Bitcoin Forum
Author Topic: MS Word vulnerability could lead to stealing your bitcoins  (Read 431 times)
DdmrDdmr (OP)
June 02, 2022, 09:34:12 AM
Merited by LoyceV (6), NeuroticFish (5), dkbit98 (5), ABCbits (2), Pmalek (2), 1miau (2), Welsh (1), Lucius (1), btc_angela (1), tranthidung (1), cheezcarls (1), aysg76 (1), Rikafip (1), Jawhead999 (1), PrimeNumber7 (1), BIT-BENDER (1), Charles-Tim (1), Despairo (1), Rizzrack (1)
 #1

Is it a real risk, or an exaggeration?

It seems to me like a bit of both … The company Wallet Guard has issued a warning on a vulnerability they’ve detected in MS Word named "follina". Wallet Guard has classified the vulnerability as critical (0-day vulnerability), although Microsoft seems to downplay the scale, and does not award it the same classification by their standards.

The exploit seems to allow a hacker to take full control of your windows environment, simply by downloading a malicious .doc, .docx or .rtf file onto your environment. You don’t even need to open the document itself for the exploit to be set in motion. Apparently, a said malicious document can exploit MS Word template features, and execute external html or java code.

But the added danger seems to reside in yet another vulnerability tied to MSDT (Microsoft Support Diagnostic Tool), which theoretically allows MS to gain remote control of your environment to perform support (something we shouldn’t even want in our system per se).
MSDT requires that you enter a password to grant remote access, but apparently, a vulnerability can be exploited to bypass the password requirement, thus allowing a hacker to access your system.

This is, according to Microsoft, the way you can disable MSDT URL protocol:
Quote
1.   Run Command Prompt as Administrator.
2.   To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”
3.   Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.

The above caught my attention whilst reading an article on the Spanish Media, that literally stated that a Microsoft vulnerability could allow your bitcoins to be stolen. The possibility of course stands, if someone gains remote control to your environment, and you’ve got critical information lying around in files (i.e. seeds), although this is not something that specifically targets crypto, but that opens a potential door to multiple forms of wrongdoing.

On the other hand, there don’t seem to be any reports of this exploit being used by hackers to date, either because the case is too fresh, or not that easy to become acquainted with and exploit.

All in all, just in case, I’ve disabled the MSDT URL protocol…

See:
https://twitter.com/wallet_guard/status/1531848479911432192
https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

NeuroticFish
June 02, 2022, 09:44:56 AM
 #2

I don't know if only LibreOffice does this or Word too, but I've seen somewhere macros being blocked because the file came from the internet.
If Word does that nowadays, then the risk is not so big.
I don't know whether Windows Defender also "takes a look" there.

So unless the user disables the security nets, there's a chance he may be safe. But somebody using Office more than I do should confirm whether it's the case.


However, disabling that backdoor is a very good catch, no matter whether the MS Office vulnerability is big or small.

Maus0728
June 02, 2022, 10:33:36 AM
 #3

Question!

Should I disable it even though I do not have any Microsoft office/products installed? Also, on my desktop which was primarily used for academic purposes, I have tons of word documents created in MS word, am I already compromised?

Thanks for sharing by the way!

Rizzrack
June 02, 2022, 10:42:05 AM
Merited by NeuroticFish (4), DdmrDdmr (3)
 #4

Quote from: NeuroticFish
I don't know if only LibreOffice does this or Word too, but I've seen somewhere macros being blocked because the file came from the internet.
If Word does that nowadays, then the risk is not so big.

It has nothing to do with macros unfortunately. They run commands using an instance of MSDT and instead of Troubleshooting they are Troublecreating...
Network Chuck explained some things about this vulnerability if you wanna check it out: https://www.youtube.com/watch?v=3ytqP1QvhUc&t=116s

Quote from: DdmrDdmr
This is, according to Microsoft, the way you can disable MSDT URL protocol:
Quote
1.   Run Command Prompt as Administrator.
2.   To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”
3.   Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.

Thanks for the info !

Quote from: Maus0728
Question!

Should I disable it even though I do not have any Microsoft office/products installed? Also, on my desktop which was primarily used for academic purposes, I have tons of word documents created in MS word, am I already compromised?

Thanks for sharing by the way!

This does not mean everyone who has office installed can be hacked in 2 seconds, luckily. You would need to download an infected .doc file and open it. Then you're screwed !
Try the registry fix mentioned by Ddmr2 and as always... don't download random stuff from random sites or unknown emails !

DdmrDdmr (OP)
June 02, 2022, 11:25:04 AM
 #5

<…>
Even if you don’t currently use MS Office products, I’d disable the MSDT URL protocol to disable that vulnerable backdoor on your system, as mentioned by others. The MS article in the OP indicates how to re-enable it if necessary for whatever reason.
I expect the MS blog entry to be updated on behalf of Microsoft with any novelties related to this exploit, so it may be worth checking it every now and then.

There’s an example video here of the first part of the combined set of vulnerabilities, showing how downloading a word file can lead to the file launching "whatever" without even opening the file. The trick though may be that it requires the file to be at least previewed to some degree on the file explorer, but simply browsing a directory with preview set can lead to that.

See:
https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-mitigation-for-office-zero-day-exploited-in-attacks/
https://twitter.com/wdormann/status/1531259406624620544 (quite a bit of additional info on this Twitter thread).


Note: This twitter thread is also interesting to read through, as a complementary read to create awareness. It’s a couple of months old, and bears a different set of attack vectors, but also pivots around exploiting Word (albeit in a different way):
https://twitter.com/wallet_guard/status/1509196531202932736

hugeblack
June 02, 2022, 11:56:04 AM
 #6

Quote from: DdmrDdmr
The exploit seems to allow a hacker to take full control of your windows environment, simply by downloading a malicious .doc, .docx or .rtf file onto your environment. You don’t even need to open the document itself for the exploit to be set in motion.

Does this include all file extensions that are opened by Microsoft Office applications or just the extensions above?
Many people think that if the malicious program does not reach the permissions of the core (you install the program), the possibility of being hacked is low.

In general, even if the news above is true, the hacker needs to know the password, which is an additional task, so I do not expect it to be used randomly.

Anyway, you should store your coins in cold storage.

NeuroticFish
June 02, 2022, 12:08:51 PM
 #7

Quote from: DdmrDdmr
You don’t even need to open the document itself for the exploit to be set in motion.

This would be quite difficult. And from what I've seen in the YouTube video from @Rizzrack you do have to open it. (Thanks man, it's a very good video.)

Quote from: hugeblack
Does this include all file extensions that are opened by Microsoft Office applications or just the extensions above?

This is a very good question.
Modern Word documents are zip files. But same goes, for example, to Excel files too. The malicious file is a cleverly altered Word document, but I don't see why the same thing would not work with any (zip) Office file.

But, as you can see at 7:39 there ( https://youtu.be/3ytqP1QvhUc?t=459 ), the heart of everything is

Code:
<script>location.href = msdt:

where the hacker gives all sort of parameters to msdt exe, which runs them all without questioning (including, sooner or later, cab file/installer, they say).



For now I've removed that entry from my registry, but I fear that this is such a wide opportunity they'll very fast find other "servicing" programs they can run in a similar way.
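
A defender-side check for the point made in this post, as an added example that is not part of the original thread: because modern Office files are ZIP packages, every reference a document makes to something outside itself is listed in its `_rels/*.rels` parts, so one scan covers Word, Excel and PowerPoint files alike. The sample packages, the example.invalid URLs and the function names are constructed for illustration, and a hit means the file deserves a closer look, not that it is malicious.

```python
"""Added example: list the external references inside an OOXML package."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
MAX_PART_BYTES = 1 << 20  # relationship parts are tiny; refuse anything bigger


def external_references(data: bytes):
    """Return [(part, relationship_kind, target)] for every relationship that
    points outside the package, ignoring ordinary clickable hyperlinks."""
    try:
        package = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy .doc and .rtf files are not ZIP packages and need other tools.
        raise ValueError("not an OOXML (ZIP) package") from None

    findings = []
    with package:
        for info in package.infolist():
            if not info.filename.lower().endswith(".rels"):
                continue
            if info.file_size > MAX_PART_BYTES:
                findings.append((info.filename, "oversized-part", ""))
                continue
            raw = package.read(info)
            # OOXML parts never need a DTD; flag one instead of parsing it.
            if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
                findings.append((info.filename, "dtd-present", ""))
                continue
            try:
                root = ET.fromstring(raw)
            except ET.ParseError:
                findings.append((info.filename, "unparseable", ""))
                continue
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "").lower() != "external":
                    continue  # internal part reference, nothing is fetched
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                if kind == "hyperlink":
                    continue  # only followed when the user clicks it
                findings.append((info.filename, kind, rel.get("Target", "")))
    return findings


def make_rels(*entries) -> str:
    """Constructed relationships part from (kind, target, mode_attribute) tuples."""
    body = "".join(
        f'<Relationship Id="rId{i}" Type="{OFFICE_REL}{kind}" Target="{target}"{mode}/>'
        for i, (kind, target, mode) in enumerate(entries, 1)
    )
    return f'<Relationships xmlns="{REL_NS}">{body}</Relationships>'


def make_package(rels_xml: str) -> bytes:
    """Constructed minimal package holding a single relationships part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


EXTERNAL = ' TargetMode="External"'
# Constructed samples: one ordinary document, one that loads remote HTML as an object.
BENIGN = make_package(make_rels(
    ("styles", "styles.xml", ""),
    ("hyperlink", "https://example.invalid/", EXTERNAL)))
SUSPECT = make_package(make_rels(
    ("styles", "styles.xml", ""),
    ("oleObject", "https://example.invalid/page.html", EXTERNAL)))

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, external_references(blob))
```
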

Smartvirus
June 02, 2022, 12:12:32 PM
 #8

Is this doc, .docx or .rtf file supposedly the name of the document file in question? If not, any means by which we could identify such file or document?
Again, having a system safety system up might be another to tackle the downloading and installation of applications from unknown source on your system.

It is preeminent that, users be careful of what app or file you click and download while browsing the Web. Not all assisted functions and updates on a site are needed. You never can possibly tell of an impending danger at all times and as such, it's better you avoid what you don't tend to comprehend.

This further raises the alarm on why you shouldn't save your keys on electronic devices and even on Google clouds as, the chances of some malicious third party network coming up and provide some vulnerability to the system is always possible.

DdmrDdmr (OP)
June 02, 2022, 02:34:46 PM
Merited by NeuroticFish (2)
 #9

Quote from: hugeblack
Does this include all file extensions that are opened by Microsoft Office applications or just the extensions above?
Those are the ones I’ve seen explicitly referenced so far.

Quote
In general, even if the news above is true, the hacker needs to know the password, which is an additional task, so I do not expect it to be used randomly.
It seems that the password requirement for the MSDT can be bypassed by exploiting a given vulnerability.


<…>
The video brilliantly displays a case use created by @John to demonstrate how the exploit can be taken advantage of. He does open the word document in the video, but this tweet claims that it can be activated in preview mode on a file explorer, which is a soft open in a sense.

<…>
The issue is not really down to one file name, but rather more to the whole set of possibilities it opens.
We need to stay tuned to see what solutions are set in place, likely leading to some security upgrade on MS’s behalf.
Lucius
June 02, 2022, 02:38:32 PM
 #10

As stated in the OP, this vulnerability is not just about stealing Bitcoin but about any digital information you store on your computer - and it is known that private keys and seed should not be stored on a computer, especially not in unprotected form as plain text. At risk here are those who do not have high security standards and are negligent in most things they do - but since it is very easy to disable this attack, I see no reason why we should not prevent something bad from happening.

For those who have Windows in their local language and have never used Command Prompt, I suggest typing CMD into a Windows search engine, or translating Command Prompt into your local language before searching. Of course, copy the commands without quotes, and you can paste them by pressing CTRL + V.

dkbit98
June 02, 2022, 08:28:06 PM
Merited by NeuroticFish (1)
 #11

Quote from: DdmrDdmr
Is it a real risk, or an exaggeration?
Using any microsoft programs like wiNd0ws os and ms office package with words is always a risk and they are known to be full of bugs, and most exploits work only in wiNd0ws.
Instead of doing various gymnastics to protect from next dangerous win exploit, it's much better to switch to Linux operating system and some alternative to ms words.
Most people are using Libre Office as open source alternative but if you want better compatibility with ms formats then I would suggest that you try OnlyOffice that is also free, and it works in all operating systems.


ABCbits
June 03, 2022, 10:10:39 AM
Merited by DdmrDdmr (3)
 #12

Quote from: DdmrDdmr
Is it a real risk, or an exaggeration?

It affects Windows 7-11 and Windows Server 2008-2022 with severity score 9.3[1], I'd say it's real risk. There are already reports hackers exploit that vulnerability[2-3], although I don't know whether it's true or propaganda.

[1] https://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2022-30190
[2] https://www.securityweek.com/chinese-threat-actors-exploiting-follina-vulnerability
[3] https://techcrunch.com/2022/06/01/china-backed-hackers-are-exploiting-unpatched-microsoft-zero-day

aysg76
June 03, 2022, 11:25:14 AM
 #13

Quote from: Maus0728
Question!

Should I disable it even though I do not have any Microsoft office/products installed? Also, on my desktop which was primarily used for academic purposes, I have tons of word documents created in MS word, am I already compromised?

Thanks for sharing by the way!

Not really if you haven't downloaded any of the malicious file from internet that could give them access to your files but for safety reasons if you have sensitive information on those documents then uninstall it as the hackers are bypassing the security protocols through this vulnerability and have full access of your system environment which could be risky.

Quote
For this reason, the recommendations it offers are radical and begin with “discontinue use of Microsoft Word” until this vulnerability is removed. They also recommend not opening files with the extensions mentioned and preferring to use PDF or work with Google Docs.

Quote from: Lucius
As stated in the OP, this vulnerability is not just about stealing Bitcoin but about any digital information you store on your computer - and it is known that private keys and seed should not be stored on a computer, especially not in unprotected form as plain text. At risk here are those who do not have high security standards and are negligent in most things they do - but since it is very easy to disable this attack, I see no reason why we should not prevent something bad from happening.

Which is why it's said to backup them on offline storage like metal plates and steel washers are the best option as if anything is compromised your wallets seeds are not hacked and your funds are safe on non-custodial or hardware wallets but you must be extra cautious with them also as there have been security breaches and phishing attempts in them also.

Quote from: DdmrDdmr
Those are the ones I’ve seen explicitly referenced so far.

Yeah according to the article these file extensions are exploiting at the time with this vulnerability but without opening the document also is much risky as you could download these malicious files by mistake but keep an eye before clicking on any link or downloading the files on system.

Quote from: DdmrDdmr
It seems that the password requirement for the MSDT can be bypassed by exploiting a given vulnerability.

They already have buffer in order to have the remote access of any system to make changes of which the hackers are taking advantage and without any password they are having the access of the system. These are the things they need to have look upon and need to have some security breaches be possible with having one access control point with them always.


Queentoshi
June 04, 2022, 05:53:32 AM
 #14

Quote from: DdmrDdmr
The above caught my attention whilst reading an article on the Spanish Media, that literally stated that a Microsoft vulnerability could allow your bitcoins to be stolen.

Anything that poses a real threat to my bitcoin is not exaggerated to me and should not be taken lightly. Thank you so much for sharing this. Regardless of the fact that I don't have any crypto related documents on my computer, I will still go ahead to disable the MSDT URL protocol, because I may decide to start using it for crypto related activities in the future and may forget about this vulnerability, so I better do it now.

Quote from: DdmrDdmr
On the other hand, there don’t seem to be any reports of this exploit being used by hackers to date, either because the case is too fresh, or not that easy to become acquainted with and exploit.

This is fresh, but as you came across the article, so did others who may develop and seek to exploit others through this.

Dunamisx
June 04, 2022, 11:33:47 AM
 #15

Quote from: DdmrDdmr
The exploit seems to allow a hacker to take full control of your windows environment, simply by downloading a malicious .doc, .docx or .rtf file onto your environment

Downloading malware attack has been one of the unavoidable route of entry by the hackers to launch their attacks on users, we have many reasons that could prompt us on making download while surfing online but the security consciousness of our asset from the device used and the apps should be our major concern, how do we now get safe in doing this? in the link provided below, one must learn how to protect yourself against malware attack because most causes can be traced to our own personal lapses in the areas of what we do online in which could turn to be a surprise attack beyond our expectations.



cryptoaddictchie
June 05, 2022, 05:16:50 AM
 #16

This isn't good news. Thanks OP for relaying it here, I'm sure it's not gonna be easy for hackers and I supposed Microsoft have gotten the news and render any possible statement. Too bad the owner seems to not care on cryptocurrency stance.

Has anyone already been victim of the said issue? Been trying to check on social if there are already been compromise or stolen bitcoin or crypto for this case.

Needed to know what to do for my security.

Pmalek
June 05, 2022, 07:30:33 AM
 #17

Quote from: Rizzrack
This does not mean everyone who has office installed can be hacked in 2 seconds, luckily. You would need to download an infected .doc file and open it. Then you're screwed!
You don't necessarily have to open it. Previewing it is enough to run the script according to the twitter posts DdmrDdmr shared.

The same recommendations that have been repeated many times still apply in this case:

  • Don't download unknown files from the internet.
  • Don't even download files from friends and family without checking with them what it is that they are sending.
  • Even if you know what it is, if it isn't essential to your work and life - you don't need it.
  • Don't save your private information in digital formats on your computer or online accounts. That includes seeds and private keys.
  • Keep your crypto away from your every-day computer. Keep your work away from your crypto and your every-day computer.
  • If one of your computers gets infected, not everything you have and do will be considered to be compromised.

LoyceV
June 05, 2022, 08:09:51 AM
 #18

Quote from: DdmrDdmr
You don’t even need to open the document itself for the exploit to be set in motion. Apparently, a said malicious document can exploit MS Word template features, and execute external html or java code.
Lol, say what? A random file can get full access and all it has to do is being copied? How are people still using software from this very large corporation?
Who are those brave people using Bitcoin wallets on Windows? I don't even dare to enter my email password on it.

Quote from: Pmalek
Keep your crypto away from your every-day computer. Keep your work away from your crypto and your every-day computer.

This is probably the best solution. If you really insist on using Windows, don't use it for crypto. Or banking. Or email. Or work. Eventually, you'll notice you don't use it at all anymore :)

To quote myself:
How to prevent this
1. Don't use Windows, but we both know you're not going to change that.

Pmalek
June 05, 2022, 08:29:53 AM
 #19

Quote from: LoyceV
How to prevent this
1. Don't use Windows, but we both know you're not going to change that.
Like many others, I have to admit that I am guilty of that myself. Windows is all I have ever used since I was a child and I have gotten used to it so much. The thing is, if I had negative experiences, hacks, and stuff like that, I wouldn't hesitate to try something else. But I haven't. I am generally quite cautious and I use different devices for different things. Even stuff like USB devices don't get shared among my laptops. I treat almost all emails as spam and fraudulent and have no need to experiment with unknown software or even mobile apps.

Maybe when things calm down on a personal level I can take the time to start researching Linux and setting it up on one of my computers. I don't consider it a priority at the moment.   

aysg76
June 05, 2022, 01:31:15 PM
 #20

Quote from: Pmalek
Like many others, I have to admit that I am guilty of that myself. Windows is all I have ever used since I was a child and I have gotten used to it so much. The thing is, if I had negative experiences, hacks, and stuff like that, I wouldn't hesitate to try something else. But I haven't. I am generally quite cautious and I use different devices for different things. Even stuff like USB devices don't get shared among my laptops. I treat almost all emails as spam and fraudulent and have no need to experiment with unknown software or even mobile apps.

Maybe when things calm down on a personal level I can take the time to start researching Linux and setting it up on one of my computers. I don't consider it a priority at the moment.   
Using Windows is not risky if you are taking all the precautionary steps like in your case but most of the people around the globe use Windows only and if you check out the reports you will find most hacks and scams are done to Windows users only as it's not as good as Linux when it comes to security perspective. In your case the thing is different like you are not sharing any of the device plug ins and not having cryptos on your computer but for many they are storing funds on Metamask and download malicious files and click on links that made these hacks possible because they were ignorant enough to get their funds compromised.

So you can keep using the same if you are having this much knowledge about the security and always keep your funds away from your system which is best possible option.

Welsh
June 05, 2022, 01:42:35 PM
 #21

    For anyone that hasn't actually changed from Windows to Linux, who has tried in the past, but couldn't get along with it. Common distributions like Ubuntu are now incredibly similar to Windows. The change over would be somewhat seamless.

    The only problem you're likely to run into is installing software, but since a lot of places are now offering packaged executables, that don't require any terminal know-how, but a simple check for allowing as an executable, and double clicking it, the process is becoming more simple. Obviously, this has its own security risks, so obviously verify, and all that.

    For any software that requires a bit of terminal work, the process is usually similar. For example, downloading a .deb, installing via dpkg -i, then installing any dependencies which it should flag up.

    Since you probably aren't going to be constantly installing software, setting up your machine over a weekend should be enough, and then the repos will likely be added to Ubuntu, and will update through the GUI updater or alternatively the terminal.

    What I'm saying is, many years ago making the switch to Linux was troublesome, but Linux has come a long way for less technical users to actually use. I've not had a Windows machine for years now, completely converted, including a gaming machine. I won't be going back either.

Lol, say what? A random file can get full access and all it has to do is being copied? How are people still using software from this very large corporation?
Who are those brave people using Bitcoin wallets on Windows? I don't even dare to enter my email password on it.
Don't know about you, but a file that doesn't even need to be technically executed by the user, and simply copied onto their machine is what I'd call critical. I guess Microsoft might be downplaying it because the attack surface is rather low, and hasn't been widely distributed, but that could change overnight.

Although, it still comes down to how the user uses the software, rather than it inherently being insecure, since the user would have to download that .doc in the first place. However, it's a rather sly one, as most people wouldn't even think twice about a .doc.

  • If one of your computers gets infected, not everything you have and do will be considered to be compromised.

Yeah, but obviously if the computers are connected in any way, i.e. via using the same USBs or through the same network, they should ideally be considered compromised, even if they aren't proven to be.
dkbit98
June 05, 2022, 03:47:40 PM
 #22

Who are those brave people using Bitcoin wallets on Windows? I don't even dare to enter my email password on it.
Most of them are using wiNd0ws and some of them are even bragging about that, because it's not ''hard'' to use like Linux, and they don't care if the OS is spying on them non-stop.
If someone is so addicted to win OS, better try something called windows Ameliorated, that has all spyware and bloatware removed.
However, for everyday use and for Bitcoin wallets I would always suggest Linux OS.

For anyone that hasn't actually changed from Windows to Linux, who has tried in the past, but couldn't get along with it. Common distributions like Ubuntu are now incredibly similar to Windows. The change over would be somewhat seamless.
I would personally avoid recommending Ubuntu to masses who want to switch from gates OS, even if it is a better option than wiNd0ws OS, there are better Linux alternatives.
Maybe the best option is Linux Mint or Debian that are rock stable, they have a familiar style for switching to Linux, and most Bitcoin wallets work perfectly for them.
Most of them are coming with preinstalled alternative Office package with Word.

NeuroticFish
June 06, 2022, 08:07:24 AM
 #23

For anyone that hasn't actually changed from Windows to Linux, who has tried in the past, but couldn't get along with it. Common distributions like Ubuntu are now incredibly similar to Windows. The change over would be somewhat seamless.
I would personally avoid recommending Ubuntu to masses who want to switch from gates OS, even if it is a better option than wiNd0ws OS, there are better Linux alternatives.
Maybe the best option is Linux Mint or Debian that are rock stable, they have a familiar style for switching to Linux, and most Bitcoin wallets work perfectly for them.
Most of them are coming with preinstalled alternative Office package with Word.

I am mainly a Windoze user and I cannot give it up on this laptop because it's expressly needed for my work, but I've put Linux Mint on my wife's laptop and it's basically straightforward.
On the other hand, I've tried both Debian and Ubuntu on WSL and I didn't find them as friendly as Mint. So I agree with @dkbit98 on this.
And yes, most of the tools are similar. I didn't get to see yet if Only Office also works there.

LoyceV
June 06, 2022, 08:53:15 AM
Merited by NeuroticFish (1)
 #24

On the other hand, I've tried both Debian and Ubuntu on WSL and I didn't find them as friendly as Mint. So I agree with @dkbit98 on this.
Over the years, I tend to switch once in a while. You may want to add Kubuntu to the list too.

Pmalek
June 06, 2022, 09:06:44 AM
 #25

...if you check out the reports you will find most hacks and scams are done to Windows users only as it's not as good as Linux when it comes to security perspective.
It's not just that Windows is not as good and as secure as Linux, Windows has a bigger userbase than all the other operating systems combined. That means a greater chance for effective malware distribution and infection. It's also important to consider what kind of crowd is attracted to Linux and who uses Windows. Linux is an OS that is not as user-friendly as Windows. So you would expect that it's used by those who are more experienced. Developers, technology enthusiasts, security experts, privacy advocates... That's not your usual target group that will get phished, open unfamiliar emails and attachments, or install fake software. Those who do that use Windows.

In your case the thing is different like you are not sharing any of the device plug ins and not having cryptos on your computer but for many they are storing funds on Metamask...
My crypto is not on exchanges and desktop wallets. It's on a hardware wallet. But I don't use that machine for other activities.   

NeuroticFish
June 06, 2022, 10:01:23 AM
Merited by ABCbits (1)
 #26

And yes, most of the tools are similar. I didn't get to see yet if Only Office also works there.

Use LibreOffice instead. OpenOffice isn't actively developed.

I do use LibreOffice. I wanted to give Only Office (not OpenOffice) a try since they claim to offer better compatibility with MS Office. I've read about it in this topic and I want to see if it's indeed good.
(However, using actual MS Office for free in the browser is also an option).

Debian isn't suitable for beginners (those who never use/give up using Linux) anyway. Excluding non-free drivers by default with lots of download options (CD, DVD, different DE, etc.) would give beginners a hard time.

Agreed.

dkbit98
June 06, 2022, 06:57:06 PM
 #27

Debian isn't suitable for beginners (those who never use/give up using Linux) anyway. Excluding non-free drivers by default with lots of download options (CD, DVD, different DE, etc.) would give beginners a hard time.
There is Linux Mint Debian edition and a regular user won't even notice any difference between that and regular Linux Mint that is based on Ubuntu.
I would argue that Ubuntu is not beginner friendly for anyone who wants to switch from wiNd0ws, but there are other options like Zorin OS and many others.
There is even one LinuxFX win clone (made by Rafael Rachid from Brazil) that looks and feels almost identical to win11 spycrap and it's free:
https://www.linuxfx.org/


cheezcarls
June 07, 2022, 12:24:30 AM
 #28

Is it a real risk, or an exaggeration?

It seems to me like a bit of both … The company Wallet Guard has issued a warning on a vulnerability they’ve detected in MS Word named "follina". Wallet Guard has classified the vulnerability as critical (0-day vulnerability), although Microsoft seems to downplay the scale, and does not award it the same classification by their standards.

The exploit seems to allow a hacker to take full control of your windows environment, simply by downloading a malicious .doc, .docx or .rtf file onto your environment. You don’t even need to open the document itself for the exploit to be set in motion. Apparently, a said malicious document can exploit MS Word template features, and execute external html or java code.

But the added danger seems to reside in yet another vulnerability tied to MSDT (Microsoft Support Diagnostic Tool), which theoretically allows MS to gain remote control of your environment to perform support (something we shouldn’t even want in our system per se).
MSDT requires that you enter a password to grant remote access, but apparently, a vulnerability can be exploited to bypass the password requirement, thus allowing a hacker to access your system.

This is, according to Microsoft, the way you can disable MSDT URL protocol:
Quote
1.   Run Command Prompt as Administrator.
2.   To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”
3.   Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.

The above caught my attention whilst reading an article on the Spanish Media, that literally stated that a Microsoft vulnerability could allow your bitcoins to be stolen. The possibility of course stands, if someone gains remote control to your environment, and you’ve got critical information lying around in files (i.e. seeds), although this is not something that specifically targets crypto, but that opens a potential door to multiple forms of wrongdoing.

On the other hand, there don’t seem to be any reports of this exploit being used by hackers to date, either because the case is too fresh, or not that easy to become acquainted with and exploit.

All in all, just in case, I’ve disabled the MSDT URL protocol…

See:
https://twitter.com/wallet_guard/status/1531848479911432192
https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/


I usually do not use MS Word a lot, but this is truly something new to me regarding a possibility for our Bitcoins to get compromised. These hackers are getting smarter trying to do something new and fresh. While we are learning from our mistakes and doing whatever it takes to prevent ourselves from getting scammed or hacked, these hackers are also learning about their failed attempts too. I'll be doing this to prevent my BTCs from getting compromised in the future in this method, as well as being careful in downloading these so-called malware DOC files from the internet.

Oluwa-btc
June 07, 2022, 10:58:21 AM
 #29

Thank you for sharing, DdmrDdmr. With all that said, I think those who save their keys directly in their system will fall prey to this shit, hmm? Reasons why it's never a good decision to save private keys in your mobile phones or system.
But how can someone know it's bad or harmful? How can you detect it?
With anti-virus in your system, can it really work? Or should I say, can anti-virus be aware of such or detect such?

DdmrDdmr (OP)
June 07, 2022, 12:35:32 PM
Merited by NeuroticFish (1)
 #30

<...>
I’d read through the blog entry to see what suggestions may be applicable besides disabling the MSDT URL Protocol. The blog, although dated 30/05/2022, is being updated every now and then, and it does provide some specific MS Defender for those that use it. Not sure what capabilities other antiviruses may provide in terms of prevention and detection regarding this issue.

The blog also suggests switching-on either MS Office Protected View or Application Guard for Office. Nevertheless, the former will treat office docs in read-only mode which is not going to be really very useful in general terms, and the latter seems to be for organizations that have MS 365 E5, which is going to leave out regular users and users of other MS Office versions.

The blog additionally references this MS entry which is also being updated every now and then, and that currently still indicates that "Microsoft is working on a resolution and will provide an update in an upcoming release.", with no associated time estimate.

In the interim, one may need to be more certain about the nature of the documents he opens (i.e. self-created documents should be reliable; external documents, as usual, should be subject to more scrutiny).
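
Post #29 asks how such a document can be detected. One heuristic, as an added example that is not part of any post in this thread: list the relationships inside an Office Open XML file that point outside the package, which is how a document can reference remote content such as a template. The function names, size limit and sample documents are constructed for illustration, it only covers zip-based files (.docx), and a hit means "inspect further", not a confirmed exploit.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_TAG = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
BENIGN_EXTERNAL = {"hyperlink"}  # external hyperlinks are routine; the user has to click them
MAX_PART_SIZE = 1_000_000        # assumed limit: do not inflate oversized .rels parts


def scan_docx(data: bytes):
    """Return [(part, kind, target)] for external, non-hyperlink relationships."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        raise ValueError("not a zip container; .doc and .rtf need other tools") from None
    findings = []
    with zf:
        for info in zf.infolist():
            if not info.filename.endswith(".rels"):
                continue
            if info.file_size > MAX_PART_SIZE:
                findings.append((info.filename, "oversized-part", ""))
                continue
            raw = zf.read(info)
            if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
                # Package parts must not carry a DTD; report it instead of parsing it.
                findings.append((info.filename, "dtd-in-part", ""))
                continue
            try:
                root = ET.fromstring(raw)
            except ET.ParseError:
                findings.append((info.filename, "malformed-xml", ""))
                continue
            for rel in root.iter(REL_TAG):
                if rel.get("TargetMode", "").lower() != "external":
                    continue  # target lives inside the package
                kind = rel.get("Type", "").rstrip("/").rsplit("/", 1)[-1]
                if kind not in BENIGN_EXTERNAL:
                    findings.append((info.filename, kind, rel.get("Target", "")))
    return findings


def build_sample(relationships):
    """Build a minimal in-memory package (constructed test data, not a real document)."""
    rels = "".join(
        f'<Relationship Id="rId{i}" Type="{OFFICE_REL}{kind}" Target="{target}"'
        + (' TargetMode="External"' if external else "") + "/>"
        for i, (kind, target, external) in enumerate(relationships, 1)
    )
    xml = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
           + rels + "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", xml)
    return buf.getvalue()


# Constructed samples: internal styles plus an ordinary link, and a remote template.
CLEAN = build_sample([("styles", "styles.xml", False),
                      ("hyperlink", "https://example.invalid/page", True)])
REMOTE = build_sample([("styles", "styles.xml", False),
                       ("attachedTemplate", "https://example.invalid/t.dotx", True)])

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("remote", REMOTE)):
        print(label, scan_docx(blob))
```

Run it over files in a quarantine or download folder before opening them; anything it reports deserves a look at the listed part and target.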
Lucius
June 07, 2022, 02:35:48 PM
Merited by DdmrDdmr (3)
 #31

On the other hand, there don’t seem to be any reports of this exploit being used by hackers to date, either because the case is too fresh, or not that easy to become acquainted with and exploit.

It seems that attacks related to this vulnerability were noticed a month ago, and according to the information gathered, it seems that the vulnerability was first used by Chinese hackers. In addition to the method you mentioned in the OP, the article says that there is an unofficial patch, although this is not something I would personally apply.

As with any new zero-day, Follina is already being exploited in the wild and security researchers from Proofpoint have discovered that the Chinese state-sponsored threat actor TA413 has been using the vulnerability to target the international Tibetan community.

In a tweet, the company’s researchers explained that TA413 is using malicious URLs to deliver ZIP files that contain weaponized Word documents that exploit Follina. At the same time, MalwareHunterTeam also found Word files with Chinese filenames that are currently being used to install infostealers.

It’s worth noting that attacks exploiting Follina were spotted over a month ago when sextortion threats and invitations to do an interview with Sputnik radio were both used as lures according to BleepingComputer.

Oluwa-btc
June 07, 2022, 02:58:04 PM
 #32

@Lucius they seem to have been exposed since May 27 according to Wallet Guard on Twitter.

They are state-sponsored North Korean hackers famous for attacking Sony, large banks, major DDoS attacks against South Korea, and WannaCry. Yes, the same WannaCry ransomware attack that crippled the NHS in 2017.

I don't know how valid, but take a good look at the sources from Wallet Guard's Twitter, well expatiated!


https://twitter.com/wallet_guard/status/1531848479911432192?t=LxOHhHxddxJTownuDrj61A&s=19

https://twitter.com/wallet_guard/status/1509196531202932736?t=8NdgSFO1DUaUFo3SY_D-zQ&s=19



https://twitter.com/wallet_guard/status/1531848493265993731?t=en6MOyXHr3CnIv6NAMDElA&s=19


 Wallet Guard recommendations:
- Discontinue use of Word for the time being
- Utilize Google Docs
- Disable MSDT (see next tweets)
- Utilize PDF instead of vulnerable extension types
