Microsoft has released patches for 145 vulnerabilities for their April 2022 Patch Tuesday. The unusually high volume of patches includes ten critical vulnerabilities and several flaws that may allow for remote code execution, including wormable (self-propagating) threats. Of these, CVE-2022-26809, which allows remote code execution on Microsoft remote procedure call (MSRPC) systems, is especially concerning and is likely to be exploited.
CVE-2022-26809 has a CVSS score of 9.8, and its potential to be leveraged by a fast-acting internet worm is alarming security experts. Because of this, the zero-day has the potential to become an entry point for ransomware, much as the EternalBlue exploit was leveraged by WannaCry. It's also worth noting that past flaws in MSRPC, such as those behind PetitPotam and ZeroLogon, are still being actively exploited by advanced threats to run malicious code and exfiltrate data.
Adding to the urgency of remediating the April Patch Tuesday vulnerabilities, it can be assumed that advanced threats, including nation-state-sponsored APTs, may have a head start on exploitation. Thirty-six of this month's 145 bugs were initially reported to Microsoft by Cyber Kunlun, a Chinese security company, and APTs may already be working on weaponizing PoC code. Some of the vulnerabilities released yesterday, such as CVE-2022-26904, already have an active PoC.
Patch Tuesday Remediation
Updating Vulnerable Devices
Organizations should update all Microsoft software to apply the latest patches. Because these vulnerabilities affect a large number of Microsoft Windows server and workstation versions, applying the updates is both critical and a complex undertaking for many organizations.
According to a recent ExtraHop-sponsored survey, 24% of organizations take up to a week to respond to critical vulnerabilities, and another 11% take a month or more, leaving an ample window of opportunity for targeted attacks. To ensure that all vulnerable systems can be quickly patched, it is essential to have an up-to-date, active inventory of all connected devices.
In addition, Microsoft customers are advised to block inbound traffic on TCP ports 445, 135, and 139 to prevent exploitation of exposed RPC services.
Monitor for Post-Compromise Activity
Even after all remediation steps are taken, including applying the latest patches, it is critical that all organizations continue to monitor their network for signs of compromise.
While it is recommended that organizations block inbound traffic on certain TCP ports at the firewall/perimeter, it is worth noting that this is not feasible inside the perimeter, which is where this exploit is likely to be most effective. This underscores the importance of behavior-based network monitoring to quickly detect and isolate any anomalous activity.
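As an added illustration of the kind of behavior-based monitoring described above (example code, not ExtraHop's product or Microsoft's guidance), the following script looks for the east-west signature of a self-propagating RPC/SMB exploit: a single internal host opening connections to an unusually large number of distinct internal peers on TCP 135, 139 or 445 within a short window. The flow records, the RFC 1918 definition of "internal", the 60-second window and the threshold of five peers are all assumptions chosen for the example; a real deployment would baseline them per host role.

```python
"""Detect worm-like lateral fan-out over RPC/SMB ports from flow records.

Added example, not code from the original article. A legitimate workstation
talks to a handful of servers (file server, domain controller) over and over;
a host spreading an RPC/SMB exploit contacts many *new* internal peers in a
short time. This script flags the latter pattern from simple flow records.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Deque, Dict, Iterable, List, Tuple

# Ports the article recommends blocking at the perimeter (RPC endpoint mapper,
# NetBIOS session service, SMB). Inside the perimeter they must stay open, so
# we watch them instead.
RPC_SMB_PORTS = {135, 139, 445}

# Assumption: RFC 1918 space is "internal". Adjust to the real address plan.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Flow:
    """One observed TCP connection attempt (constructed record format)."""
    ts: float    # seconds since epoch (or any monotonic clock)
    src: str     # initiating host
    dst: str     # destination host
    dport: int   # destination TCP port


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_fanout(flows: Iterable[Flow], window_s: float = 60.0,
                  threshold: int = 5) -> List[dict]:
    """Return one alert per source host whose distinct internal RPC/SMB
    peers within any sliding window of `window_s` seconds reaches `threshold`.

    The alert carries the timestamp at which the threshold was first crossed
    and the peer count at that moment, so an analyst can pivot on both.
    """
    recent: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
    alerted = set()
    alerts: List[dict] = []

    for f in sorted(flows, key=lambda x: x.ts):
        # Only east-west traffic to the ports of interest counts as lateral movement.
        if f.dport not in RPC_SMB_PORTS:
            continue
        if not (is_internal(f.src) and is_internal(f.dst)):
            continue

        q = recent[f.src]
        q.append((f.ts, f.dst))
        # Slide the window: drop observations older than window_s.
        while q and f.ts - q[0][0] > window_s:
            q.popleft()

        peers = {dst for _, dst in q}
        if len(peers) >= threshold and f.src not in alerted:
            alerted.add(f.src)
            alerts.append({
                "src": f.src,
                "ts": f.ts,
                "distinct_peers": len(peers),
                "sample_peers": sorted(peers),
            })
    return alerts


def sample_flows() -> List[Flow]:
    """Constructed sample traffic: one normal client and one sweeping host."""
    flows: List[Flow] = []
    # Normal client: repeated SMB to a file server and RPC to a domain controller.
    for i in range(20):
        flows.append(Flow(1000.0 + i * 5, "10.0.2.15", "10.0.1.5", 445))
        flows.append(Flow(1002.0 + i * 5, "10.0.2.15", "10.0.1.2", 135))
    # Worm-like sweep: one host contacts 12 neighbours on 445 within ~30 s.
    for i in range(12):
        flows.append(Flow(1050.0 + i * 2.5, "10.0.5.23", f"10.0.1.{10 + i}", 445))
    # Outbound SMB to the Internet: not east-west, so ignored by this detector.
    flows.append(Flow(1060.0, "10.0.5.23", "203.0.113.7", 445))
    return flows


if __name__ == "__main__":
    for alert in detect_fanout(sample_flows()):
        print(f"ALERT {alert['src']} reached {alert['distinct_peers']} "
              f"distinct RPC/SMB peers at t={alert['ts']}: {alert['sample_peers']}")
```

The normal client never exceeds two distinct peers, so it stays quiet, while the sweeping host trips the alert on its fifth new neighbour. The trade-off is deliberate: a fixed window and count catch fast, WannaCry-style spreading but will miss an operator moving slowly across the network, which is why production monitoring pairs this kind of fan-out rule with per-host baselines of which servers each client normally touches.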