A new zero-day vulnerability in Microsoft Office was discovered on May 27 by a cybersecurity research team based in Japan. The flaw, named Follina, was found to infect and compromise Windows computers with malware delivered through a Word (.docx) or Rich Text Format (.rtf) file. The high-severity vulnerability is called a ‘zero-day’ because it was newly discovered and the software developer had ‘zero days’ to fix it.
How the attack works
The Follina flaw has been used by cyber-attackers to execute malicious PowerShell code through the Microsoft Support Diagnostic Tool (MSDT) when an Office document is previewed or opened, even if macros are disabled. MSDT is a Windows feature that collects diagnostic data and sends it to Microsoft for analysis so that problems can be fixed. The vulnerability affects all Windows versions, including those still receiving security updates, such as Windows 11. Attackers can execute code to launch malware, view or delete data, install programs and create new accounts.
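As an added defensive illustration (not code from the original article or from any of the firms it mentions), the scanner below inspects a .docx for the two indicators associated with Follina-style documents: an OLE object or attached template whose relationship target is external (fetched from a URL when the file is opened or previewed), and any reference to the ms-msdt: URI scheme that hands control to MSDT. The sample document is constructed in memory; the URL in it is a placeholder.

```python
"""Scan .docx files for Follina-style indicators (added example; sample is constructed)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# Relationship types that should not normally point at an external URL.
SUSPICIOUS_REL_TYPES = ("/oleObject", "/attachedTemplate")
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)


def scan_docx(data: bytes) -> list:
    """Return human-readable findings for the given .docx bytes (empty list if clean)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            content = z.read(name)
            # Any part that mentions the ms-msdt: scheme is worth flagging on its own.
            if MSDT_RE.search(content):
                findings.append(f"{name}: references ms-msdt: URI scheme")
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(content)
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                rtype = rel.get("Type", "")
                target = rel.get("Target", "")
                # External OLE/template relationships are loaded from the network at open time.
                if rel.get("TargetMode") == "External" and rtype.endswith(SUSPICIOUS_REL_TYPES):
                    findings.append(f"{name}: external {rtype.rsplit('/', 1)[-1]} -> {target}")
    return findings


def build_sample_docx(external_target: str = "") -> bytes:
    """Construct a minimal .docx in memory. With external_target set, the document
    relationships carry an External oleObject link (the Follina delivery pattern);
    with it empty, the document is a benign control."""
    rels = [f'<Relationships xmlns="{REL_NS}">']
    if external_target:
        rels.append(f'<Relationship Id="rId1" Type="{OLE_REL}" '
                    f'Target="{external_target}" TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/document.xml.rels", "\n".join(rels))
    return buf.getvalue()
```

The same checks apply to any OOXML container (.dotx, .xlsx, .pptx); the relationship namespace is shared across Office formats.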
How severe is the attack?
The Follina attack is extremely dangerous because it can evade Microsoft’s security features under the guise of a Word or RTF file attachment. This means the security controls that detect phishing, spam and malware for email providers such as Microsoft Outlook and Gmail can be bypassed by the flaw. Hovering over or clicking the malicious URL link can trigger the malware and allow it to install itself on the user’s computer or device.
What is being done?
The Follina zero-day was first flagged on April 12, but Microsoft initially tagged it as not a ‘security-related issue’. The vulnerability was being exploited in the wild, with hackers targeting users in Russia and Belarus, and a Chinese state-sponsored hacking group exploiting the zero-day to target the international Tibetan community. Another Chinese threat group used the flaw in phishing attacks targeting US and European government agencies.
This led to speculation that Microsoft wouldn’t be releasing patches, with cybersecurity firm Tenable noting a worrying trend after it discovered and disclosed two vulnerabilities in Microsoft’s Azure Synapse Analytics, one of which Microsoft patched and one of which it has not.
A fix for Follina (tracked as CVE-2022-30190) has been released as part of Microsoft’s monthly release of security patches, known as Patch Tuesday. Cybersecurity firm Sophos noted the fix isn’t included on the list of patches in the release, although it has been confirmed that Follina is now mitigated. In an update to the original advisory, Microsoft strongly recommended that customers install the updates to be fully protected from the vulnerability.
How to avoid the attack
Vulnerabilities are being exploited in greater numbers than ever before, and these attacks are getting harder to detect. Protecting your business-critical data isn’t impossible but it can be improved with security practices such as:
Don’t open dodgy emails
Phishing emails usually give themselves away in the form of unusual email addresses or inconsistent content. But malicious actors are getting smarter and using tactics that make emails appear to be genuine, such as using a work colleague’s name. If an email is received from an unknown sender, or seems suspicious in any way, don’t open it or click on any links, or download attachments. Send the email to the bin.
Don’t download/open attachments from unknown senders
If an attachment is sent and you are not sure about the person or business that it has been sent from, don’t open or download the file. Even if it gets past spam filters and antivirus software, there is a chance the attachment contains malware. If you do know the sender but are unsure about the attachment, contact them to verify the authenticity.
Avoid clicking on links
Emails or text messages can be phishing attacks designed to pique your interest and get you to open malicious links. Be wary of opening links sent by unknown sources, or again if you do know the sender, check the authenticity of the information first.
Update your systems
As with any operating system, it’s critical to keep Microsoft Windows secure by deploying the latest updates and installing the appropriate security software and applications. Microsoft releases updates to fix security issues that cybercriminals could otherwise exploit. Ignoring these updates can be detrimental and end up making your business the victim of an attack.
If an update or patch isn’t released by Microsoft promptly, as was the case with the Follina zero-day attack, you should consider your cybersecurity posture overall. A managed security service provider can take care of threat detection and response, vulnerability management, and software updates, so your business is always secure, no matter what the cyber threat landscape looks like. Talk to the cybersecurity specialists at INTELLIWORX today if you have any concerns about the Microsoft Office zero-day exploit and how it may affect your business.