We would like to bring your attention to the following 0-day exploit we have recently become aware of.
Follina – A zero-day Microsoft Office code execution vulnerability that bypasses Microsoft Defender for Endpoint. This vulnerability has been seen to be actively exploited in the wild.
Update: Official Patches have been released
Additional mitigation advice has been released by Microsoft. An official patch has now been released and is available in the June 2022 cumulative Windows updates. Alternatively, stand alone versions are accessible from the following URL:
This exploit uses the Microsoft Word remote template feature to retrieve a HTML file from a remote webserver. The powershell script that is executed utilises ‘msdt.exe’ (Microsoft’s Diagnostic Troubleshooting Wizard – a support tool to aid in troubleshooting), which is executed even if macros are disabled. If the document is saved in RTF format the code will run without even opening the file via the explorer preview tab.
(There is the potential that later versions are affected, more work is needed before all affected versions are identified.)
A Defender for Endpoint query has been written for companies that have the relevant Microsoft package (E5).
DeviceProcessEvents| where ProcessCommandLine contains “msdt.exe”| where InitiatingProcessFileName has_any (@”WINWORD.EXE”, @”EXCEL.EXE”, @”OUTLOOK.EXE”)
At this time there are no specific official patches available, CovertSwarm would advise increased vigilance to be taken in all attached word files into the company.
Exploiting CVE-2023-5044 and CVE-2023-5043 to overtake a Kubernetes Cluster
Delve into the Golden Ticket Attack in Active Directory: a key APT method. Discover its workings, countermeasures, and detection to protect your network.
Uncloaking Radio Frequency Identification (RFID)
Demystify RFID with insights on components, tag types, modulation, and use cases. A concise guide to the intricate world of RFID.
A journey into Badge Life
Explore CovertSwarm’s Badge Life journey from Defcon 30 chaos to Defcon 31 triumphs. Join the hardware hacking adventure in this article!