New MS Office Zero Day Evades Defender

So would blocking MSDT.EXE in user space work for this special Follina?

Yes. If you add it to UserSpace it will be blocked in AppGuard (you use it, if I remember correctly). But this will not solve the problem. This exploit will be closed soon, but the Office URI schemes will still be vulnerable to similar attacks without using MSDT.
 
Thanks Andy, yes you remembered, along with Shadow Defender and Macrium inside Sandboxie Plus, and I suppose that doesn't even include the "Unofficial but common URI schemes".

 


At the 18th minute of the video, Defender picks up the payload. So is it over?
 


No, because as they said in the video, this wasn't the real "detonator" file. This was just a test. Defender only detected the test. Could it detect the real thing? Maybe. Maybe not.
 
Any non-trouble-causing way to avoid infection using this exploit? For example, configuring Defender's high settings, or any other solution that does not require investing time and sacrificing usability? OSArmor, for example, messes up my development IDE (IntelliJ).
 
There is a workaround.... Use the commands below in an elevated command prompt to disable msdt altogether.
Command to back up the registry key to the C: drive:
reg export HKEY_CLASSES_ROOT\ms-msdt C:\msdt_regkey_backup.reg

The workaround command:
reg delete HKEY_CLASSES_ROOT\ms-msdt /f
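The two reg.exe commands above, wrapped in a small PowerShell script that adds a status check, refuses to delete the handler until a backup exists, and can restore the key later once a patch ships. This is an added example, not from the thread or from Microsoft; it assumes an elevated PowerShell session and uses the same backup path as the post above (the script name and function names are my own).

```powershell
# Added example: apply and revert the ms-msdt URI handler workaround with a backup.
# Run from an elevated PowerShell session, e.g.  .\msdt-workaround.ps1 -Action Remove
param(
    [ValidateSet('Status', 'Backup', 'Remove', 'Restore')]
    [string]$Action = 'Status',
    [string]$BackupFile = 'C:\msdt_regkey_backup.reg'   # same path as the post above
)

$RegKey = 'HKEY_CLASSES_ROOT\ms-msdt'             # reg.exe form of the key
$PsPath = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'   # PowerShell provider form of the same key

function Test-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

# True while the ms-msdt: scheme is still wired to msdt.exe
function Test-MsdtHandler { Test-Path -Path $PsPath }

function Backup-MsdtHandler {
    param([string]$Path)
    if (-not (Test-MsdtHandler)) { Write-Warning "$RegKey is not present; nothing to back up."; return $false }
    & reg.exe export $RegKey $Path /y | Out-Null          # /y overwrites an older backup silently
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }
    Write-Host "Backed up $RegKey to $Path"
    return $true
}

function Remove-MsdtHandler {
    param([string]$Path)
    # Refuse to delete unless a backup already exists, so the change can always be undone.
    if (-not (Test-Path -Path $Path)) { throw "No backup at $Path; run -Action Backup first." }
    if (-not (Test-MsdtHandler)) { Write-Host "$RegKey already absent."; return $true }
    & reg.exe delete $RegKey /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg delete failed with exit code $LASTEXITCODE" }
    Write-Host "Removed $RegKey (ms-msdt: links no longer launch msdt.exe)."
    return -not (Test-MsdtHandler)
}

function Restore-MsdtHandler {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { throw "No backup at $Path to restore." }
    & reg.exe import $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }
    Write-Host "Restored $RegKey from $Path"
    return (Test-MsdtHandler)
}

if ($Action -ne 'Status' -and -not (Test-Elevated)) {
    throw 'Run this from an elevated PowerShell session.'
}

switch ($Action) {
    'Status'  { "ms-msdt handler present: $(Test-MsdtHandler); backup present: $(Test-Path $BackupFile)" }
    'Backup'  { Backup-MsdtHandler  -Path $BackupFile }
    'Remove'  { Backup-MsdtHandler  -Path $BackupFile | Out-Null; Remove-MsdtHandler -Path $BackupFile }
    'Restore' { Restore-MsdtHandler -Path $BackupFile }
}
```

The point of the backup-first check is the one raised later in the thread: the key has to come back once Microsoft patches msdt, and a deleted HKCR\ms-msdt cannot be recreated from memory. `-Action Status` needs no elevation and is a quick way to confirm the workaround is still applied (or has been reverted) on a machine.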
 
Security firm Kaspersky, meanwhile, has also tracked an uptick in Follina exploits, with most hitting the US, followed by Brazil, Mexico, and Russia. "We expect to see more Follina exploitation attempts to gain access to corporate resources, including for ransomware attacks and data breaches," the Kaspersky researchers wrote.
One reason for the keen interest is that Follina doesn't require the same level of victim interaction that typical malicious document attacks do. Normally, these attacks need the target to open the document and enable the use of macros. Follina, by contrast, doesn't require the target to open the document, and there's no macro to allow. The simple act of the document appearing in the preview window, even while protected view is turned on, is enough to execute malicious scripts.
 
So far from what I can gather for mitigating this threat:
  1. Block PowerShell or run it in Constrained Language mode
  2. Block outbound connections of Microsoft Office apps
  3. ASR: Block Office applications from creating child processes
  4. In special cases for those who run OSArmor, default rules should block the threat
  5. Probably other HIPS or similar utilities such as Appguard, Spyshelter, Comodo, etc....
Are these measures still applicable, especially the first three because they utilize built-in Defender? Other than the workaround(s) suggested by Microsoft, are there other measures that will work?
 

Microsoft says to delete the registry key posted above. I am still looking for further information. At work, I used a PowerShell script to rename the key and will undo it if/when MS patches this. I think 0patch also added remediation for this threat, even in the free version.
 
Yeah, I saw that mitigation earlier. I'm actually most interested in what Defender can do, especially when harnessed through the H_C, SWH and CF tools. I'm hoping that a detailed analysis, replete with a nice diagram similar to the type that Andy Ful is so good at finding on the Internet, will be available soon :)

There is some speculative commentary on another forum (I think you know which one I mean :D ) that seems to imply some of the above measures I listed won't work against Follina, so I am just looking (hoping) for some expert feedback on whether or not there's substance to it. As a member in that forum's thread states, all the different information flying around the Internet on this exploit is indeed confusing to some, myself included.
 
  1. Do not install MS Office.
  2. Remove the file type association for ms-msdt (can be done in the Windows Registry: HKCR:\ms-msdt).
  3. Block msdt.exe via SRP, AppLocker, or MDAC.
  4. Block msdt.exe via Image File Execution Options.
  5. Block msdt.exe via Exploit Protection.
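A read-only check of which of the mitigations discussed in this thread (the earlier five-point list and the five points above) are actually in place on a machine. This is an added example, not from the thread or from any of the tools it names; it assumes Windows 10/11 with Defender and the AppLocker module available. The ASR rule GUID is Microsoft's "Block all Office applications from creating child processes" rule; the function names are my own. Exploit Protection and SRP are not checked here.

```powershell
# Added example: report the state of the Follina mitigations named in this thread.
# Read-only; no elevation needed for the registry and Defender reads.
$MsdtExe        = Join-Path $env:SystemRoot 'System32\msdt.exe'
$IfeoKey        = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msdt.exe'
$AsrOfficeChild = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'   # ASR: Block all Office applications from creating child processes

# Map the ASR action code for one rule to its name (0/absent Disabled, 1 Block, 2 Audit, 6 Warn)
function Get-AsrRuleState {
    param([string]$RuleId)
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if (-not $pref) { return 'Defender unavailable' }
    $ids  = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    $i = [Array]::IndexOf($ids, $RuleId.ToLower())
    if ($i -lt 0) { return 'Not configured' }
    switch ([int]$acts[$i]) { 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { 'Disabled' } }
}

# Ask the effective AppLocker policy what it would do with msdt.exe for Everyone
function Get-AppLockerDecision {
    param([string]$Path)
    try {
        $r = Get-AppLockerPolicy -Effective -ErrorAction Stop |
             Test-AppLockerPolicy -Path $Path -User Everyone -ErrorAction Stop
        return [string]$r.PolicyDecision      # Allowed / Denied / DeniedByDefault
    } catch { return 'AppLocker not available' }
}

function Get-FollinaMitigationStatus {
    [pscustomobject]@{
        # False means the ms-msdt: handler key has been removed (Microsoft's workaround)
        MsMsdtHandlerPresent      = Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
        # A Debugger value under IFEO for msdt.exe is what an IFEO-based block sets
        MsdtIfeoDebugger          = (Get-ItemProperty -Path $IfeoKey -Name Debugger -ErrorAction SilentlyContinue).Debugger
        AsrOfficeChildProcess     = Get-AsrRuleState -RuleId $AsrOfficeChild
        AppLockerMsdtDecision     = Get-AppLockerDecision -Path $MsdtExe
        # Only reflects the session running this script, not a system-wide policy
        PSLanguageModeThisSession = [string]$ExecutionContext.SessionState.LanguageMode
    }
}

Get-FollinaMitigationStatus | Format-List
```

Read the output as a whole rather than one line at a time: a machine with `MsMsdtHandlerPresent` set to False is covered regardless of the other rows, while an `AsrOfficeChildProcess` of `Audit` only logs the Office-to-msdt launch without stopping it. The language-mode row is the weakest signal, since Constrained Language mode is usually enforced per policy rather than per session.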
 

Wow! Your response is not really what I expected :oops: although I had recognized a while back that you are strongly opposed to the MS Office suite :D So are you implying that the measures I asked about will not work, or are these suggestions of yours additional mitigative measures?

EDIT

I utilized step 3 via SRP in H_C. Thanks :)
 

Yes, I know full well the forum you mean. :)
Looks like @Andy Ful gave you the additional firepower you have been looking for. :)
 
That's a wise decision. You can't use Windows without having an SRP these days. Thank God that we have H_C, Comodo (CS version settings), VoodooShield, OSA, etc. These days I only use Windows for gaming and printing documents (I still can't make my Canon E510 printer work on my Ubuntu 22.04 installation); for everything else I use Linux.