This bulletin was written by Michal Nowakowski of the Kudelski Security Threat Detection & Research Team

Summary

On May 27th, 2022, threat researchers identified a suspicious word document, that exploited a vulnerability in Microsoft’s Support Diagnostic Tool (MSDT) to run arbitrary PowerShell scripts in the context of the user. The malicious Microsoft Office document abused office features to load a malicious html file remotely. This HTML file was identified as a malicious script simply calling the MSDT protocol / URI handler (used to tell the operating system which program to use to open a particular file) and provided arbitrary PowerShell commands to execute.

This vulnerability, assigned CVE-2022-30190 by Microsoft on May 30^th, is actively being abused by threat actors to execute arbitrary code via malicious Microsoft office files without the need for macros. It’s important note to that this vulnerability exists in the Support Diagnostic Tool and not within the Office productivity suite. This vulnerability can be abused by any malicious file that attempts to “open” the Diagnostic Tool with the malicious URI / protocol handler parameters. Microsoft office documents are the current delivery vector, but threat actors may adapt to other delivery methods in the near future. Microsoft Support Diagnostic Tool (MSDT) is a supporting package to collect and diagnose potential problems on computers like interfaces (including WIFI) or audio driver’s issues and send collected information to Microsoft Support for further analysis. Successful exploitation of this vulnerability inherits user account privileges and can lead to further attack stages such as Persistence or Privilege Escalation.

The Cyber Fusion Center (CFC) and security researchers have identified that this vulnerability has been actively abused by what appear to be Nation State Threat actors since April of this year. Now that the 0-day vulnerability has been disclosed and because there are several Proof of Concept (POCs) exploits available, The CFC expects to see opportunistic exploitation of this vulnerability by cyber-criminal groups and less sophisticated adversaries.

Additionally, Microsoft has made changes to versions of the productivity apps included in Office 365 to prevent some abuse via Protected View. Unfortunately, researchers have identified that simply creating the malicious document as a “Rich Text File” (RFT) enables threat actors to abuse the Support Diagnostic Tool vulnerability if victims preview the file.

The CFC strongly recommends that organizations follow Microsoft’s guidance and disable the MSDT URL / URI protocol handler that is being abused. For details on how to apply this temporary mitigation, please review the “workarounds and mitigations” section of this advisory.

Workarounds and Mitigations

As mentioned above, the 0-day vulnerability exists in the Microsoft Support Diagnostic Tools URL / URI protocol handler which is enabled by default. Microsoft’s guidance recommends that organizations disable this handler all together via registry edits.

Microsoft Recommended Mitigations

Microsoft is actively working on providing a fully patched solution and recommends temporarily disabling MSDT URL Protocol as a temporary workaround. In order to do so, organizations should make the Windows registry changes to disable the URL protocol handler:

• Run cmd.exe as an Administrator
• Backup the registry key using the following command:
  reg export HKEY_CLASSES_ROOT\ms-msdt $filename
• Delete the registry key using the following command:
  reg delete HKEY_CLASSES_ROOT\ms-msdt /f

To revert performed changes import backed up registry key using the following command:

reg import $filename

Additional Potential Mitigations

Security Researcher Benjamin Delpy (the author of MimiKatz) has also provided an additional potential mitigation which could be deployed via Group Policy Objects (GPO). Organizations may choose to disable scripted diagnostics all together.

Organizations choosing to disable scripted diagnostics all together may edit group policy in the following location (in the Group Policy Editor):

• Computer Configuration. -> Administrative Templates -> System -> Troubleshooting and Diagnostics -> Scripted Diagnostics

Administrators should change the value from “Troubleshooting: Allow users to access and run Troubleshooting Wizards” to “disabled”

What is the CFC doing?

The CFC will be performing hunting campaigns to identify potential exploitation attempts of this vulnerability by looking at suspicious usage of the MSDT protocol handler.

Note: Hunting requires access to process executive logging and process command line information, typically found in Endpoint Detection and Response (EDR) platforms. Organizations sending process data from workstations to their SIEMs will also benefit from this hunt.

The CFC will continue to monitor the situation and provide updates to clients if more information becomes available.

Sources

• Follina — a Microsoft Office code execution vulnerability | by Kevin Beaumont | May, 2022 | DoublePulsar
• Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability – Microsoft Security Response Center
• https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
• https://www.cisa.gov/uscert/ncas/current-activity/2022/05/31/microsoft-releases-workaround-guidance-msdt-follina-vulnerability
• https://twitter.com/gentilkiwi/status/1531384447219781634