BlackBerry Blog

BlackBerry Prevents Follina

CYBERSECURITY / 06.20.22 / Hector Diaz

Windows® systems are being exploited by a new zero-day attack known as “Follina.” The attack takes advantage of a vulnerability in the Microsoft® Support Diagnostic Tool (MSDT), a Windows® utility used to troubleshoot issues on an endpoint. It uses a malicious document to deliver its payload, which runs when the victim opens the file or even when the system pre-loads it: a victim can unknowingly trigger the attack simply by hovering their mouse over the file to preview it, for instance to view the details of a Microsoft® Word document.

Researchers at Huntress recently verified the Follina vulnerability. Because the malicious file does not require the victim to manually enable macros, it does not trigger warning notifications and can bypass the security restrictions Microsoft currently provides. When the file is in rich text format (RTF), the malicious code runs via the “Preview” tab in Explorer without the file ever being opened. This flies in the face of what many people have been taught in company security training, which was (previously) to check that a file is a real document by hovering the mouse over it to preview it.

On Monday May 30, 2022, Microsoft published CVE-2022-30190 for the vulnerability in the Microsoft Support Diagnostic Tool (MSDT) in Windows. On Tuesday June 14, 2022, Microsoft issued Windows updates to address this vulnerability and recommends installing them as soon as possible. According to Microsoft, a successful exploit can allow the attacker to manipulate the victim’s data, install programs on their computer, and even create new accounts. These changes lay the groundwork for lateral movement within the victim’s environment, a tactic often used in ransomware, advanced persistent threat (APT) and other invasive cyberattacks.
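The process chain the post describes (a Word document launching MSDT, which in turn runs a fileless PowerShell payload) is what endpoint telemetry can key on. The following is an added example, not CylanceOPTICS or BlackBerry code: it walks process ancestry over constructed process-creation events and flags msdt.exe spawned under an Office application, as well as any script host descended from msdt.exe. The image names, sample events and the intermediate host process are assumptions for illustration.

```python
# Added example (not BlackBerry's code): flag the Follina process chain in
# process-creation telemetry by walking each process's ancestry.
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str  # basename of the executable, lower-case

def ancestors(events, pid):
    """Yield the image names of a process's ancestors, nearest first.
    The 'seen' set guards against cycles in malformed telemetry."""
    by_pid = {e.pid: e for e in events}
    seen = set()
    e = by_pid.get(pid)
    while e is not None and e.ppid in by_pid and e.ppid not in seen:
        seen.add(e.ppid)
        e = by_pid[e.ppid]
        yield e.image

def detect_follina_chain(events):
    """Return (pid, reason) alerts for the two stages the post describes:
    MSDT launched from an Office document, and a script host under MSDT.
    Walking the full ancestry means intermediate processes between
    msdt.exe and the script host do not hide the chain."""
    alerts = []
    for e in events:
        anc = list(ancestors(events, e.pid))
        if e.image == "msdt.exe" and OFFICE_APPS.intersection(anc):
            alerts.append((e.pid, "msdt.exe spawned under an Office process"))
        elif e.image in SCRIPT_HOSTS and "msdt.exe" in anc:
            alerts.append((e.pid, "script host descended from msdt.exe"))
    return alerts

# Constructed sample telemetry (not a real capture). The first msdt.exe is
# spawned by Word after the document is opened; the second is a user running
# a troubleshooter from Explorer and must not alert.
SAMPLE = [
    ProcEvent(100, 1, "explorer.exe"),
    ProcEvent(200, 100, "winword.exe"),
    ProcEvent(300, 200, "msdt.exe"),
    ProcEvent(310, 300, "sdiagnhost.exe"),   # assumed intermediate host
    ProcEvent(320, 310, "powershell.exe"),   # fileless payload stage
    ProcEvent(400, 100, "msdt.exe"),         # benign troubleshooter
    ProcEvent(500, 100, "powershell.exe"),   # benign admin shell
]

if __name__ == "__main__":
    for pid, reason in detect_follina_chain(SAMPLE):
        print(f"ALERT pid={pid}: {reason}")
```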

See how BlackBerry prevents Follina zero-day attacks in our demo video below, which shows BlackBerry® product CylanceOPTICS® going head-to-head with a live sample of Follina.

DEMO VIDEO: BlackBerry vs. CVE-2022-30190 (a.k.a. Follina)

Learn more about Follina in our deep dive blog: Follina Zero-Day Weaponizes Microsoft Help Tool
 

Figure 1 – In our demo video above, CylanceOPTICS (set to “Audit-Only” mode to allow the attack to take place) identifies how the malicious file exploits the Follina vulnerability, tracking each step of the attack in real time.
 
Figure 2 – Set to “Prevention Mode,” CylanceOPTICS prevents the malicious file from activating its attack, blocking the Follina exploitation in real-time before it causes damage to the system
 

BlackBerry Protects Against Follina

CylanceOPTICS provides on-device threat detection and remediation using artificial intelligence (AI) to prevent security incidents. It provides true AI incident prevention, root cause analysis, smart threat hunting, and automated detection and response capabilities. BlackBerry’s endpoint detection and response (EDR) approach effectively eliminates response latency. It can be the difference between a minor security incident and a widespread, uncontrolled event.

Prevention First Philosophy

At BlackBerry, we take a prevention-first and AI-driven approach to cybersecurity to neutralize malware before the exploitation stage of the kill-chain. 

By stopping malware at this stage, BlackBerry solutions help organizations increase their resilience. This also helps to reduce infrastructure complexity and streamline your security management, ensuring that your business, people, and endpoints are secure. 

BlackBerry Assistance  

Regardless of your current BlackBerry relationship, the BlackBerry Incident Response team can work with organizations of any size and across any vertical, to evaluate and enhance your endpoint security posture and proactively maintain the security, integrity, and resilience of your network infrastructure.   

For emergency assistance, please email us at DLIR@blackberry.com, or use our handraiser form. 

Video Transcript  

In this video, we are going to demonstrate how an attacker can take advantage of the Follina vulnerability to deploy fileless ransomware and encrypt the victim’s machine without deploying any portable executable (PE).

Here, we have a test machine with CylanceOPTICS set to Audit-Only mode to allow this attack to occur, and a weaponized document to exploit Follina.

Upon execution, the target sees nothing strange until we disable the ‘Protected’ view and click ‘Enable Editing,’ which is when the attack unfolds. CylanceOPTICS is able to identify this technique and the subsequent steps taken by the payload that has been executed.

In a matter of seconds, our test system is completely encrypted by a PowerShell (fileless) version of the Netwalker ransomware. If we go to our venue console to analyze what has happened, we can see how this file exploits the vulnerability in question, and how it utilizes Microsoft Distributed Transaction -- MSDT.exe -- to successfully exploit this vulnerability. We can also see how a PowerShell module is used to encrypt the data on the host system.

By taking a prevention-first approach to EDR, we can stop these exploitation attempts at the earliest stage of the attack, with CylanceOPTICS.

In this case, we are going to execute the same chain of actions, but with a preventative policy in place. If we try to execute the same file, we can see how CylanceOPTICS is able to prevent an otherwise successful exploitation of the Follina vulnerability, and safeguard our data.

Returning to our venue console, we can see how the attack has been successfully stopped by CylanceOPTICS before it could cause any damage.

Prevention is Possible, with BlackBerry.

Hector Diaz

About Hector Diaz

Senior Technical Marketing Manager at BlackBerry

Hector Diaz is a Senior Technical Marketing Manager for Latin America and the Caribbean at BlackBerry. Hector works with Engineering and Product Management to translate technology concepts into digestible pieces, evangelizing and educating people about Artificial Intelligence (AI) applied to cybersecurity.

With over 15 years of experience in cybersecurity, Hector is a respected professional who is in-demand at trade shows, partner training and customer engagements across Latin America and the Caribbean Region.