Microsoft Identifies Critical Remote Code Vulnerability
On April 12, 2022, Microsoft® notified users of a remote code execution vulnerability (CVE-2022-26809). According to Krebs on Security, the vulnerability is a “wormable weakness” in a core Windows remote procedure call (RPC) component that could be abused by malware or attackers to bypass user access privileges and seize complete remote control over affected systems.
Microsoft rates the vulnerability 9.8/10 on the Common Vulnerability Scoring System (CVSS), meaning the severity is “critical”, and assesses exploitation as “more likely”, though no exploits had yet been detected.
Microsoft issued a patch for this and other vulnerabilities; it is recommended to push the patches through to all devices and make them mandatory. Microsoft also recommends the following mitigations:
- Block TCP port 445 at the enterprise perimeter firewall.
Blocking this port helps protect systems behind this firewall from potential exploitation attempts originating from outside the organization’s perimeter. Microsoft notes that this is the most effective defense against internet-based attacks, but that organizations can still be vulnerable to attacks from within the enterprise perimeter. However, blocking port 445 on the internal network could cause disruptions to other Microsoft services.
- Follow Microsoft’s guidelines to secure Server Message Block (SMB) traffic.
These guidelines use segmentation and isolation practices to secure SMB traffic and reduce threats between network devices. In addition to blocking inbound traffic on TCP port 445, organizations should block outbound access so that network devices cannot send data to the internet using SMB.
Microsoft also advises inventorying a network’s SMB traffic to distinguish necessary from unnecessary traffic on server and client endpoints, and configuring Windows Defender Firewall to block inbound and outbound SMB traffic, with exceptions only for the traffic that is needed. Microsoft’s SMB guidance lists additional firewall rules.
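The two host-level steps above (inventory the SMB traffic a device actually uses, then configure Windows Defender Firewall to block TCP 445 with exceptions for the traffic that is needed) can be scripted. The following PowerShell is an added example written for this page; it is not code from ACA or from Microsoft’s guidance. It assumes an elevated session on a domain-joined Windows host, English built-in rule names (the “File and Printer Sharing” rule group), and the sample addresses and rule display names are invented for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the ACA advisory or Microsoft's documentation).
# 1) Inventory live SMB connections so necessary peers can be told apart from
#    unnecessary ones.
# 2) Apply host firewall rules that follow the advice above: block TCP 445
#    outbound to the internet, block it inbound on non-domain networks, and
#    limit domain-profile inbound SMB to an allow-list of peers.
# Rule display names and sample addresses below are assumptions for illustration.

function Get-SmbConnectionInventory {
    # Established TCP connections where either side uses port 445, with the
    # owning process, so the output can be reviewed against known file servers,
    # domain controllers and backup/management hosts.
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -eq 445 -or $_.RemotePort -eq 445 } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                Direction     = if ($_.LocalPort -eq 445) { 'Inbound' } else { 'Outbound' }
                LocalAddress  = $_.LocalAddress
                RemoteAddress = $_.RemoteAddress
                ProcessName   = $proc.ProcessName
                ProcessId     = $_.OwningProcess
            }
        }
}

function Set-SmbFirewallBaseline {
    # -WhatIf is honoured by every New/Set/Remove-NetFirewallRule call below,
    # so the function can be dry-run before the rules are applied.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Hosts allowed to open SMB *to* this machine while on the domain network
        # (e.g. backup or management servers). Empty means no inbound SMB at all.
        [string[]] $AllowedInboundPeers = @()
    )

    # Block rules that apply regardless of which peers are legitimate.
    # Outbound SMB to intranet addresses is deliberately left alone: the text above
    # warns that blocking 445 internally can disrupt other Microsoft services.
    $blockRules = @(
        @{ DisplayName   = 'ACA-Example: Block SMB outbound to Internet'
           Direction     = 'Outbound'
           RemotePort    = 445
           RemoteAddress = 'Internet'          # built-in address keyword
           Profile       = @('Domain', 'Private', 'Public') },
        @{ DisplayName   = 'ACA-Example: Block SMB inbound on non-domain networks'
           Direction     = 'Inbound'
           LocalPort     = 445
           Profile       = @('Private', 'Public') }
    )
    if ($AllowedInboundPeers.Count -eq 0) {
        # Nothing legitimately opens SMB to this host: block inbound on the
        # domain profile as well.
        $blockRules += @{ DisplayName = 'ACA-Example: Block SMB inbound on domain network'
                          Direction   = 'Inbound'
                          LocalPort   = 445
                          Profile     = @('Domain') }
    }
    foreach ($rule in $blockRules) {
        # Remove any earlier copy first so repeated runs do not stack duplicates.
        Get-NetFirewallRule -DisplayName $rule.DisplayName -ErrorAction SilentlyContinue |
            Remove-NetFirewallRule
        New-NetFirewallRule @rule -Protocol TCP -Action Block -Enabled True | Out-Null
    }

    if ($AllowedInboundPeers.Count -gt 0) {
        # Windows Defender Firewall evaluates block rules before allow rules, so an
        # allow-list cannot punch through a block rule. Instead, narrow the remote
        # scope of the built-in inbound SMB allow rule(s) to the permitted peers.
        Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
            Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -eq 445 } |
            Set-NetFirewallRule -RemoteAddress $AllowedInboundPeers
    }
}

# Usage: review the inventory first, dry-run the baseline, then apply it.
Get-SmbConnectionInventory | Sort-Object Direction, RemoteAddress | Format-Table -AutoSize
Set-SmbFirewallBaseline -AllowedInboundPeers @('10.0.10.5') -WhatIf   # constructed address
# Set-SmbFirewallBaseline -AllowedInboundPeers @('10.0.10.5')
```

Run the inventory on a representative sample of servers and workstations over several days before applying the rules, since a single snapshot of established connections misses peers that connect infrequently (for example a nightly backup job). After applying, `Get-NetFirewallRule -DisplayName 'ACA-Example*'` lists the rules the script created so they can be audited or removed.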
Additional ACA Guidance
In addition to the above guidance, ACA recommends the following:
The threat landscape is always evolving. To stay abreast of the latest vulnerabilities and threats, monitor alerts and advisories from providers such as Microsoft and from other reputable sources such as CISA.
Moreover, you can sign up for ACA’s alert subscriptions.
Routine patching helps protect devices from vulnerability exploitation. Where possible, turn on automatic updates and make patching updates mandatory across the organization.
If an end user receives an update notification, do not delay; update and restart immediately. A device is not sufficiently protected until updates are complete.
In addition, CISA provides a collection of free tools to reduce the likelihood of damaging cyber events, encourage quick intrusion detection and mitigation, and maximize operational resilience.
Data Backups and Testing
Routinely back up data (at least monthly) and keep multiple copies in different locations in case data becomes inaccessible, lost, deleted, corrupted, or stolen. This can protect an organization’s data from not only vulnerability exploitation and other hacking attacks, but physical disasters.
Consider encrypting backup data to protect against unauthorized access.
Test backups to determine their integrity and ensure they are not corrupt and run as intended. Functional backups reduce downtime caused by disruptions.
How we help
ACA Aponix® provides vulnerability management solutions, as well as risk assessments to identify and remediate gaps in current cyber programs:
Penetration Testing and Vulnerability Assessments to help an organization reduce the risk of significant financial, operational, and reputational losses and to detect exploitable vulnerabilities in a network.
Risk assessments to identify gaps in cybersecurity and regulatory postures and implement industry best practices.