Get in Touch

Get in Touch

Get in Touch

Please get in touch using the form below.

Close form

Home / Threat Intelligence bulletins / December Patch Tuesday

Overview

Microsoft has released updates for 49 security vulnerabilities in December’s patch cycle. Two zero-days are included, both publicly disclosed before a patch was available.

One of the zero-days (CVE-2022-44698) is a Mark of the Web (MotW) bypass based on incorrect code signature checking, the third MotW bug after the two patched last month. The other is an Elevation of Privilege (EoP) in DirectX (CVE-2022-44710) which could grant system-level privileges.

CVE-2022-44698 is a medium-severity MotW bypass, while CVE-2022-44710 is a high-severity EoP in DirectX.

Another issue, without a common vulnerability exposure (CVE) was also addressed this month. Researchers from Mandiant, Sophos and SentinelOne reported that signed kernel-mode hardware drivers were being used for post-exploitation activity, leading to ransomware. Microsoft found that accounts had been submitting malicious drivers to Microsoft’s Hardware Developer Program. The accounts have since been banned and the certificates revoked.

Impact

A maliciously crafted file could bypass the MotW protections and run without being checked by Windows SmartScreen.

A malicious actor with administration-level privileges on a Windows machine could elevate to system-level privileges.

Affected Products

– .NET Framework
– Azure
– Client Server Run-time Subsystem (CSRSS)
– Microsoft Bluetooth Driver
– Microsoft Dynamics
– Microsoft Edge (Chromium-based)
– Microsoft Graphics Component
– Microsoft Office
– Microsoft Office OneNote
– Microsoft Office Outlook
– Microsoft Office SharePoint
– Microsoft Office Visio
– Microsoft Windows Codecs Library
– Role: Windows Hyper-V
– SysInternals
– Windows Certificates
– Windows Contacts
– Windows DirectX
– Windows Error Reporting
– Windows Fax Compose Form
– Windows HTTP Print Provider
– Windows Kernel
– Windows PowerShell
– Windows Print Spooler Components
– Windows Projected File System
– Windows Secure Socket Tunneling Protocol (SSTP)
– Windows SmartScreen
– Windows Subsystem for Linux
– Windows Terminal

Containment, Mitigations & Remediations

Microsoft has released updates revoking the malicious actor’s certificate and suspended the account. They’ve also implemented blocking detections to help protect against drivers known to be used for malicious purposes.

For Windows admins, Microsoft has also published advice on implementing your own driver-limiting rules on Windows 10 & 11.

Indicators of Compromise

Sophos has published hashes of the malicious files on GitHub and Mandiant has also published samples of hashes they found.

Threat Landscape

Multiple groups have recently been seen using valid, signed drivers with known weaknesses to run kernel code, bypassing Microsoft’s driver signature enforcement policy (DSE). Even after the software has been patched, malicious actors are able to upload older, vulnerable versions to enable their attacks. Attackers may use Windows Services to install the driver [T1543.003] as part of privilege escalation [T1068], to disable EDR [T1562.001] EDRSandblast , CheekyBlinder or install kernel-level rootkits [T1014]. This is easier than acquiring stolen certificates [T1587.002].

Mitre Methodologies

T1068 – Exploitation for Privilege Escalation
T1543.003– Create or Modify System Process: Windows Service
T1553.005– Subvert Trust Controls: Mark-of-the-Web Bypass
T1562.001 – Impair Defenses: Disable or Modify Tools
T1587.002 – Develop Capabilities: Code Signing Certificates

Further Information

December 2022 Security Updates

Guidance on Microsoft Signed Drivers Being Used Maliciously

I Solemnly Swear My Driver Is Up to No Good: Hunting for Attestation Signed Malware

Signed driver malware moves up the software trust chain

Driving Through Defenses | Targeted Attacks Leverage Signed Malicious Microsoft Drivers

Glossary

– BYOVD – Bring Your Own Vulnerable Driver (a technique for getting access to the OS kernel)
– CVE – Common Vulnerabilities and Exposures (a scheme to categorise and index vulnerabilities)
– DoS – Denial of Service (an attack that prevents a service from operating)
– IoC – Indicator of Compromise (an artifact that can be used to identify malicious activity such as an IP or domain used by an attacker)
– LPE – Local Privilege Escalation (allows a user to gain more permissions on a device)
– MotW – Mark of the Web (a safety feature to discourage users from running things they’ve just downloaded)
– RCE – Remote Code Execution (a hacking tool that allows the attacker to run code on another machine)

Intelligence Terminology Yardstick