Tuesday, February 7, 2023

Microsoft fixes exploited zero-day, revokes certificate used to sign malicious drivers (CVE-2022-44698)

It’s December 2022 Patch Tuesday and Microsoft has provided fixes for more than 50 vulnerabilities, including a Windows SmartScreen bypass flaw (CVE-2022-44698) that is being exploited by attackers to deliver a variety of malware.


CVE-2022-44698 affects all Windows OS versions starting with Windows 7 and Windows Server 2008 R2.

“The vulnerability has a low complexity. It uses the network vector and does not require any privilege escalation. However, it does need user interaction; attackers must trick a victim into visiting a malicious website through phishing emails or other forms of social engineering to bypass the security feature,” Mike Walters, VP of Vulnerability and Threat Research at Action1, told Help Net Security.

“A threat actor could create a malicious file that would bypass Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features that rely on MOTW tagging – for example, ‘Protected View’ in Microsoft Office. This zero-day has a moderate CVSS risk score of 5.4, as it only helps avoid the Microsoft Defender SmartScreen defense mechanism, which has no RCE or DoS functionality.”

Other fixed vulnerabilities of interest

CVE-2022-41076 is a PowerShell RCE that can be triggered by attackers who do not have elevated privileges but need to take additional actions to prepare the target environment prior to exploitation.

“An authenticated attacker can escape the PowerShell Remoting Session Configuration and run unapproved commands on the target system,” Microsoft explains. Since this scripting tool is often abused by attackers, everyone should prioritize this patch.

Trend Micro’s Dustin Childs also mentioned CVE-2022-44713, a spoofing vulnerability affecting Microsoft Outlook for Mac, as potentially very dangerous and ideal for phishers.


“This vulnerability allows an attacker to appear as a trusted user when they should not. Now combine this with the SmartScreen Mark of the Web bypass and it’s not hard to imagine a scenario where you receive an email that appears to come from your boss with an attachment titled “Executive_Compensation.xlsx.” There aren’t many who wouldn’t open that file in that scenario,” he noted.

SharePoint admins need to fix two RCEs (CVE-2022-44690 and CVE-2022-44693) which thankfully require special permissions and pre-exploit authentication.

Maliciously used drivers signed by Microsoft

In late October, Microsoft was alerted that drivers certified by Microsoft’s Windows Hardware Developer Program were being maliciously used in post-exploitation activities associated with Cuba ransomware attacks.

“In these attacks, the attacker had already obtained administrative privileges on compromised systems before using the drivers,” Microsoft noted.

Microsoft’s investigation into the matter revealed that several developer accounts for the Microsoft Partner Center had submitted malicious drivers in an attempt to get Microsoft to sign them, so that the drivers could be used to terminate EDR agents on targeted endpoints.

“We have suspended the merchant accounts of the partners and implemented block detections to protect customers from this threat,” the company said.

“Microsoft has released Windows security updates that revoke the certificate for affected files and suspend the partners’ merchant accounts. In addition, Microsoft has implemented block detections (Microsoft Defender 1.377.987.0 and newer) to help protect customers from legitimately signed drivers that have been used maliciously in post-exploit activities.”

Users and administrators are advised to install the latest Windows updates and ensure that their antivirus and endpoint detection products are up to date and enabled.
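As an added example (not code from the article, Microsoft, or any vendor it cites), a PowerShell triage script that checks the Defender security-intelligence version against the 1.377.987.0 build named above and reports the Authenticode signer and status of every running kernel driver; it assumes a supported Windows host with the Defender module (Get-MpComputerStatus) available, and the function names are the author's own.

```powershell
# Added triage script; not from the article, Microsoft or the vendors cited.
# Assumes Windows 10/11 or Server with the Defender PowerShell module present.

# First security-intelligence build that the quoted advisory says carries the block detections.
$RequiredSigVersion = [version]'1.377.987.0'

function Test-DefenderSignatureVersion {
    $status  = Get-MpComputerStatus
    $current = [version]$status.AntivirusSignatureVersion
    [pscustomobject]@{
        Current  = $current
        Required = $RequiredSigVersion
        UpToDate = ($current -ge $RequiredSigVersion)
    }
}

function Get-RunningDriverSignatures {
    # The abused drivers were signed through Microsoft's hardware program, so a Microsoft
    # signer alone proves nothing. After the revocation update, a non-Valid status or a
    # driver loaded from outside the system drivers directory is what merits review.
    $driversDir = Join-Path $env:SystemRoot 'System32\drivers'
    Get-CimInstance Win32_SystemDriver -Filter "State='Running'" |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # Normalise the kernel-style path forms WMI can return (\??\ and \SystemRoot\)
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
            if (-not (Test-Path -LiteralPath $path)) { return }
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                Driver        = $_.Name
                Path          = $path
                Status        = $sig.Status
                Signer        = $sig.SignerCertificate.Subject
                OutsideDrvDir = -not $path.StartsWith($driversDir, 'OrdinalIgnoreCase')
            }
        }
}

Test-DefenderSignatureVersion | Format-List
Get-RunningDriverSignatures |
    Where-Object { $_.Status -ne 'Valid' -or $_.OutsideDrvDir } |
    Format-Table Driver, Status, Signer, Path -AutoSize
```

Run it in an elevated session; the driver list it prints is a starting point for review, not a verdict on any single file.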


After releasing these updates and the advisory, Mandiant, Sophos, and SentinelOne published their research on this particular attack route.

“Several different families of malware, associated with different threat actors, have been signed using this process,” said Mandiant researchers, noting that they “identified at least nine unique organization names associated with signed malware.”
