How Red Canary gets out in front of vulnerabilities like Follina

For many Americans, Memorial Day is considered the unofficial kickoff of summer. But for scores of people gearing up for outdoor barbecues and parades, a new vulnerability lurked in the shadows ahead of the long weekend—Follina.

Not to be confused with the Italian town it’s named after, this remote code execution (RCE) vulnerability gained notoriety over the 2022 holiday weekend following a discovery by independent security research team, nao_sec. By exploiting the Follina vulnerability, adversaries could gain access to users’ systems and view or delete data, install programs, and create accounts. Further, Follina required little to no user interaction, allowing operators to compromise a victim who merely previewed or opened a Microsoft Office document weaponized to exploit this vulnerability.

By the close of Memorial Day, Microsoft issued CVE-2022-30190. A patch would arrive two weeks later in June. But while Follina made big waves in the headlines, it was just another day at the office for Red Canary thanks to our behavior-based detections.

When things go bump in the night, we bring flashlights

Your cybersecurity program is like a house. And no matter how hard you try to protect it from burglars, they’re constantly looking for new ways to break in. In the case of Follina, think of the bad guys like delivery drivers dropping off a package. Whether you open the front door to accept it or merely peer out the peephole to see who’s there, those delivery drivers can now occupy your attic, take a seat at your dining room table, or rummage through your office filing cabinet. But what if you knew ahead of time to cover that peephole and not to answer the door for those same dubious delivery drivers? Better yet, what if your house was already fortified against these types of break-ins?

At Red Canary, we keep our eyes on vulnerabilities and threats, so we can act quickly on your behalf, identifying the presence of bad guys much like a home security system would. In order to maintain a timely and holistic picture of the evolving threat landscape, we closely monitor both open and closed source reporting, such as looking at publicly available data, examining research from in-house teams, and reviewing unique insights from customers. Using the intelligence collected, we then augment our detection capabilities and provide customers with timely and actionable assessments.

Now that you know how we gather intelligence, let’s talk about what we do with this information.

This just in: a new vulnerability was discovered

As we review information on vulnerabilities of concern, internal teams triage this reporting to determine the potential impact for customers, affiliation with known threats, and the information we need to provide customers with proper context and actionable insights. A vulnerability represents an opportunity for an adversary to do harm—think of it like an unlocked door. Our team has to determine if it’s likely that adversaries will come through that unlocked door. During the investigation, a working group will look at the technical details of the vulnerability, assess the prevalence of exploitation within customer environments, and conduct open and closed source research. They’ll also evaluate any proof of concept (POC) code if it becomes available and use that analysis to boost our detection coverage.

The investigation wraps with an assessment to determine the severity or urgency of the vulnerability at hand. Not all vulnerabilities have the same severity, and sometimes the security community panics about vulnerabilities we don’t observe being exploited. In some cases, we’ll publish a customer-facing Intelligence Insight report based on pervasiveness and potential for adverse impact to help our customers understand why a vulnerability is important (or not) and provide valuable knowledge or otherwise help quell fear, uncertainty, and doubt. Down the road, if we have any substantive updates, like if a patch gets issued, we’ll revisit the Intelligence Insight, ensuring our customers always have access to the latest information.

Foolish Follina, we already had coverage

By now, you know how our team gathers intelligence and how we investigate new vulnerabilities. So let’s put it all together by walking through the real-life example of Follina.

As a reminder, the news of Follina broke on the Friday before a long holiday weekend. While others were packing up and taking off early, our detection engineers caught wind of the vulnerability in the news and quickly confirmed that we could already detect behaviors associated with the exploitation of Follina. This is the benefit of our behavioral-based detection approach: even if the vulnerability changes, adversaries often use the same behaviors during and after exploitation, so we still catch them. By the time our customers were back in the office on Tuesday morning, our detection engineers were already working on additional detection coverage.

In addition to improving our detection coverage, we also published an Intelligence Insight to help customers make sense of this vulnerability. Besides Follina making headlines—one of the top criteria we consider—our Incident Handling team had additional recommendations not called out in other resources. They discovered during the investigation that even slight changes to Microsoft’s recommended implementation could increase the attack surface of the vulnerability. As a result, they wanted to ensure customers had the most accurate and complete picture of available mitigations.

A few weeks later, Microsoft released a patch in their June 2022 release. We went back and updated our insight accordingly, giving customers the information they needed to best protect their environments against the Follina flaw.

Detecting bad behavior—it’s just what we do

Whether it’s Follina or some other vulnerability dominating the security news cycle, Red Canary has your back when it comes to “breaking news” vulnerabilities. Even before a workaround or patch is released, our detection logic is hard at work, catching suspicious behaviors early on in the lifecycle of an adversary, giving you the peace of mind you need when the next big thing bursts onto the scene.