A zero day vulnerability in Microsoft’s Office 365 software is not likely to be patched for at least another week, experts believe. The vulnerability, named Follina, is already being exploited by a host of hacking gangs, including state-sponsored groups and ransomware criminals.
Follina utilises a flaw in the Microsoft Diagnostic Tool (MSDT) to allow hackers to gain access to systems running Office 365 and launch remote code execution (RCE) attacks on those systems.
How is the Follina zero day being exploited?
The vulnerability was spotted last month, and hackers who successfully exploit it are free to access compromised systems. “The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights,” says a Microsoft blog on Follina.
The nature of the vulnerability means that malware can be uploaded easily, says Satya Gupta, founder and CTO of security company Virsec. “This vulnerability in MSDT affects not just Word but all Office 365 apps,” he says. “This event once again heavily underscores the power of RCE vulnerabilities as being the most dangerous vulnerabilities. Most enterprises don’t patch for days, weeks and sometimes even for months. This is great news for bad actors because RCEs give attackers a free pass to infiltrate the enterprise’s compute infrastructure.”
Earlier this week, researchers at Proofpoint said they had found evidence that Follina is now being exploited by Qbot, a prolific botnet that operates as a ransomware affiliate.
Archive contains an IMG with a Word doc, shortcut file, and DLL. The LNK will execute the DLL to start Qbot. The doc will load and execute an HTML file containing PowerShell abusing CVE-2022-30190 used to download and execute Qbot.
— Threat Insight (@threatinsight) June 7, 2022
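The chain described in the tweet ends with a Word document causing MSDT to run, and that hand-off is the point a defender can observe in endpoint telemetry. The following is an added example, not code from the original article or from Proofpoint or Microsoft: a small Python check over constructed process-creation events in a Sysmon-like key=value layout. It flags an Office application spawning msdt.exe and any command line carrying the ms-msdt: URL protocol handler (the handler Microsoft's published workaround disabled; the article itself does not name it). The log format, field names and sample lines are assumptions built for this example.

```python
import re
from dataclasses import dataclass

# Office applications that have no legitimate reason to launch the diagnostic tool.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
MSDT_IMAGE = "msdt.exe"
# The ms-msdt: URL protocol is what hands a crafted document off to MSDT.
MSDT_URI = re.compile(r"ms-msdt:", re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent: str        # parent image name, lower-cased, path stripped
    image: str         # child image name, lower-cased, path stripped
    command_line: str  # raw child command line


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'Key=Value|Key=Value' process-creation line (assumed format)."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return ProcessEvent(
        parent=fields["ParentImage"].rsplit("\\", 1)[-1].lower(),
        image=fields["Image"].rsplit("\\", 1)[-1].lower(),
        command_line=fields.get("CommandLine", ""),
    )


def classify(ev: ProcessEvent) -> list[str]:
    """Return the list of reasons an event is suspicious (empty if none)."""
    reasons = []
    if ev.image == MSDT_IMAGE and ev.parent in OFFICE_PARENTS:
        reasons.append("office-app spawned msdt.exe")
    if MSDT_URI.search(ev.command_line):
        reasons.append("ms-msdt: protocol in command line")
    return reasons


def scan(lines) -> list[tuple[str, str, list[str]]]:
    """Run the checks over a batch of log lines; return (parent, image, reasons) per hit."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reasons = classify(ev)
        if reasons:
            findings.append((ev.parent, ev.image, reasons))
    return findings


# Constructed sample telemetry: a normal Word launch, a Word-to-MSDT hand-off using the
# ms-msdt: handler (arguments replaced by a placeholder), a user opening a troubleshooter
# from Control Panel, and Excel spawning msdt.exe with no recognisable URI.
SAMPLE_EVENTS = [
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|CommandLine=WINWORD.EXE /n invoice.docx",
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|Image=C:\Windows\System32\msdt.exe|CommandLine=msdt.exe ms-msdt:<constructed-placeholder-args>",
    r"ParentImage=C:\Windows\System32\control.exe|Image=C:\Windows\System32\msdt.exe|CommandLine=msdt.exe",
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|Image=C:\Windows\System32\msdt.exe|CommandLine=msdt.exe",
]


if __name__ == "__main__":
    for parent, image, reasons in scan(SAMPLE_EVENTS):
        print(f"ALERT parent={parent} image={image} reasons={'; '.join(reasons)}")
```

The two rules are deliberately independent: the parent/child pairing catches the hand-off even if the command line is obfuscated or truncated, while the protocol-handler match catches ms-msdt: invocations that arrive through some other parent. Tune OFFICE_PARENTS to the Office binaries actually deployed in the environment.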
Qbot is currently being used by the Black Basta ransomware group to launch bot-powered attacks, according to security company NCC Group. “Qbot was the primary method used by the threat actor to maintain their presence on the [victim’s] network,” its research team said.
Proofpoint said its team also believes Follina is being exploited by state-backed hackers, but has yet to ascertain which country they come from. Allan Liska, intelligence analyst at Recorded Future, says it is likely they are from China. “As with many zero day exploits, this started off being used by what are likely Chinese nation-state actors,” he says. “But as proof of concept code has been released, other cybercriminals have picked up on it and we are now seeing malware like Qbot using it to deliver ransomware and other malicious code.”
Will the Follina Office 365 vulnerability be patched by Microsoft?
Though Microsoft has released some workarounds for the vulnerability, it has yet to deploy an official patch to combat it. It could do so during Patch Tuesday – the monthly event which sees it release a tranche of updates for its systems – which takes place next week, but a Microsoft spokesman declined to say whether a patch will be forthcoming when questioned by Ars Technica on Monday.
If it doesn’t, Liska says the implications could be disastrous. “The number of samples discovered in the wild is relatively small, especially given the ease of exploitation and the readiness of exploit code,” he says. “But that won’t last. More and more cybercriminals will add this to their arsenal and exploitation reports will continue to rise. Hopefully, Microsoft does include a patch next Tuesday and we can see infections start to die off.”