A new vulnerability has recently been discovered in the Microsoft Office universe. Dirk Schrader, Resident CISO (EMEA) and Vice President of Security Research at Netwrix, explains below how the Microsoft Support Diagnostic Tool (MSDT) can be turned against organizations and what your company can do to avoid becoming a victim:
What’s going on?
“The newly discovered CVE-2022-30190 vulnerability in MS Office offers attackers a new way to hijack organizations’ IT environments through endpoints. This exploitation is likely to work on most Windows / MS Office installations.
“The attacker makes an MS Word document containing the malicious code, sends it to someone’s business email address, and uses common social engineering techniques to entice the recipient to open it. Remember, the Log4Shell vulnerability was discovered in December 2021; that issue related to an unregulated way of executing a function as well as the ability to call external resources. This 0-day, originally called ‘Follina’, works in a similar way.
“Microsoft Word has a feature called ‘remote template’ which is misused to retrieve an HTML file from a remote location. Once received, this HTML file uses functionality in MSDT to run an embedded payload, using a PowerShell script or other tools available on the target.
“Built-in Windows security tools are unlikely to accept this activity, and it is not covered by standard hardening benchmarks. Built-in defense mechanisms such as Defender or common restrictions on the use of macros will also prevent this attack.
“Exploitation seems to have been in the wild for about a month now, with various modifications to what is to be done to the targeted system.”
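The ‘remote template’ mechanism described above leaves a trace inside the document itself: a .docx, .dotx or .docm file is an OOXML zip package, and an attached template is declared in word/_rels/settings.xml.rels as a Relationship with TargetMode="External" and an http(s) Target. The following PowerShell triage scanner is an added example, not code from the article or from Netwrix; it walks every .rels part in a package, reports external targets, and marks which of them are template relationships (hyperlinks are also external, so the IsTemplate column separates the two). The quarantine path in the usage comment is a placeholder.

```powershell
# Added example, not code from the article or from Netwrix. It looks for the
# "remote template" relationship the article describes: a .docx/.dotx/.docm is a
# zip (OOXML) package, and an attached template is declared in
# word/_rels/settings.xml.rels as a Relationship with TargetMode="External".
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Relationship type Word uses for an attached (possibly remote) template.
$AttachedTemplateType = 'http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate'

function Get-DocxExternalRelationship {
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path
    )
    process {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try {
            # Every *.rels part may carry external targets; settings.xml.rels holds the template.
            foreach ($entry in @($zip.Entries | Where-Object { $_.FullName -like '*_rels/*.rels' })) {
                $reader = New-Object System.IO.StreamReader($entry.Open())
                try { $xml = [xml]$reader.ReadToEnd() } finally { $reader.Dispose() }
                foreach ($rel in @($xml.Relationships.Relationship)) {
                    if ($null -eq $rel) { continue }
                    if ($rel.TargetMode -ne 'External') { continue }
                    # file:// and UNC targets are also external; http(s) is the remote-template case.
                    [pscustomobject]@{
                        File       = $Path
                        Part       = $entry.FullName
                        IsTemplate = ($rel.Type -eq $AttachedTemplateType)
                        Remote     = ($rel.Target -match '^https?://')
                        Target     = $rel.Target
                    }
                }
            }
        } finally { $zip.Dispose() }
    }
}

# Usage (C:\Quarantine is a placeholder): scan a folder and keep only remote templates.
# Get-ChildItem 'C:\Quarantine' -Include *.docx,*.dotx,*.docm -Recurse |
#     Get-DocxExternalRelationship |
#     Where-Object { $_.IsTemplate -and $_.Remote } | Format-Table File, Target
```

The scanner only inspects OOXML packages; it reads the package without opening it in Word, so it is safe to run over a mail-gateway quarantine, and a hit with IsTemplate and Remote both true is the document shape the article describes and worth blocking or sandboxing before delivery.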
What influences it?
“Microsoft releases 41 different product versions, from Windows 7 to Windows 11 and from Server 2008 to Server 2022. Known and proven as affected are Office, Office 2016, Office 2021 and Office 2022, regardless of the Windows version on which they are running. Patches have been issued for the past 24 hours.”
What to do to ensure security?
“Preliminary results indicate that the deletion of a certain registry key will stop this exploitation, but benchmarks such as those from CIS and DISA STIG do not appear to cover the necessary setting as part of the hardening process.
“To detect suspicious activity related to this 0-day, IT teams need to closely monitor changes within their organizations’ systems, especially in system folders, and identify unwanted processes or services in a timely manner.
“Another measure that will help prevent the attack through this vulnerability is to set up a set of Windows group policies that will lock down your system so that it cannot execute the executable process.”
“Within the next few weeks, attackers are likely to look for ways to weaponize the vulnerability. This 0-day could be combined in spear-phishing campaigns with recent attack vectors, like the one discovered in Japan, and with privilege escalation techniques to exit the current user context. Given the potential for these ‘combined’ tactics, IT professionals should ensure that systems for detecting intrusion activity are closely monitored.
“Furthermore, the similarities with Log4Shell, which made headlines in December 2021, are very significant. This vulnerability is related to the ability of applications to remotely call a resource using the URI scheme, without safeguards in place. We can expect APT groups and cybercriminals to look specifically for more of these as they seem to provide an easy entrance.”
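The advice above names two concrete measures: delete the registry key through which a document reaches MSDT, and monitor for unwanted processes. The PowerShell script below is an added example, not code from the article or from Netwrix, that does both. The article does not say which key; the script uses the ms-msdt protocol-handler key from Microsoft’s published workaround for CVE-2022-30190, exports it before deleting so the change can be rolled back after patching, and then checks Sysmon process-creation events for an Office host spawning msdt.exe or any command line carrying the ms-msdt: URI scheme. The sample records at the end are constructed for an offline dry run, and the Sysmon log name and Office executable list are assumptions about a typical Windows 10/11 host.

```powershell
# Added example, not code from the article or from Netwrix. It turns the article's
# "what to do" advice into a script: remove the registry key through which a document
# reaches MSDT, keep an exported backup so the change can be undone, and watch process
# creation for Office spawning MSDT. The article does not name the key; 'ms-msdt' is the
# protocol-handler key from Microsoft's published workaround for CVE-2022-30190.
Set-StrictMode -Version Latest

$MsdtHandlerKey = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile     = Join-Path $env:ProgramData 'ms-msdt-handler.backup.reg'

function Disable-MsdtProtocolHandler {
    # Run elevated. Exports the key first and refuses to delete if the export failed.
    if (-not (Test-Path "Registry::$MsdtHandlerKey")) { return 'ms-msdt handler already absent' }
    reg.exe export $MsdtHandlerKey $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "backup to $BackupFile failed; not deleting $MsdtHandlerKey" }
    Remove-Item -Path "Registry::$MsdtHandlerKey" -Recurse -Force
    return "ms-msdt handler removed; backup at $BackupFile"
}

function Restore-MsdtProtocolHandler {
    # Rollback once the vendor patch is deployed.
    if (-not (Test-Path $BackupFile)) { throw "no backup found at $BackupFile" }
    reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg.exe import failed' }
}

# Office hosts that should never need to launch the diagnostic tool (assumed list).
$OfficeHosts = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')

function Test-MsdtAbuseRecord {
    # $Record carries Image, ParentImage and CommandLine (Sysmon event ID 1 field names).
    param([Parameter(Mandatory)]$Record)
    $image  = [IO.Path]::GetFileName([string]$Record.Image).ToLowerInvariant()
    $parent = [IO.Path]::GetFileName([string]$Record.ParentImage).ToLowerInvariant()
    # Office launching the diagnostic tool directly, or anything invoked through the
    # ms-msdt: protocol handler, matches the chain the article describes.
    return (($image -eq 'msdt.exe' -and $parent -in $OfficeHosts) -or
            ([string]$Record.CommandLine -match 'ms-msdt:'))
}

function Get-SysmonProcessCreate {
    # Reads Sysmon event ID 1 from the live host and flattens EventData by field name.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } `
                 -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Image       = $data['Image']
                ParentImage = $data['ParentImage']
                CommandLine = $data['CommandLine']
            }
        }
}

function Find-OfficeSpawnedMsdt {
    # Live hunt: every process-creation event that matches the abuse pattern.
    param([int]$MaxEvents = 5000)
    Get-SysmonProcessCreate -MaxEvents $MaxEvents | Where-Object { Test-MsdtAbuseRecord $_ }
}

# Constructed sample records for an offline dry run (not real telemetry). Only the
# first one should be flagged: msdt.exe under Word via the protocol handler.
$SampleRecords = @(
    [pscustomobject]@{ Time = Get-Date; Image = 'C:\Windows\System32\msdt.exe'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        CommandLine = 'msdt.exe ms-msdt:/id EXAMPLE-PACK' }
    [pscustomobject]@{ Time = Get-Date; Image = 'C:\Windows\System32\msdt.exe'
        ParentImage = 'C:\Windows\explorer.exe'
        CommandLine = 'msdt.exe /id NetworkDiagnosticsWeb' }
)
$SampleRecords | Where-Object { Test-MsdtAbuseRecord $_ } | Format-Table Time, ParentImage, CommandLine
```

Disable-MsdtProtocolHandler is the temporary workaround and Restore-MsdtProtocolHandler undoes it once the patch is in place; the detection half is independent of the workaround, so Find-OfficeSpawnedMsdt still has value on hosts where the key was never removed. Event field positions differ between Sysmon versions, which is why the script reads EventData by name from the event XML rather than by index.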
How to be safe, comments Netwrix –