You need to know about a new Microsoft vulnerability. I just got the notification from MS-ISAC. I'm going to paste an abbreviated version of it for you here. At the end I'll link you to where you can sign up for these advisory notifications in order to stay on top of the latest Device Management Vulnerabilities.
This is from the MS-ISAC Advisory:
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Michelle's note: this is why you want your device users to have standard user privileges rather than administrative privileges. You trust your staff to do the right thing with your company assets, but you can't trust an attacker.
Two zero-day vulnerabilities, CVE-2022-41043 (Microsoft Office Information Disclosure Vulnerability) which has been reported by Microsoft as currently being exploited in the wild and CVE-2022-41033 (Windows COM+ Event System Service Elevation of Privilege Vulnerability) which has not been reported by Microsoft as currently being exploited in the wild, have both been fixed in the latest patch.
Michelle's note: since CVE-2022-41043 is being exploited in the wild it is the higher priority to solve of the two.
Meanwhile, Microsoft has not released security updates for two actively exploited zero-day vulnerabilities tracked as CVE-2022-41040 and CVE-2022-41082, also known as ProxyNotShell. There are multiple reports detailing the active exploitation of these vulnerabilities, which includes security researchers tracking active campaigns leveraging remote code execution vulnerabilities. GTSC, the Vietnamese cybersecurity company that discovered the two vulnerabilities, reported the vulnerabilities were exploited in early August 2022. According to the GTSC report, cyber threat actors (CTAs) are chaining the vulnerabilities to create backdoors for persistence or to move laterally in the victim network. For example, CTAs exploiting these vulnerabilities deployed the China Chopper webshell for persistent remote access. Some security researchers are referring to the exploit chain as “ProxyNotShell.”
Michelle's note: Patching is the number one practice you can follow to reduce your attack surface. But for the vulnerabilities referenced in the above paragraph there is no patch available at this time. Attackers have figured out that once they find a vulnerable system, they can use it to navigate into other resources available to that device, walking a path until they reach a valuable asset. Please use the principle of least privilege and consider implementing internal firewalls if you have assets on an internal network. Implementing the practices of Zero Trust is key.
A BleepingComputer report noted that a scammer set up a GitHub repository and is “impersonating security researchers to sell fake proof-of-concept ProxyNotShell exploits” for Exchange CVE-2022-41040 and CVE-2022-41082 vulnerabilities.
Michelle's note: Please use caution when testing remediation code that comes from a source unfamiliar to you. Bringing unvalidated code into your environment is a poor supply chain practice. It doesn't mean you should avoid using crowd-sourced code, but it does mean you need to perform some validation on that code before distributing it to your organizational (or personal) devices.
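As an added example of the validation step described above (not part of the advisory or this post), the PowerShell below refuses to stage a downloaded remediation script unless its SHA256 matches the hash the vendor published and it carries a valid Authenticode signature from an approved publisher. The file paths, the expected hash and the trusted signer subject are placeholders you would fill in from the vendor's advisory.

```powershell
# Added example: gate a downloaded remediation script on two checks before it
# reaches a deployment share. Paths, hash and signer below are placeholders.

function Test-RemediationScript {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        [string[]] $TrustedSigners = @()
    )

    if (-not (Test-Path -Path $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Approved = $false; Reason = 'File not found' }
    }

    # Check 1: the bytes we downloaded are exactly what the vendor published.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        return [pscustomobject]@{ Path = $Path; Approved = $false; Reason = "SHA256 mismatch: got $actual" }
    }

    # Check 2: the script is signed, the signature verifies, and the signer is one we approved.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Approved = $false; Reason = "Signature status: $($sig.Status)" }
    }
    $signer = $sig.SignerCertificate.Subject
    if ($TrustedSigners.Count -gt 0 -and ($TrustedSigners -notcontains $signer)) {
        return [pscustomobject]@{ Path = $Path; Approved = $false; Reason = "Untrusted signer: $signer" }
    }

    [pscustomobject]@{ Path = $Path; Approved = $true; Reason = "Hash and signature verified ($signer)" }
}

# Usage: copy into the deployment share only when both checks pass.
$result = Test-RemediationScript -Path 'C:\Staging\Remediation.ps1' `
    -ExpectedSha256 '<SHA256 FROM THE VENDOR ADVISORY>' `
    -TrustedSigners @('<SUBJECT OF YOUR APPROVED SIGNING CERTIFICATE>')
if ($result.Approved) {
    Copy-Item -Path $result.Path -Destination '\\deploy\scripts\'
} else {
    Write-Warning "Rejected $($result.Path): $($result.Reason)"
}
```

A hash match alone proves only that you downloaded what the publisher posted; the signature check is what ties the file to a publisher you have decided to trust.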
If you'd like to stay on top of the latest security vulnerability reports, I invite you to subscribe to the MS-ISAC Advisories and Monthly Newsletter. MS-ISAC is a program run by the Center for Internet Security (CIS). It's free, they won't spam you, and they won't share your information.
Reference the vendor's documentation of a vulnerability to deploy a manual remediation. Reference your endpoint security vendor's recommendations on remediation if they are not already addressing the threat directly. The approach can vary quite a bit depending on the vulnerability, the complexity of patching it, and so on.
If it is a web threat, block the sites involved globally.