Hackers are exploiting the Follina 0-day like crazy – What can you do?

In today's blog, Xact IT Solutions talks about Follina, the Microsoft Office vulnerability that is currently making it very easy for attackers to reach people. Read on to find out what it is and what you can start doing to protect yourself.

Follina, what is it? It's a vulnerability in Microsoft Office that affects Windows systems. If you're running Office on a Mac, this doesn't pertain to you, but that doesn't mean everybody should run out and buy Macs either. This is simply the vulnerability du jour, and Microsoft has yet to patch it.

In a nutshell, attackers have figured out how to put code into a Microsoft Office attachment that then gives them full control of your system. For example, you receive an email, or click on a link, that leads to an Office document; that could be an Excel or PowerPoint file, but most of the ones seen so far are coming in through Word. In a lot of cases the file just needs to be opened.

Think about how most people use Microsoft Office: many have the preview pane turned on, so they see the email right away and, depending on their settings, attachments are either previewed automatically or previewed as soon as they click on them. This exploit can execute at that point. It does not trigger a macro warning or any other prompt; none of those safeguards come into play with this particular exploit.

The same goes for the preview pane in Windows, not just the one in Outlook. People browse around in File Explorer, click on and highlight a file, and the contents of that file show up on the right-hand side, or wherever the preview pane sits on their computer. If that preview loads, you will be victimized by this exploit. That's how serious it is.

Microsoft is still working out how to address and fix this, and we're now going into a week of this being known. Without going into too much technical detail, what is known is that attackers can get pretty much full control of your system from a remote location. This is called a remote attack: they don't have to be in front of your computer or remote into it.

Unfortunately, this can be exploited through remote execution, which makes it easier for attackers to take control of the system without you knowing what's happening. That should be scary, first of all because, for most people, it's so easy to pull off and so hard to detect that it's occurring. But what they can do once they have control of your system through this exploit is even more alarming.

They can steal your passwords, or the password hashes Windows uses to authenticate you to your network. Once they have those, they can do a lot with them: they can move to other devices on your network, especially in a business environment. They are also using this to gain further access to systems, deploying more malware and other tools that they then use to exploit people and companies.

This is only the beginning, folks. Many will see a lot of ransomware and, more importantly, business email compromises happening as a result of this. The first thing these cyber criminals are going to do is try to get into other people's email, then use those accounts to send emails to your contacts and the people who trust you, hoping they click. They're not trying to deploy ransomware right now.

They're trying to spread this as quickly and as widely as they can before Microsoft can get ahead of it. Once they have a foothold in a good enough number of organizations, you're going to see a rapid wave of ransomware hitting different companies in the coming weeks and months, depending on how this plays out. So what can be done today to get rid of this problem, or at least mitigate it?

Unfortunately, there's not a lot out there that can prevent this. There are things you can turn off under Microsoft's recommendation, and I'll post a link to that in the description below, but these are not tested. In my analysis of what they're recommending, it's going to really hamper what businesses can do, and it's going to slow them down.

It's going to mean they cannot open certain documents, or that a third-party application integrating with Word or Outlook stops working. Changes and requests like the ones Microsoft is making sometimes break things, and if they break things, businesses can't get things done. It's been reported that some of the changes Microsoft has advised people to consider implementing have actually bricked systems.

That is, they've made the Windows operating system not boot back up. Right now, it's not a good idea to start making these changes unless you have a fully implemented testing process and procedure, where you can test them on systems in your environment and make sure they don't have adverse effects on your business applications and systems in general. That's roughly where things stand with the fix. There's not a whole lot you can do.

Now, at Xact IT Solutions Inc., we have gone ahead and disabled specific things that we know these attackers use once they get into a system, or once a user clicks on that attachment. There are certain things we know they're doing, and certain things we can put in place against them. If you'd like to know more about what the company does, you can certainly reach out.

Xact IT Solutions Inc. also doesn't allow certain things to happen on the systems, not in the way Microsoft recommends, but based on the tools we know attackers try to use once they get in. We disable access to those tools, or the ability for them to run on the system, which keeps attackers from achieving the full control they're after once they exploit this through the Office attachment, or however else they get onto your system. Now, a couple of things worth mentioning here.

If you download an attachment containing this kind of code-execution payload, the good news is that Microsoft does a good job of blocking things downloaded from the internet. Always be careful about what you download from the internet. Luckily, you can't just click on a Word document on a server somewhere and get exploited; Microsoft will typically block those files from running when they came from the internet and show a message where you must explicitly allow them.

If you are in this window, where the bug is being actively exploited and there is no patch, you want to be extra careful. For instance, only download things from trusted places. Don't go around the internet thinking, "Well, I searched this and it's this company. I know them and I trust them, so I'm going to say this is okay to run on my system, or download it and open it on my system."

You might want to hold off on that kind of behavior until Microsoft fixes this. The other thing is to scrutinize what you get even from trusted sources. Emails have been seen that look like encrypted messages but are totally spoofed and fake; the user thinks, "Oh, I got an encrypted email from so-and-so who I always do business with, so I'm going to click on it." No, you don't want to do that.

Make sure you're expecting it. Ensure it's part of the normal course of business or a transaction you're completing with them. Whether your reaction is "Hey, why am I getting this right now?" or "Okay, this makes complete and total sense," pick up the phone, call the person, and ask them if they sent the email.

If they didn't, it's more than likely their email was compromised and attackers are using it to send these attachments and links to exploit you and everyone in their contact database. Another thing you can do to protect yourself is to turn off preview mode in Outlook and turn off preview mode in File Explorer. These steps are some ways you can take action to ensure this exploit doesn't run on your system. And with that, that's the update.
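As an added example that is not part of the original post: a PowerShell script that checks downloaded Office documents for the Mark-of-the-Web zone stream Windows uses to flag internet downloads (the mechanism behind the "block things from the internet" behavior above), and turns off the File Explorer preview handlers mentioned above. It assumes it runs in the user's own session; the Outlook attachment-preview setting is left to Outlook's own Trust Center options.

```powershell
# Added example, not from the original post or from Microsoft's guidance.
# Assumes the user's own session and an NTFS volume (the Zone.Identifier
# alternate data stream only exists on NTFS).

# 1. Audit: list Office documents in Downloads and whether they carry the
#    Zone.Identifier stream. ZoneId=3 means "Internet", which is what makes
#    Office open the file in Protected View instead of rendering it outright.
$docs = Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Recurse -File `
    -Include *.doc,*.docx,*.docm,*.xls,*.xlsx,*.xlsm,*.ppt,*.pptx
foreach ($f in $docs) {
    $zone = Get-Content -Path $f.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($null -eq $zone) {
        # No Mark-of-the-Web: Office will treat the file as local and trusted.
        Write-Warning "$($f.FullName): NO Mark-of-the-Web (will not open in Protected View)"
    } else {
        $id = ($zone | Where-Object { $_ -match '^ZoneId=' }) -replace 'ZoneId=', ''
        Write-Output "$($f.FullName): ZoneId=$id"
    }
}

# 2. Mitigation: stop File Explorer from rendering file contents in the preview pane.
#    ShowPreviewHandlers=0 is the "Show preview handlers in preview pane" checkbox
#    in Folder Options; restart Explorer (or sign out and back in) for it to apply.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $key -Name ShowPreviewHandlers -Value 0 -Type DWord
Write-Output "Explorer preview handlers disabled (ShowPreviewHandlers=0)."
```

A document flagged with a warning in step 1 has already had its Mark-of-the-Web removed (for example with Unblock-File), so it deserves the same scrutiny as an attachment before it is opened.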

If you have any questions, please contact us at www.xitx.com.