It's important that organizations deploy last week's "Patch Tuesday" patches as soon as possible. These patches address several critical, high, and important severity vulnerabilities, and, more importantly, six vulnerabilities that are known to be under active exploitation by threat actors "in the wild".
This advisory specifically applies to the following:
Remote Code Execution, Elevation of Privilege, and Security Feature Bypass vulnerabilities.
Weaponization and exploitation are being reported, and widespread exploitation against unpatched servers and devices is expected to continue.
Microsoft Exchange Server Elevation of Privilege Vulnerability (aka ProxyNotShell)
CVE-2022-41040, CVE-2022-41082
Windows Scripting Languages Remote Code Execution Vulnerability
CVE-2022-41128
Windows CNG Key Isolation Service Elevation of Privilege Vulnerability
CVE-2022-41125
Windows Print Spooler Elevation of Privilege Vulnerability
CVE-2022-41073
Windows Mark of the Web (MotW) Security Feature Bypass Vulnerability
CVE-2022-41091
Microsoft's Patch Tuesday updates address 12 vulnerabilities rated by Microsoft as critical, two vulnerabilities rated by Microsoft as high severity, and 55 vulnerabilities rated by Microsoft as important. Six of the patched vulnerabilities are previously disclosed zero-day vulnerabilities that are known to be under active exploitation in the wild. These include the following vulnerabilities that the Ingalls SOC recommends patching ASAP:
The ProxyNotShell vulnerabilities (CVE-2022-41040, CVE-2022-41082) comprise an Elevation of Privilege vulnerability and a Remote Code Execution vulnerability that together allow an authenticated attacker to achieve remote code execution via PowerShell.
Please Note: Microsoft Exchange is not patched by the Windows Update process. In order to update/patch Exchange Servers, please consult the Microsoft Exchange blog.
CVE-2022-41128 is an RCE vulnerability in the JScript9 scripting language engine that allows a threat actor to execute arbitrary code with the user's level of privileges if the user visits a specially crafted website or server share.
CVE-2022-41125 is an Elevation of Privilege vulnerability in the Windows CNG Key Isolation Service that allows attackers to gain SYSTEM privileges. This vulnerability can be used to disable security or antivirus tools, execute credential harvesting software such as Mimikatz, and enable attackers to move laterally.
CVE-2022-41073 is a Windows Print Spooler Elevation of Privilege vulnerability that could enable an attacker to gain SYSTEM privileges. Most versions of Windows and Windows Server are affected by this actively exploited issue, and, like CVE-2022-41125, it can be used to disable security or antivirus tools, execute credential harvesting software such as Mimikatz, and enable attackers to move laterally.
CVE-2022-41091 is a Mark of the Web (MotW) Security Feature Bypass vulnerability. Microsoft warns that an attacker could host a malicious website, send a maliciously crafted email or instant message, or add malicious content to a compromised website that hosts user-provided content. A malicious ZIP file has been shown to be able to trigger this bypass.
The impact of these vulnerabilities has already been observed “in the wild” by security researchers and Microsoft. Once a targeted system is compromised through one of these vulnerabilities, there is a high risk of an organization's infrastructure backups being corrupted and/or ransomed, as well as a risk of lateral movement by the threat actor.
Update all Microsoft Exchange servers ASAP. Updates for the Exchange CVEs can be found here: CVE-2022-41040 and CVE-2022-41082.
Update any additional Microsoft products to their latest versions. Updates for the other four zero-days can be found here: CVE-2022-41128, CVE-2022-41125, CVE-2022-41073, and CVE-2022-41091.
The Ingalls CTI team is actively hunting for the known indicators of compromise associated with the CVEs listed above and will continue to closely monitor and develop additional detections as they become available. Please notify your assigned Primary Analyst if you suspect that your organization may be breached or if you require additional threat hunting and analysis.
Implement the above mitigation actions on every Microsoft Exchange Server in your environment. Promptly install updates from Microsoft to all devices in your environment to ensure patching is completed.
Ingalls is dedicated to protecting your network and your information by providing defense-in-depth security through your Managed Detection & Response (MDR) service. As an added layer of defense, Ingalls now offers monitoring and support by a team of live Security Analysts in our Security Operations Center (SOC) 24 hours a day, every day of the year. ‘Round the clock MDR provides extended coverage with continuous analysis, response and escalation so you can have the peace of mind that comes from knowing your network is being monitored in real-time even if your business hours have stopped. Please contact dennis.zanoni@iinfosec.com for more information.