Hi there! We're going to analyze and investigate a zero-day vulnerability: CVE-2022-30190, a.k.a. Follina.

The Follina vulnerability affects Microsoft Office products and represents a critical risk because it enables remote code execution (RCE) from a document the victim merely opens or previews.

Key details of the Follina vulnerability (source: https://owasp.org/www-community/vulnerabilities/follina):

  • CVE-2022-30190: Officially tracked as CVE-2022-30190 and listed in NIST's National Vulnerability Database (NVD); its severity warrants tracking.

  • Phishing Campaigns: Cybercriminals actively exploit Follina through phishing campaigns, luring users into opening malicious Office documents or links that trigger the vulnerability.

  • MSDT Protocol: The root cause is abuse of the ms-msdt: URL protocol handler of the Microsoft Support Diagnostic Tool (MSDT). A malicious document pulls in a remote template that invokes ms-msdt:, and the parameters passed to it let attackers run their own PowerShell commands. No macros are involved, so macro blocking does not help, and in the preview scenario below no user interaction beyond selecting the file is needed.

  • Diverse Attack Vectors: Follina can strike via email-delivered malicious Office documents, documents carried on USB devices, or even during file previews in Windows Explorer (an .rtf file can trigger when it is merely selected, with no click to open).

  • Discovery Timeline: Publicly disclosed as a zero-day on May 27, 2022; the first known malware exploiting it surfaced on April 7, 2022 according to the OWASP write-up, so it was exploited in the wild before disclosure.

  • Escalation of Phishing Campaigns: After Follina's disclosure, security researchers noted a surge in phishing campaigns employing this vulnerability.

Let's create the case for the SIEM alert SOC173 - Follina 0-Day Detected on LetsDefend and begin with the Playbook.

Step 0 - Define Threat Indicator:

[Screenshot: Incident Details]

[Screenshot: Define Threat Indicator]

Click on "Other" and continue to the next step of the Playbook.

Step 1 - Check if the malware is quarantined/cleaned:

Let's verify whether the malware was quarantined or cleaned, using two sources:

  • Log Management
  • Endpoint Security

We start with Log Management, filtered around the alert's event time, to look for IOCs.

Here is the event time we need to investigate:
Event Time:
Jun, 02, 2022, 03:22 PM

Here is the Log Management view, and it shows some interesting things. Let's have a look:

[Screenshot: Log Management]

One destination IP address keeps repeating in a very short time span. Repeated, regular connections from a single host to one external address are a strong indicator of compromise (beaconing to a command-and-control server), so we take note of this IP for later and confirm its reputation in the next steps:

  • 141.105.65.149
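As an added example (not code from the original write-up or from LetsDefend), here is the check we just did by eye, automated: a Python script that groups connection logs by source/destination pair and flags any pair contacted at least a threshold number of times inside a sliding time window. The log lines, the "timestamp,src_ip,dst_ip,dst_port" field layout and the window/threshold values are assumptions constructed for the example, not the real LetsDefend records; only the host and C2 addresses come from the alert.

```python
"""Flag a destination that one host keeps contacting within a short window.

Added example: the log lines are constructed for this write-up and use an
assumed layout "timestamp,src_ip,dst_ip,dst_port"; adapt parse_logs() to
your SIEM's export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the compromised host beacons to one address (five contacts
# in eight seconds), mixed with ordinary traffic to documentation-range addresses.
SAMPLE_LOGS = """\
2022-06-02 15:22:01,172.16.17.39,141.105.65.149,80
2022-06-02 15:22:03,172.16.17.39,141.105.65.149,80
2022-06-02 15:22:04,172.16.17.39,141.105.65.149,80
2022-06-02 15:22:06,172.16.17.39,141.105.65.149,80
2022-06-02 15:22:09,172.16.17.39,141.105.65.149,80
2022-06-02 15:23:40,172.16.17.39,198.51.100.7,443
2022-06-02 15:30:12,172.16.17.39,192.0.2.10,443
2022-06-02 15:41:55,172.16.17.39,198.51.100.7,443
"""


def parse_logs(text):
    """Parse the CSV-style lines into (timestamp, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split(",")
        records.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst, int(port)))
    return records


def repeated_destinations(records, window=timedelta(seconds=60), threshold=4):
    """Return {(src, dst): max_hits} for pairs contacted >= threshold times inside `window`.

    A sliding window runs over the sorted timestamps of each pair, so five
    contacts spread over an hour are not flagged while five inside one minute are.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _port in records:
        by_pair[(src, dst)].append(ts)

    hits = {}
    for pair, times in by_pair.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # Advance the window start until the span fits inside `window`
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[pair] = best
    return hits


if __name__ == "__main__":
    for (src, dst), count in repeated_destinations(parse_logs(SAMPLE_LOGS)).items():
        print(f"{src} -> {dst}: {count} contacts inside one minute, IOC candidate")
```

Tune `window` and `threshold` to the environment; an almost fixed check-in interval (every two to three seconds in the sample) is itself a tell. The same query answers Step 3 below, since it lists every source that talked to the suspected C2.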

Now we go to Endpoint Security.

As before, here are the IP address and the hostname of the machine we are looking at:
Source Address:
172.16.17.39
Hostname:
JonasPRD

It looks like we found something here:

[Screenshot: EDR]

The Processes tab shows the telltale parent/child pair:

  • WINWORD.exe
  • msdt.exe

The alert trigger reason tells us that msdt.exe was executed right after an Office document was opened, exactly the chain the OWASP description of CVE-2022-30190 predicts.

Looking a bit further, in the Terminal History we see the malware in action:

[Screenshot: Terminal History]

The second command chain is the suspicious and dangerous one: it reads like a dropper, extracting a file, decoding or otherwise processing it, and then executing the result.
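Two checks an analyst can automate from what the EDR showed above, as an added example (not code from the original write-up or from LetsDefend): (1) an Office process spawning msdt.exe, the parent/child pair from the Processes tab, and (2) unpacking the PowerShell hidden inside an ms-msdt: command line, so the command chains can be read in clear instead of guessed at. The process records and the command line below are constructed for the example; the command line copies the layout of the public Follina sample (the `[char]34` quoting trick and the base64 blob handed to `FromBase64String`), but the encoded payload is a stand-in built here, not the real Terminal History entry, and the `OFFICE_PARENTS` list is an assumption to extend for your environment.

```python
"""Detect WINWORD.exe -> msdt.exe and decode the PowerShell inside an ms-msdt: URI.

Added example for the SOC173 write-up; the process list and command line are
constructed here so the script runs offline.
"""
import base64
import re

# Office binaries whose child msdt.exe is suspicious (assumed list for the example)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def office_spawned_msdt(processes):
    """Return (parent_image, child_image) pairs where an Office process spawned msdt.exe.

    `processes` is a list of dicts with 'pid', 'ppid' and 'image' (assumed layout;
    adapt it to your EDR's export).
    """
    by_pid = {p["pid"]: p for p in processes}
    hits = []
    for proc in processes:
        parent = by_pid.get(proc["ppid"])
        if parent is None:
            continue
        child_name = proc["image"].rsplit("\\", 1)[-1].lower()
        parent_name = parent["image"].rsplit("\\", 1)[-1].lower()
        if child_name == "msdt.exe" and parent_name in OFFICE_PARENTS:
            hits.append((parent["image"], proc["image"]))
    return hits


# Two quoting forms: the public sample builds the quotes with [char]34, a plain
# quoted string is the naive variant.
_B64_PATTERNS = [
    re.compile(r"FromBase64String\('\+\[char\]34\+'([A-Za-z0-9+/=]+)'\+\[char\]34"),
    re.compile(r"FromBase64String\(['\"]([A-Za-z0-9+/=]+)['\"]\)"),
]


def decode_msdt_payload(cmdline):
    """Pull the base64 blob out of an ms-msdt: command line and return the hidden PowerShell.

    Returns None when the command line carries no recognisable encoded payload.
    """
    if "ms-msdt:" not in cmdline.lower():
        return None
    for pattern in _B64_PATTERNS:
        match = pattern.search(cmdline)
        if match:
            raw = base64.b64decode(match.group(1), validate=True)
            # The public sample encoded UTF-16LE text (hence NUL bytes); fall back to UTF-8
            return raw.decode("utf-16-le") if b"\x00" in raw else raw.decode("utf-8")
    return None


def cmd_chains(powershell):
    """Return the `cmd /c ...` strings handed to Start-Process, i.e. the command chains."""
    return re.findall(r'-ArgumentList\s+"([^"]*)"', powershell)


# ---- constructed sample: built here, not copied from the alert ----
INNER_POWERSHELL = (
    '$cmd = "c:\\windows\\system32\\cmd.exe";'
    'Start-Process $cmd -windowstyle hidden -ArgumentList "/c taskkill /f /im msdt.exe";'
    'Start-Process $cmd -windowstyle hidden -ArgumentList '
    '"/c cd C:\\users\\public\\&&certutil -decode 1.tmp dropped.exe&&dropped.exe";'
)
_B64 = base64.b64encode(INNER_POWERSHELL.encode("utf-16-le")).decode("ascii")
SAMPLE_CMDLINE = (
    '"C:\\Windows\\System32\\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param '
    '"IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed '
    "IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'"
    "+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+"
    "'FromBase64String('+[char]34+'" + _B64 + "'+[char]34+'))'))))"
    'i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe"'
)
SAMPLE_PROCESSES = [
    {"pid": 4120, "ppid": 1, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"pid": 5208, "ppid": 4120, "image": "C:\\Windows\\System32\\msdt.exe"},
    {"pid": 5300, "ppid": 5208, "image": "C:\\Windows\\System32\\cmd.exe"},
]

if __name__ == "__main__":
    print("office -> msdt:", office_spawned_msdt(SAMPLE_PROCESSES))
    decoded = decode_msdt_payload(SAMPLE_CMDLINE)
    for i, chain in enumerate(cmd_chains(decoded), 1):
        print(f"chain {i}: {chain}")
```

The first chain only kills msdt.exe to hide the diagnostic window; the second is the dropper-style chain worth escalating on, and having it decoded lets you add the dropped file name to the IOC list with confidence rather than inferring it from the obfuscated command line.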

Last for this step, the alert details show the AV (antivirus) action as Allowed, so the attack was not stopped.

So we click on Not Quarantined in the Playbook.

Step 2 - Analyze Malware:

Now it is time to analyze the malware.

With VirusTotal:

[Screenshot: VirusTotal IP lookup]

VirusTotal flags it as malicious: this is a malicious IP address.

Furthermore, it seems the host was compromised through a phishing email, so we go to Email Security, search for that email, and find more IOCs:

[Screenshot: Email Security]

We can see the sender is from Russia and the email came with an attachment. There is no need to open it: the alert details include a file hash we can use to check whether the attachment is malicious.

File hash (MD5):
52945af1def85b171870b31fa4782e52

[Screenshot: VirusTotal hash lookup]

Click on Malicious and let's move on.

Step 3 - Check if Someone Requested the C2:

[Screenshot: Requested C2]

We already know from Log Management that the host requested the malicious IP address several times:

[Screenshot: Log Management]

The C2 address: 141.105.65.149

Using AbuseIPDB we can check the reputation of the IP address we found in Log Management:

[Screenshot: AbuseIPDB]

So click on "Accessed".

Step 4 - Containment:

[Screenshot: Contain]

The host is compromised and is a risk to the organization, so we go to Endpoint Security, search for the compromised host and contain it (isolate it from the network so it can no longer reach the C2 or other hosts).

[Screenshot: Contained]

Move forward and hit "Next".

Step 5 - Add Artifacts:

[Screenshot: Add Artifacts]

Add here the IOCs you found, such as:

  • 172.16.17.39 - compromised host IP (JonasPRD)
  • 52945af1def85b171870b31fa4782e52 - malicious file hash (MD5) of the attachment
  • 141.105.65.149 - C2 IP address

Next.

Step 6 - Analyst Notes:

Here it is recommended that you write a summary covering: the nature of the malware (in this case the Follina 0-day exploit); how it was detected and the immediate actions taken; your investigation findings, with all the IOCs you found; the containment steps; and the future actions that could prevent or mitigate the risk, such as applying the June 2022 Microsoft update that fixes CVE-2022-30190 or, until it is deployed, disabling the ms-msdt: protocol handler as Microsoft advised.

Close the alert as a True Positive, adding your findings and how it was mitigated.

And that's it for the 0-day vulnerability CVE-2022-30190, a.k.a. Follina.

See you next time!