Today we will talk about Follina
What is Follina? Follina, or CVE-2022-30190, is a zero-day exploit that
uses Microsoft Word documents to execute PowerShell code on your
computer. The original document has other files hidden inside it by way of
compression; it is a .rar file. Once the document is opened or run, it reaches
out to a website to grab an HTML file. That file runs automatically and starts
a hidden command prompt window. The hidden window shuts down the msdt
(Microsoft Diagnostic Tool) program, then searches for a particular encoded
file. It saves that file, decodes it, brings it into the current directory,
and executes a file called rgb.exe. At the moment rgb.exe is unknown, meaning
the infosec community isn’t sure what this file did, but what we do know is
that this is a form of RCE.
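One way a defender can spot the chain described above is to watch process-creation telemetry for an Office application spawning msdt.exe or a command prompt, and for a command that terminates msdt.exe. The script below is an added example, not code from the original post: the event records are constructed, the Sysmon-style field names (ParentImage, Image, CommandLine) are an assumption, and the taskkill rule assumes the "shut down msdt" step appears as a command line that kills msdt.exe.

```python
"""Flag Follina-style process lineage in process-creation events (added
example; the events below are constructed, not real telemetry)."""
import json
from pathlib import PureWindowsPath

# Office applications that should not normally launch diagnostic or shell tools.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children worth alerting on when their parent is an Office application.
SUSPICIOUS_CHILDREN = {"msdt.exe", "cmd.exe", "powershell.exe"}

# Constructed JSON-lines sample. Field names follow Sysmon Event ID 1
# naming (ParentImage, Image, CommandLine); that naming is an assumption.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"RecordId": 1,
                "ParentImage": r"C:\Windows\explorer.exe",
                "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                "CommandLine": r'"WINWORD.EXE" /n "C:\Users\user\Downloads\invoice.docx"'}),
    json.dumps({"RecordId": 2,
                "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                "Image": r"C:\Windows\System32\msdt.exe",
                "CommandLine": r"msdt.exe -placeholder-arguments-"}),
    json.dumps({"RecordId": 3,
                "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                "Image": r"C:\Windows\System32\cmd.exe",
                "CommandLine": r"cmd.exe /c taskkill /f /im msdt.exe"}),
    json.dumps({"RecordId": 4,
                "ParentImage": r"C:\Windows\explorer.exe",
                "Image": r"C:\Windows\System32\msdt.exe",
                "CommandLine": r"msdt.exe -id AudioPlaybackDiagnostic"}),
])


def _name(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def classify(event: dict) -> list[str]:
    """Return the list of reasons an event looks like the Follina chain
    (empty list means benign)."""
    reasons = []
    parent, child = _name(event["ParentImage"]), _name(event["Image"])
    # Rule 1: an Office application spawning msdt.exe or a shell.
    if parent in OFFICE_APPS and child in SUSPICIOUS_CHILDREN:
        reasons.append(f"{parent} spawned {child}")
    # Rule 2: something terminating msdt.exe (assumed form of the
    # "shut down msdt" step described in the post).
    cmd = event.get("CommandLine", "").lower()
    if "taskkill" in cmd and "msdt" in cmd:
        reasons.append("command terminates msdt.exe")
    return reasons


def scan(jsonl: str) -> list[tuple[int, list[str]]]:
    """Scan JSON-lines process-creation events; return (RecordId, reasons)
    for every event that matches at least one rule."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            hits.append((event["RecordId"], reasons))
    return hits


if __name__ == "__main__":
    for record_id, reasons in scan(SAMPLE_EVENTS):
        print(f"record {record_id}: {'; '.join(reasons)}")
```

Record 4 (msdt.exe started by Explorer) is deliberately left unflagged: msdt.exe is a legitimate tool, and it is the Office parent, not the tool itself, that makes the lineage suspicious.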
What is RCE? RCE stands for remote code execution. It basically means
that an attacker can create a file or program, which I will refer to for the
rest of this note as a payload. The payload is then transferred to
someone else’s computer by any number of means: email, USB stick,
download, etc. Once the payload is on the target system, it still needs to
be executed for the RCE to take effect. RCE can be a lot of things: once the
payload is executed it could create a shell that gives the attacker access to
your machine, it could run ransomware, it could add your machine to a botnet
(a future DR note), or it could install a bitcoin miner. Suffice it to say a
lot can happen to your machine if it is run.
Do we need to worry about Follina? Yes and no. At the time of writing,
Microsoft is saying that it will be detected by Defender (Microsoft’s
anti-virus) and labeled as “Mesdetty” and “Mesdetty Launch”. Now
let me explain why you should and shouldn’t worry about this. Like all
modern cyber threats, you should be concerned enough to keep an eye out for it,
but as of right now it doesn’t seem to be much of a threat because it hasn’t
been used against anyone. That is not to say it won’t be used in the future,
but at the time of writing it was pointed out that no one has yet been
a victim of this attack.
If you want to know more about Follina or CVE-2022-30190, check out my sources
at the bottom of the email. Also if you have any questions or if you have
any topics you’d like me to discuss on a future DR note, please email me and
let me know. I hope everyone has a great week and Be Awesome!