Highlight of the Month: CVE-2022-30190 Zero-Day Vulnerability “Follina”
Bitdefender has been keeping a close eye on recent vulnerabilities disclosed in the last week of May 2022 involving CVE-2022-30190, which threatens remote code execution (RCE) via the Microsoft Support Diagnostic Tool (MSDT).
This RCE exploit, widely known as “Follina”, can let an attacker run code with system privileges, often through the abuse of legitimate, benign Windows applications. The vulnerability is rated “Critical” under the CVSS (Common Vulnerability Scoring System) because these system tools exist on all versions of Windows, execution can bypass certain safeguards, and exploits are publicly available.
Microsoft and CISA (Cybersecurity and Infrastructure Security Agency) have released advisories on mitigation and workarounds. Bitdefender MDR continues to conduct threat hunts across the customer base in the days following the vulnerability disclosure.
Managed Detection & Response (MDR) Insights
Researchers spotted limited use of the “Follina” exploit in South Asia during March 2022, with initial attribution to a Chinese-nexus threat actor; however, the vulnerability has been known since 2021, after several researchers made responsible disclosures to Microsoft.
According to most reporting, samples associated with Saudi Arabian, Russian, and Belarusian attacks were also seen on publicly accessible sources such as VirusTotal. Because the attack itself is low in complexity and exploits and proofs-of-concept are readily available, Bitdefender MDR assesses that this exploit will be adopted more widely by criminal and nation-state actors, with social engineering attacks such as phishing as the most likely vector.
There are no official patches available as of the first week of June 2022; the recommendation is to disable MSDT until the vulnerability is patched. Adversaries will likely take advantage of a potential gap in the defenses of most organizations, so Bitdefender MDR expects to see an increase in attack attempts that leverage this or a combination of related exploits.
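The threat hunting described above can be reduced to a simple rule over process-creation telemetry: msdt.exe being launched by a document-handling application, or with the ms-msdt: protocol handler on its command line (the handler that Microsoft's published workaround unregisters by removing the HKCR\ms-msdt key). The following is an added example, not Bitdefender's code or the tooling behind this report; the set of parent applications, the event field names, and the sample events are all assumptions constructed for the example.

```python
import sys
from pathlib import PureWindowsPath

# Assumption: document-handling applications treated as suspicious parents of
# msdt.exe; extend the set to match the software in your environment.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# "ms-msdt:" is the protocol handler that Microsoft's workaround unregisters
# (HKCR\ms-msdt); its presence on a command line is the strongest single
# indicator in this rule.
MSDT_SCHEME = "ms-msdt:"

# Constructed process-creation records (not real telemetry), in the shape a
# parsed Sysmon Event ID 1 or EDR process event would provide.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\msdt.exe",
     "cmdline": 'msdt.exe "ms-msdt:/id CONSTRUCTED_PACK"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msdt.exe",
     "cmdline": "msdt.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\msdt.exe",
     "cmdline": 'msdt.exe "ms-msdt:/id CONSTRUCTED_PACK"'},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "cmdline": "splwow64.exe 12288"},
]


def basename(path):
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return PureWindowsPath(path.replace("/", "\\")).name.lower()


def classify(event):
    """Return the reasons this process-creation event looks like MSDT abuse.

    An empty list means the event is not flagged. A user opening a
    troubleshooter from Explorer (parent explorer.exe, no ms-msdt: URI) is
    left alone; an Office parent or an ms-msdt: URI each add a reason.
    """
    reasons = []
    if basename(event["image"]) != "msdt.exe":
        return reasons
    if basename(event["parent"]) in DOCUMENT_APPS:
        reasons.append("office-parent")
    if MSDT_SCHEME in event["cmdline"].lower():
        reasons.append("ms-msdt-uri")
    return reasons


def hunt(events):
    """Run classify() over a batch; return (index, reasons) for each hit."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]


def msdt_protocol_handler_registered():
    """True/False on Windows depending on whether HKCR\\ms-msdt still exists
    (the key the Microsoft workaround removes); None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module, imported lazily
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, "ms-msdt"):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for index, reasons in hunt(SAMPLE_EVENTS):
        event = SAMPLE_EVENTS[index]
        print(f"event {index}: {basename(event['parent'])} -> "
              f"{event['cmdline']} [{', '.join(reasons)}]")
    print("ms-msdt handler registered:", msdt_protocol_handler_registered())
```

Run on the constructed batch, events 0 and 2 are flagged (the Office-spawned one with both reasons) while the Explorer-launched troubleshooter and the unrelated Office child process are not; on a Windows host the last line also reports whether the workaround has been applied.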
Spear phishing attacks are often used as an initial attack vector and ransomware infection is often the final stage of the kill chain. For this report, we analyzed malware detections collected in May 2022 from our static anti-malware engines. Note: we only count total cases, not how monetarily significant the impact of infection is.
Opportunistic adversaries and some Ransomware-as-a-Service (RaaS) groups account for a larger share of detections than groups that are more selective about their targets, since they prefer volume over higher-value victims.
When looking at this data, remember these are ransomware detections, not infections.
Top 10 Ransomware Families
We analyzed malware detections from May 1 to May 31. In total, we identified 207 ransomware families. The number of detected ransomware families can vary each month, depending on the current ransomware campaigns in different countries.
Top 10 Countries
In total, we detected ransomware from 151 countries in our dataset this month. Ransomware continues to be a threat that touches almost the entire world. Below is a list of the top 10 countries most impacted by ransomware. Many ransomware attacks continue to be opportunistic, and population size is correlated with the number of detections.
Top 10 Industries
For our dataset, we have been able to assign 10% of detections to specific industries. Telecommunications services rank particularly high because detections from their customers are counted under that industry.
Below are the top 10 trojans targeting Android we have seen in our telemetry during May 2022.
Downloader.DN – Repacked applications taken from Google App Store and bundled with aggressive adware. Some adware downloads other malware variants.
Triada.LC – Malware that gathers sensitive information about a device (Device IDs, Subscriber IDs, MAC addresses) and sends them to a malicious C&C server. The C&C server responds by sending back a link to a payload which the malware downloads and executes.
Banker.XJ, YM – Applications that drop and install encrypted modules. This trojan grants itself device admin privileges and gains access to manage phone calls and text messages. After deploying, it maintains a connection with the C&C server to receive commands and upload sensitive information.
SpyAgent.DW - Applications that exfiltrate sensitive data like SMS messages, call logs, contacts, or GPS location.
HiddenApp.AID - Aggressive adware that impersonates AdBlock applications. When running for the first time, it asks permission to display on top of other apps. With this permission, the application can hide from the launcher.
Banker.ZF – Applications that disguise themselves as banking apps and can imitate conversation with customer support. When the malware runs for the first time, it asks for permissions to access contacts, microphone, geolocation, and camera. Once the permissions are granted, the malware can receive commands from the C&C server to exfiltrate sensitive data from the phone.
SMSSend.AXW, AYE – Malware that tries to register as the default SMS application on the first run by requesting the user's consent. If successful, it collects the user's incoming and outgoing messages and forwards them to a Command & Control (C&C) server.
Marcher.AS – Applications that disguise themselves as Play Store applications. The malware asks for accessibility permissions to capture keystrokes and uses the VNC screen recording function to log the user’s activity on the phone.
Homograph Phishing Report
Homograph attacks abuse internationalized domain names (IDN). Threat actors register internationalized domain names that visually spoof a target domain name. When we talk about the “target” of an IDN homograph phishing attack, we refer to the domain that threat actors are trying to impersonate. You can read more about this type of attack in one of our previous reports.
Below is the list of the top 10 spoofed domains used for phishing campaigns.
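As an added example of how such spoofed domains can be recognized (not code from this report or from Bitdefender), the following detector decodes the wire form of an IDN, checks each label for mixed scripts, and reduces lookalike characters to the Latin letters they imitate before comparing with a list of protected targets. The confusables mapping is a small constructed subset of the Unicode confusables table, and the target list and sample domains are assumptions made for the example.

```python
import unicodedata

# Constructed subset of the Unicode confusables table: lookalike character ->
# the Latin character it visually imitates. Load the full confusables.txt in
# production use.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0443": "y",  # Cyrillic small u
    "\u0445": "x",  # Cyrillic small ha
    "\u0456": "i",  # Cyrillic small Byelorussian-Ukrainian i
    "\u03b1": "a",  # Greek small alpha
    "\u03bf": "o",  # Greek small omicron
    "\u0131": "i",  # Latin dotless i
    "\u2010": "-",  # Unicode hyphen, not HYPHEN-MINUS
}

# Assumption: the domains being protected (the "targets" in the report's terms).
TARGETS = ["apple.com", "paypal.com", "microsoft.com", "bitdefender.com"]


def decode_idn(domain):
    """Turn a wire-form domain (xn-- labels) into Unicode.

    Unicode input is returned unchanged; None signals an invalid IDNA string
    (the codec re-encodes each decoded label and rejects mismatches).
    """
    try:
        if domain.isascii():
            return domain.encode("ascii").decode("idna")
        return domain
    except UnicodeError:
        return None


def scripts(label):
    """Set of scripts used by the letters in one label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(label):
    """Normalize and replace known lookalikes so spoof and target compare equal."""
    normalized = unicodedata.normalize("NFKC", label)
    return "".join(CONFUSABLES.get(ch, ch) for ch in normalized).lower()


def analyze(domain, targets=TARGETS):
    """Describe a domain: decoded form, scripts, mixed-script labels and the
    target it impersonates (None when it is not a homograph of any target)."""
    decoded = decode_idn(domain)
    if decoded is None:
        return {"domain": domain, "decoded": None, "mixed_script": False,
                "scripts": [], "impersonates": None, "reason": "invalid-idna"}
    labels = decoded.split(".")
    used = set()
    for label in labels:
        used |= scripts(label)
    mixed = any(len(scripts(label)) > 1 for label in labels)
    skel = ".".join(skeleton(label) for label in labels)
    impersonates = None
    for target in targets:
        # Equal after confusable folding, but not literally the target itself.
        if skel == target.lower() and decoded.lower() != target.lower():
            impersonates = target
            break
    return {"domain": domain, "decoded": decoded, "mixed_script": mixed,
            "scripts": sorted(used), "impersonates": impersonates,
            "reason": "confusable-match" if impersonates else None}


# Constructed samples: a Cyrillic-a spoof of apple.com, a legitimate German
# IDN, and the genuine target.
SAMPLE_DOMAINS = ["xn--pple-43d.com", "xn--mnchen-3ya.de", "apple.com"]

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        r = analyze(d)
        print(f"{d:22} -> {r['decoded']!s:14} scripts={r['scripts']} "
              f"mixed={r['mixed_script']} impersonates={r['impersonates']}")
```

The mixed-script flag alone is a weak signal (a legitimate IDN such as the German example uses a single script and is not flagged), so the example only reports a spoof when the folded skeleton equals a protected target; that is the check worth wiring into mail or proxy log review.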
About Bitdefender Threat Debrief
The Bitdefender Threat Debrief (BDTD) is a monthly series analyzing threat news, trends, and research from the previous month. To not miss the next BDTD release, subscribe to the Business Insights blog and follow us on Twitter. You can find all previous debriefs here.
Bitdefender provides cybersecurity solutions and advanced threat protection to hundreds of millions of endpoints worldwide. More than 150 technology brands have licensed and added Bitdefender technology to their product or service offerings.
This vast OEM ecosystem complements telemetry data already collected from our business and consumer solutions. To give you some idea of the scale, Bitdefender Labs discovers 400+ new threats each minute and validates 30 billion threat queries daily. This gives us one of the industry’s most extensive real-time views of the evolving threat landscape.
We would like to thank Bitdefenders Tyler Baker, Alin Damian, Mihai Leonte, Ioan Marculet, Andrei Mogage, Sean Nikkel, Nikki Salas, Ioan Stan, Marius Tivadar, and Horia Zegheru (sorted alphabetically) for their help with putting this report together.