IT security – a breath of fresh air

Hackers are creative and always find new ways to penetrate companies. To stay one step ahead of attackers, new ideas are always needed.

KALWEIT ITS – We bring a breath of fresh air.

Follina Zero-Day Vulnerability (CVE-2022-30190)

On 27 May 2022, security researchers from the group nao_sec warned about a vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT).

The vulnerability, named “Follina” (CVE-2022-30190), allows attackers to execute arbitrary PowerShell commands on the target system and thus, for example, to install ransomware or exfiltrate data.

The vulnerability thus poses a significant risk to the IT security of the entire organization: a system under attacker control can, for example, be used to spread malware further within the organization’s network.

The particular danger of the vulnerability lies in its relative simplicity. Once a suitably crafted document has been downloaded, merely displaying it in the Windows Explorer preview pane (demonstrated with documents in RTF format) is enough to trigger the malicious code. The document therefore does not need to be opened by the user, and the user interaction required to execute the malicious code is minimal. In security circles, “Follina” is therefore also referred to as a “zero-click exploit”.

The exploit does not target the well-known weaknesses of VBA macros, but the “ms-msdt” URL protocol handler.

This protocol handler launches the Windows built-in troubleshooters (automated error diagnosis and recovery) and is therefore enabled by default in all Microsoft Windows versions from Windows 7 onwards, as well as in all Windows Server versions from Windows Server 2008 onwards.
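As an added example (not code from the original post, nor from any of the researchers named on this page), the following PowerShell script performs a static scan of a directory for the two artefacts that public analyses of Follina samples describe: a .docx whose relationship part references an external OLE object (the stage that fetches the attacker’s HTML), and RTF/HTML files that carry the “ms-msdt:” URI scheme or the MSDT troubleshooter parameters it is invoked with. The directory path, the file name patterns and the indicator strings PCWDiagnostic, IT_BrowseForFile and IT_RebrowseForFile are assumptions taken from those public analyses, not from this page.

```powershell
# Added example, not from the original post: static scan for Follina indicators.
# Indicator 1: a .docx relationship part that references an external OLE object
#              (relationship Type ends in /oleObject, TargetMode="External").
# Indicator 2: an RTF/HTML file containing the "ms-msdt:" URI scheme or the
#              troubleshooter parameters seen in public samples (assumed strings).

Add-Type -AssemblyName System.IO.Compression.FileSystem

# Assumed indicator strings taken from public analyses of Follina samples.
$MsdtParamPattern = 'PCWDiagnostic|IT_BrowseForFile|IT_RebrowseForFile'

function Test-FollinaDocx {
    param([Parameter(Mandatory)][string]$Path)
    $hits = @()
    # A .docx is a ZIP container; relationship targets live in *.rels parts
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in ($zip.Entries | Where-Object { $_.FullName -like '*.rels' })) {
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { [xml]$rels = $reader.ReadToEnd() } finally { $reader.Dispose() }
            foreach ($rel in $rels.Relationships.Relationship) {
                # An OLE object fetched from an external URL is the Follina loader stage
                if ($rel.Type -like '*/oleObject' -and $rel.TargetMode -eq 'External') {
                    $hits += "external OLE object in $($entry.FullName) -> $($rel.Target)"
                }
            }
        }
    } finally { $zip.Dispose() }
    return $hits
}

function Test-FollinaText {
    param([Parameter(Mandatory)][string]$Path)
    $hits = @()
    $content = Get-Content -Path $Path -Raw -ErrorAction Stop
    if ($content -match 'ms-msdt:') { $hits += "ms-msdt: URI in $Path" }
    if ($content -match $MsdtParamPattern) { $hits += "MSDT troubleshooter parameters in $Path" }
    return $hits
}

function Find-FollinaIndicators {
    param([Parameter(Mandatory)][string]$Directory)
    $findings = @()
    $files = Get-ChildItem -Path $Directory -Recurse -File `
        -Include '*.docx','*.docm','*.dotx','*.rtf','*.htm','*.html'
    foreach ($file in $files) {
        try {
            if ($file.Extension -in '.docx','.docm','.dotx') {
                $hits = Test-FollinaDocx -Path $file.FullName
            } else {
                $hits = Test-FollinaText -Path $file.FullName
            }
        } catch {
            Write-Warning "could not parse $($file.FullName): $_"
            $hits = @()
        }
        foreach ($h in $hits) {
            $findings += [pscustomobject]@{ File = $file.FullName; Indicator = $h }
        }
    }
    return $findings
}

# Usage (assumed path):
# Find-FollinaIndicators -Directory 'C:\Quarantine' | Format-Table -AutoSize
```

The scan is purely structural: an external OLE relationship or an ms-msdt: URI in a document is a strong indicator, because neither has a common legitimate use, but a hit is a reason to detonate the file in a sandbox, not a confirmed Follina sample. Files that fail to parse are reported as warnings rather than silently skipped, since a deliberately malformed container is itself worth a look.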

Originally, it was assumed that “Follina” could only be exploited in connection with certain Microsoft Office versions.

In recent days, however, there has been increasing evidence that the vulnerability can also be exploited independently of Microsoft Office applications.

Building on the exploit research by the security experts John Hammond and @KevTheHermit, security researchers at KALWEIT ITS were able to verify two attack vectors that do not depend on MS Office.

According to reports, current attack attempts nevertheless appear to rely primarily on manipulated Office documents as the distribution channel for the malicious code.

The Threat Insight Twitter account operated by the security company Proofpoint reported on 3 June 2022 an email-based campaign targeting European and U.S. (local) governments. According to unconfirmed reports, attacks on Ukrainian authorities, as well as a campaign in the Oceania region, have also taken place.

On 31 May 2022, the BSI responded to the incidents with an alert at its second-highest warning level, “3 / Orange” (“The IT threat situation is business-critical. Massive impairment of regular operations.”).

In Microsoft’s Security Response Center (MSRC), the severity of the vulnerability is rated 7.8 out of 10 (CVSS base score). Microsoft also states that it is working on a security update.

Until that update is available, both the BSI and Microsoft recommend disabling the MSDT URL protocol handler by removing its registry key:

Proceed as follows:

  • Open a command prompt with administrator privileges.
  • First, create a backup of the registry key so that it can be restored after the security update has been installed (or if removing the key causes problems). This is done with the command:

reg export HKEY_CLASSES_ROOT\ms-msdt My_Filename

  • Then delete the registry key with the following command:

reg delete HKEY_CLASSES_ROOT\ms-msdt /f
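As an added example that is not code from the original post, the BSI or Microsoft, here is the same workaround as PowerShell functions: they refuse to run without elevation, write the backup as a timestamped .reg file, check the exit code of every reg.exe call, verify that the key is really gone, and provide the matching restore step for after the security update. The backup directory C:\Backup is an assumed location.

```powershell
# Added example, not code from the original post, the BSI or Microsoft: the
# ms-msdt workaround as verified PowerShell functions. Run from an elevated
# PowerShell session; reg.exe is the same tool the manual steps use.

$MsdtKey = 'HKEY_CLASSES_ROOT\ms-msdt'

function Test-MsdtHandlerPresent {
    # HKCR is not a default PowerShell drive, so go through the Registry:: provider
    return (Test-Path -Path "Registry::$MsdtKey")
}

function Get-MsdtHandlerCommand {
    # Shows what the handler would launch, so you can see what is being removed
    $cmd = Get-ItemProperty -Path "Registry::$MsdtKey\shell\open\command" -ErrorAction SilentlyContinue
    if ($null -eq $cmd) { return $null }
    return $cmd.'(default)'
}

function Disable-MsdtHandler {
    param([string]$BackupDir = 'C:\Backup')   # assumed backup location

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }
    if (-not (Test-MsdtHandlerPresent)) {
        Write-Host "$MsdtKey is not present; nothing to do."
        return $null
    }

    # 1. Backup first; never delete without a restorable copy
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $backup = Join-Path $BackupDir ('ms-msdt_{0:yyyyMMdd_HHmmss}.reg' -f (Get-Date))
    reg.exe export $MsdtKey $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $backup)) {
        throw "Backup to $backup failed; key was NOT deleted."
    }

    # 2. Delete the key, then verify it is really gone
    reg.exe delete $MsdtKey /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg delete failed.' }
    if (Test-MsdtHandlerPresent) { throw "$MsdtKey still present after delete." }

    Write-Host "ms-msdt handler removed. Backup: $backup"
    return $backup
}

function Restore-MsdtHandler {
    # Re-import the exported .reg file once the security update is installed
    param([Parameter(Mandatory)][string]$BackupFile)
    reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import of $BackupFile failed." }
    return (Test-MsdtHandlerPresent)
}

# Usage:
# Get-MsdtHandlerCommand                    # inspect the handler before removing it
# $backup = Disable-MsdtHandler             # backup + delete + verify
# Restore-MsdtHandler -BackupFile $backup   # after the patch: returns $True once the key is back
```

Two practical notes: the file written by reg export is an ordinary .reg file, so reg import (or double-clicking it) restores the handler; and while the key is removed, any Windows troubleshooter link that is launched through an ms-msdt: URI will no longer open, which is expected and reversible with the restore step.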