Microsoft addressed 84 distinct Windows and Azure vulnerabilities in its July 2022 “Patch Tuesday” update. One of these, CVE-2022-22047, is a zero-day: Microsoft reports that it was already being exploited in the wild when the fix shipped. Because the vulnerability was found by Microsoft’s own research teams, the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC), no proof of concept (PoC) has been released at this time. Microsoft has not published any further information on the attacks, so their frequency, attribution, and geographical distribution remain unknown. The bug is reported as an elevation of privilege vulnerability in the Windows Client Server Runtime Subsystem (CSRSS). It does not provide initial access by itself: a threat actor who has already compromised an account and is running code on the host, for example through a prior Remote Code Execution (RCE) exploit, can use it to elevate that foothold to SYSTEM.
CSRSS (csrss.exe) is the user-mode part of the Win32 subsystem and takes part in process and thread management for every Windows session; in modern Windows the console host itself has moved out of it into conhost.exe, but CSRSS remains a critical system process, and Windows bugchecks (crashes) if it is terminated. There is therefore no workaround of disabling or restricting CSRSS: the only fix is the update Microsoft released on Patch Tuesday, and organizations should deploy it as quickly as feasible. As with any update, it should first be tested on a representative set of machines before fleet-wide deployment, as per standard enterprise change practice. Zero-day attacks are an inevitable result of the increased pace of threat group research, as well as the complexity of modern computing systems. The Threat Hunting and Managed Detection and Response (MDR) services offered by Binary Defense represent an effective way to incorporate a post-exploitation focus into a defense-in-depth strategy.
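Because the only mitigation for CVE-2022-22047 is the update itself, the practical follow-up to "test, then deploy" is confirming that the update actually landed on each host. The following PowerShell script is an added example written for this page; it is not code from the original post or from Binary Defense. It assumes the admin fills in `$RequiredKB` with the KB numbers listed for their OS builds in Microsoft's Security Update Guide entry for CVE-2022-22047 (the `KB0000000` value is a placeholder, not a real update), and that remote hosts accept WinRM connections from an account with local administrator rights.

```powershell
<#
Added example (not from the original post): report, for each host, whether a
given Windows cumulative update is installed, so a staged rollout (pilot group
first, then the fleet) can be verified instead of assumed.

Assumptions (not from the page):
  - $RequiredKB is a placeholder; replace it with the KB IDs from the Microsoft
    Security Update Guide entry for CVE-2022-22047 for the builds you run.
  - Remote hosts are reachable over WinRM and the caller is a local admin there.
#>
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string[]]$RequiredKB   = @('KB0000000'),          # placeholder, see above
    [datetime]$PatchDate    = [datetime]'2022-07-12'   # July 2022 Patch Tuesday
)

# Runs on each target. Returns the OS build plus the state of the required KB(s).
$probe = {
    param($kbs, $since)
    $nt = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # Get-HotFix wraps Win32_QuickFixEngineering; cumulative updates appear there.
    # Some entries have no InstalledOn, so guard the date comparison.
    $recent  = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $since }
    $matched = $recent | Where-Object { $kbs -contains $_.HotFixID }
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Build     = "$($nt.CurrentBuildNumber).$($nt.UBR)"   # build.revision
        Patched   = [bool]$matched
        MatchedKB = ($matched.HotFixID -join ',')
        RecentKBs = ($recent.HotFixID -join ',')
    }
}

$results = foreach ($c in $ComputerName) {
    try {
        if ($c -eq $env:COMPUTERNAME) {
            & $probe $RequiredKB $PatchDate
        } else {
            Invoke-Command -ComputerName $c -ScriptBlock $probe `
                -ArgumentList $RequiredKB, $PatchDate -ErrorAction Stop
        }
    } catch {
        # Unreachable hosts are reported as unpatched so they are not silently skipped.
        [pscustomobject]@{
            Computer = $c; Build = 'unreachable'; Patched = $false
            MatchedKB = ''; RecentKBs = $_.Exception.Message
        }
    }
}

$results | Sort-Object Patched, Computer | Format-Table -AutoSize

# Non-zero exit when any host is unpatched, so the script can gate the next rollout stage.
if ($results | Where-Object { -not $_.Patched }) { exit 1 }
```

Run it against the pilot group first (`.\Check-Patch.ps1 -ComputerName pilot01,pilot02 -RequiredKB KB…`), then against the wider fleet; the `RecentKBs` column is there so that a host that shows as unpatched can be distinguished between "update never installed" and "a different cumulative update was installed", which matters when several builds are in use.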