Protection Against Exploitation

First and foremost, it is always highly recommended that users apply the vendor's patches if and when they become available.

In addition to the vendor patch(es) that should be applied, Trend Micro has released supplementary detection and protection that may help detect and block known malicious components associated with these attacks, both on systems that have not already been compromised and against further attempted attacks.

Trend Micro Malware Detection Patterns (VSAPI, Machine Learning, Behavioral Monitoring and WRS) for Endpoint, Servers, Mail & Gateway (e.g. Apex One, Deep Security w/Anti-malware, etc.)

  • Currently known malicious detections for known files associated with CVE-2022-30190: Trojan.W97M.CVE202230190.A

Trend Micro is closely monitoring and conducting additional research on these attacks and will update this article with additional information and protections as they become available.

Trend Micro Cloud One – Network Security and TippingPoint ThreatDV Malware Detection Filters

The following are ThreatDV malware filters that look for relevant activity associated with the attack campaigns:

  • Filter 41369: Microsoft Windows Support Diagnostic Tool Code Execution Vulnerability (Follina)

Trend Micro Cloud One – Workload Security and Deep Security IPS Rules

  • Rule 1011442: Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability (CVE-2022-30190)

Using Trend Micro Products for Investigation

The following highlights several post-exploitation detection and remediation technologies that customers can use to investigate, and help remediate, potential activity in their environment.

Trend Micro Vision One™

Trend Micro Vision One customers benefit from XDR detection capabilities of the underlying products such as Apex One. In addition, depending on their data collection time range, Trend Micro Vision One customers may be able to sweep for IOCs retrospectively to identify if there was potential activity in this range to help in investigation.

Utilizing Observed Attack Techniques (OAT)

Trend Micro Vision One customers that use Trend Micro endpoint protection with Microsoft Office products may also go into the Observed Attack Techniques section of the Trend Micro Vision One console to look for suspicious activity that may indicate the detection of malware behavior associated with this threat.

Threat Detection

Utilizing Search Queries

In addition to the OAT function, Trend Micro Vision One customers can also leverage the powerful Search App function to run a Data Mapping query for Endpoint Activity Data to look for evidence of malicious behavior. For example:

Search Method: Endpoint Activity Data

  • eventSubId: 101 AND parentFilePath: winword.exe AND processName:msdt.exe AND processCmd: (taskkill OR msdt.exe OR PCWDiagnostic OR ms-msdt)

Detailed information on the Search App, including query syntax and data mapping can be found in Trend Micro’s Online Help Center and additional queries will be updated in this article.
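The query above can also be applied offline to exported endpoint activity records, which is useful when reviewing data outside the console or tuning the query before running it at scale. The following is an added example, not Trend Micro code: it re-implements the logic of the search (process-creation event, parent is winword.exe, child is msdt.exe, and the command line contains one of the listed terms) in Python over a handful of constructed records. The field names mirror the query; the record contents and the case-insensitive substring matching are assumptions, so the results should be compared against the console's own matching before relying on this for triage.

```python
"""Apply the Vision One-style hunting query from the article to constructed
Endpoint Activity Data records (added example, not Trend Micro code).

Query being mirrored:
  eventSubId: 101 AND parentFilePath: winword.exe AND processName: msdt.exe
  AND processCmd: (taskkill OR msdt.exe OR PCWDiagnostic OR ms-msdt)
"""

# Terms from the article's processCmd clause (compared case-insensitively;
# case-insensitivity is an assumption of this example).
CMD_TERMS = ("taskkill", "msdt.exe", "pcwdiagnostic", "ms-msdt")

# Constructed sample records. Only the field names are taken from the query;
# paths and command lines are made up for illustration.
SAMPLE_EVENTS = [
    {   # Word spawning MSDT with an ms-msdt: argument -> should match
        "eventSubId": 101,
        "parentFilePath": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "processName": "msdt.exe",
        "processCmd": r"C:\Windows\system32\msdt.exe ms-msdt:/id PCWDiagnostic",
    },
    {   # A user-launched troubleshooter from Explorer -> parent mismatch, no match
        "eventSubId": 101,
        "parentFilePath": r"C:\Windows\explorer.exe",
        "processName": "msdt.exe",
        "processCmd": r"C:\Windows\system32\msdt.exe -id AudioPlaybackDiagnostic",
    },
    {   # Word spawning the print helper -> processName mismatch, no match
        "eventSubId": 101,
        "parentFilePath": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "processName": "splwow64.exe",
        "processCmd": r"C:\Windows\splwow64.exe 12288",
    },
    {   # Same process pair but a different event type -> eventSubId mismatch
        "eventSubId": 102,
        "parentFilePath": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "processName": "msdt.exe",
        "processCmd": r"C:\Windows\system32\msdt.exe ms-msdt:/id PCWDiagnostic",
    },
]


def matches_follina_query(event: dict) -> bool:
    """Return True if a single record satisfies every clause of the query."""
    if event.get("eventSubId") != 101:
        return False
    parent = str(event.get("parentFilePath", "")).lower()
    if "winword.exe" not in parent:
        return False
    if str(event.get("processName", "")).lower() != "msdt.exe":
        return False
    cmd = str(event.get("processCmd", "")).lower()
    # OR clause: any one of the terms appearing in the command line is enough.
    return any(term in cmd for term in CMD_TERMS)


def hunt(events: list) -> list:
    """Filter a list of records down to those matching the query."""
    return [event for event in events if matches_follina_query(event)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("MATCH:", hit["parentFilePath"], "->", hit["processCmd"])
```

The second and third records show why every clause matters: MSDT launched by a user from Explorer, or Word spawning an unrelated helper process, are routine and would be noise if the parent or child constraint were dropped. When adapting this to real exports, confirm that the console's `parentFilePath` term match behaves like the substring comparison used here and that `eventSubId` 101 is the process-creation event in your data set, as the article's query states.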

External References