Threat Advisory: CVE-2022-30190 ‘Follina’ – Severe Zero-day Vulnerability discovered in MSDT
03 June 2022
Written by Seqrite

A high-severity zero-day remote code execution vulnerability, tracked as CVE-2022-30190 and nicknamed "Follina", has been identified in the Microsoft Windows Support Diagnostic Tool (MSDT).

MSDT ships with Windows 7 and later and is used to diagnose problems in applications such as Microsoft Office when a user reports an issue to Microsoft support.

Why is the CVE-2022-30190 "Follina" vulnerability so dangerous?

MSDT is normally invoked by applications such as Microsoft Office. When it is invoked through the MSDT URL protocol, the flaw allows remote code execution with the privileges of the calling application, so an attacker can run arbitrary code.

This vulnerability has been exploited in the wild using Microsoft Office documents distributed via email to execute malicious payloads (for example, the Turian backdoor and Cobalt Strike). An early sample, a document named "VIP Invitation to Doha Expo 2023.docx" (7c4ee39de1b67937a26c9bc1a7e5128b), used WebDAV to download Cobalt Strike.

The Chinese APT group TA413 has exploited this vulnerability in the wild, downloading a backdoor as the payload via the MSDT URL protocol.

The figure below shows the base64-encoded HTML file downloaded by the document (SHA: 000c10fef5a643bd96da7cf3155e6a38) from hxxp://212[.]138.130.8/analysis[.]html.

The following figure shows the decoded data:

Decoding the base64 data shows clearly that svchosts.exe, which is the backdoor, is downloaded via the MSDT URL protocol.
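The delivery chain described above (an Office document pointing an OLE object at a remote HTML page, which in turn carries a base64-encoded stage invoking the MSDT URL protocol) can be triaged offline. The following is an added example, not Seqrite's code: it lists external oleObject relationship targets in a .docx and flags the ms-msdt: scheme in fetched HTML, raw or inside base64 runs. The sample document it builds is constructed for testing and is hypothetical.

```python
"""Follina document triage helpers (added example, not Seqrite's code)."""
import base64
import io
import re
import zipfile
from xml.etree import ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)   # the MSDT URL protocol scheme
B64_RE = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")    # long base64-looking runs

def external_ole_targets(docx_bytes: bytes) -> list:
    """URLs of oleObject relationships with TargetMode="External" in any .rels part.
    Benign documents embed OLE objects internally; a remote target is the
    Follina-style external HTML stage and deserves a closer look."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External" and rel.get("Type") == OLE_REL:
                    hits.append(rel.get("Target", ""))
    return hits

def contains_msdt_scheme(data: bytes) -> bool:
    """True if ms-msdt: appears raw, or inside a base64 run (the advisory's
    downloaded HTML carried its payload base64-encoded)."""
    if MSDT_RE.search(data):
        return True
    for blob in B64_RE.findall(data):
        try:
            if MSDT_RE.search(base64.b64decode(blob, validate=True)):
                return True
        except ValueError:       # not really base64, or bad padding
            continue
    return False

def build_sample_docx(target: str, external: bool = True) -> bytes:
    """Constructed minimal .docx for testing the scanner; hypothetical, not a real sample."""
    mode = ' TargetMode="External"' if external else ""
    rels = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            f'Type="{OLE_REL}" Target="{target}"{mode}/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()
```

Run `external_ole_targets` over mail attachments and `contains_msdt_scheme` over any HTML those targets resolve to; a hit on either is a strong signal worth escalating.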

Mitigation of "Follina"

Disabling the MSDT URL protocol:

  1. Execute the following command as Administrator to back up the registry key:

     reg export HKEY_CLASSES_ROOT\ms-msdt filename

  2. To delete the registry key, execute the following command:

     reg delete HKEY_CLASSES_ROOT\ms-msdt /f

To restore the registry key, execute the following command as Administrator:

     reg import filename

How does Seqrite protect its customers from CVE-2022-30190 "Follina"?

Seqrite protects its customers against this vulnerability in MSDT via the following detections:

  • Backdoor.Turian.S28183972
  • CVE-2022-30190.46635
  • CVE-2022-30190.46634
  • CVE-2022-30190.46624
  • CVE-2022-30190.46623

© 2022 Quick Heal Technologies Ltd. Cookie Policies Privacy Policies