Windows zero-day being used in privilege escalation attacks, CISA warns

Immediate patching is needed for exploited vulnerability, it says

The US Cybersecurity and Infrastructure Security Agency (CISA) has updated its catalogue of Known Exploited Vulnerabilities (KEV) to include a vulnerability in the Windows Client/Server Runtime Subsystem (CSRSS) that is currently under active exploitation by attackers.

Microsoft fixed the high-severity bug, tracked as CVE-2022-22047, as part of this month's Patch Tuesday updates.

Because the vulnerability was exploited in attacks before a patch was made available, the company categorised it as a zero-day bug.

In its security advisory, Microsoft explained that "an attacker who successfully exploited this vulnerability could gain SYSTEM privileges."

It also noted that the Microsoft Security Response Center (MSRC) and the Microsoft Threat Intelligence Center (MSTIC) discovered the zero-day vulnerability.

The weakness has been assigned a CVSSv3 score of 7.8/10. Tenable said it is the kind of vulnerability most likely to be used by attackers after they have first gained a foothold in an organisation.

"This type of vulnerability is likely to have been used as part of post-compromise activity, once an attacker has gained access to their targeted system and run a specially crafted application," it said.

Kev Breen, director of cyber threat research at Immersive Labs, said the most important aspect of this flaw is that it gives the attacker the ability to escalate their permissions to SYSTEM level.

"With this level of access, the attackers are able to disable local services such as Endpoint Detection and Security tools. With SYSTEM access they can also deploy tools like Mimikatz which can be used to recover even more admin and domain level accounts, spreading the threat quickly," he added.

According to the Zero Day Initiative, a vulnerability like CVE-2022-22047 is often paired with a code execution weakness, generally delivered through a specially crafted Office or Adobe document, to take over a machine.

CISA has issued a directive to all agencies in the Federal Civilian Executive Branch (FCEB), mandating that they apply a fix for the newly reported vulnerability by August 2nd.

FCEB agencies are required to protect their systems against flaws added to the KEV Catalogue under a binding operational directive (BOD 22-01) that CISA released in November. The directive limits the risk posed by known exploited bugs across US government networks.

Although BOD 22-01 applies only to FCEB agencies, CISA strongly encourages all organisations to reduce their exposure to cyberattacks by prioritising the timely remediation of KEV Catalogue vulnerabilities as part of their vulnerability management practice.

"These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise," CISA noted.

CISA has added hundreds more security vulnerabilities to its list of flaws that have been exploited in attacks since BOD 22-01 was released, ordering federal agencies to patch their systems as quickly as possible to avoid breaches.
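The KEV Catalogue is published as a JSON feed with a due date per entry, so the remediation rule described above can be checked mechanically. The following is an added example, not code from the article, CISA or Microsoft: it reads a constructed sample in the feed's shape (the CVE and August 2nd due date come from the article; the dateAdded and the second, placeholder entry are assumed) and buckets entries by how close their BOD 22-01 deadline is.

```python
"""Triage CISA Known Exploited Vulnerabilities (KEV) entries by due date."""
import json
from datetime import date, timedelta

# Constructed sample in the shape of the real KEV JSON feed (field names match
# the catalogue). First entry: the CVE and August 2nd due date from the article;
# its dateAdded (July 2022 Patch Tuesday) is assumed. Second entry: a placeholder.
SAMPLE_KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2022-22047", "vendorProject": "Microsoft", "product": "Windows",
   "vulnerabilityName": "Microsoft Windows CSRSS Privilege Escalation Vulnerability",
   "dateAdded": "2022-07-12", "requiredAction": "Apply updates per vendor instructions.",
   "dueDate": "2022-08-02"},
  {"cveID": "CVE-0000-PLACEHOLDER", "vendorProject": "ExampleVendor", "product": "Example",
   "vulnerabilityName": "Constructed placeholder entry, not a real CVE",
   "dateAdded": "2022-09-01", "requiredAction": "Apply updates per vendor instructions.",
   "dueDate": "2022-09-22"}
]}"""


def load_kev(text):
    """Parse the feed text and return the list of vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def triage(entries, today, horizon_days=14, vendor=None):
    """Bucket CVE IDs as overdue, due within horizon_days, or later.

    `today` is a datetime.date or an ISO date string; `vendor` optionally
    restricts the result to one vendorProject value.
    """
    today = date.fromisoformat(today) if isinstance(today, str) else today
    horizon = today + timedelta(days=horizon_days)
    buckets = {"overdue": [], "due_soon": [], "later": []}
    for entry in entries:
        if vendor and entry["vendorProject"] != vendor:
            continue
        due = date.fromisoformat(entry["dueDate"])
        if due < today:
            buckets["overdue"].append(entry["cveID"])
        elif due <= horizon:
            buckets["due_soon"].append(entry["cveID"])
        else:
            buckets["later"].append(entry["cveID"])
    return buckets


if __name__ == "__main__":
    # Run against the sample as of a date shortly before the August 2nd deadline.
    for bucket, ids in triage(load_kev(SAMPLE_KEV_JSON), "2022-07-20").items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

Replacing SAMPLE_KEV_JSON with the downloaded feed and `vendor="Microsoft"` narrows the output to the Windows entries an endpoint team owns.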

In its monthly round of Patch Tuesday updates released this week, Microsoft addressed a total of 84 security flaws.

The update included patches for four vulnerabilities rated 'critical', though none of them are thought to have been actively exploited.