remote, unauthenticated attacker could exploit this vulnerability,” known as Follina, “to take control of an affected system.” But Microsoft won’t say when, or whether, it will patch the vulnerability, even though the company has acknowledged that the flaw is being actively exploited in the wild. The company still had no comment on the possibility of a patch in response to WIRED’s request.
The Follina vulnerability in a Windows support program can be easily exploited by a specially crafted Word document. The lure is equipped with a third-party template that retrieves a malicious HTML file and ultimately allows an attacker to execute PowerShell commands within Windows. Researchers note that they would describe the bug as a “zero-day,” or previously unknown vulnerability, but Microsoft has not classified it as such.
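The lure described above relies on a Word document whose attached template points at a remote location rather than a file on disk. A defender triaging suspicious attachments can check for exactly that: Word stores the attached template as a relationship of `word/settings.xml`, and a remote template carries `TargetMode="External"`. The following script is an added example written for this article, not code from WIRED or from any researcher quoted here; the `.docx` part names and relationship type are the standard Office Open XML ones, and the sample documents it inspects are constructed in memory, with `template.example.invalid` as a placeholder host.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

# Standard OOXML identifiers: the package relationships namespace, the
# relationship type Word uses for an attached template, and the part that
# holds settings.xml's relationships.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def external_template_targets(docx_bytes: bytes) -> List[str]:
    """Return the remote attachedTemplate targets a .docx declares.

    A template fetched over the network has TargetMode="External" on its
    relationship; a template stored on disk has no TargetMode and is not
    reported. An empty list therefore means "no remote template".
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as archive:
        if SETTINGS_RELS not in archive.namelist():
            return []
        root = ET.fromstring(archive.read(SETTINGS_RELS))
    targets = []
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        if rel.get("Type") != ATTACHED_TEMPLATE_TYPE:
            continue
        if rel.get("TargetMode") == "External":
            targets.append(rel.get("Target", ""))
    return targets


def build_sample_docx(template_target: Optional[str] = None, external: bool = True) -> bytes:
    """Constructed sample for the demo: a minimal docx-shaped zip containing
    only the parts the check above reads. Not a real Word document."""
    settings = (
        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
    )
    rels = ""
    if template_target is not None:
        settings += '<w:attachedTemplate r:id="rId1"/>'
        mode = ' TargetMode="External"' if external else ""
        rels = (
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE_TYPE}" '
            f'Target="{template_target}"{mode}/>'
            "</Relationships>"
        )
    settings += "</w:settings>"

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("word/document.xml", "<w:document/>")
        archive.writestr("word/settings.xml", settings)
        if rels:
            archive.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "no template": build_sample_docx(),
        "local template": build_sample_docx("../templates/corporate.dotm", external=False),
        "remote template": build_sample_docx("http://template.example.invalid/t.html"),
    }
    for name, doc in samples.items():
        hits = external_template_targets(doc)
        print(f"{name}: {hits if hits else 'no remote template declared'}")
```

A remote template is not proof of malice on its own (some organizations distribute corporate templates that way), but the third sample is the shape to quarantine and inspect, since the script flags the document before any template is fetched and regardless of whether it contains macros.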
“As public knowledge of the exploit grew, we saw an immediate response from several attackers who started using it,” said Tom Hegel, senior threat researcher at security firm SentinelOne. He adds that while attackers have so far mainly exploited the flaw through malicious documents, researchers have also discovered other methods, including the manipulation of HTML content in network traffic.
“While the approach to malicious documents is of great concern, the less documented methods by which the exploit can be triggered are troubling until patched,” Hegel says. “I would expect opportunistic and targeted threat actors to use this vulnerability in different ways when the option is available — it’s just too easy.”
The vulnerability is present in all supported versions of Windows and can be exploited through Microsoft Office 365, Office 2013 through 2019, Office 2021, and Office ProPlus. Microsoft’s main suggested mitigation is disabling a specific protocol within the Support Diagnostic Tool and using Microsoft Defender Antivirus to monitor for and block exploits.
But incident responders say more action is needed, given how easy the vulnerability is to exploit and how much malicious activity has already been detected.
“We see several APT actors adopting this technique in longer infection chains that leverage the Follina vulnerability,” said Michael Raggi, a staff researcher at security firm Proofpoint who focuses on Chinese government-backed hackers. “For example, on May 30, 2022, we saw that the Chinese APT actor TA413 sent a malicious URL in an email posing as the central Tibetan government. Several actors are adding the Follina-related files at different stages of their infection chain, depending on their pre-existing toolkit and tactics used.”
Researchers have also seen malicious documents exploiting Follina against targets in Russia, India, the Philippines, Belarus, and Nepal. An undergraduate researcher first noticed the flaw in August 2020, but it was first reported to Microsoft on April 21. Researchers also noted that Follina attacks are particularly useful to attackers because they can be launched from malicious documents without relying on macros, the widely used Office document feature that Microsoft has been trying to curb.
“Proofpoint has identified several actors who are incorporating the Follina vulnerability into phishing campaigns,” said Sherrod DeGrippo, Proofpoint’s vice president of threat research.
With all this real-world exploitation, the question is whether the guidelines Microsoft has published so far are adequate and proportionate to the risk.
“Security teams might see Microsoft’s casual approach as a sign that this is ‘just another vulnerability,’ which it certainly isn’t,” said Jake Williams, director of cyber threat intelligence at security firm Scythe. “It’s not clear why Microsoft continues to downplay this vulnerability, especially while it’s being actively exploited in the wild.”
This story originally appeared on wired.com.