FortiDeceptor
FortiDeceptor provides Deception-based Breach Protection to deceive, expose and eliminate external and internal threats.
mbensimon
Staff
Article Id 209380
Description

This article describes how FortiDeceptor decoys and lures can detect activity related to the Microsoft remote code execution vulnerability CVE-2022-26809.

CVE-2022-26809 is a critical remote code execution vulnerability in the Remote Procedure Call Runtime Library. A remote, unauthenticated attacker could exploit it to take control of an affected system.

Cyber Deception Against cyber attacks that try to leverage CVE-2022-26809

1) FortiDeceptor starts by deploying network decoys across the network segments, creating a fake environment that simulates the real network and its assets. The CVE-2022-26809 exploit targets Windows systems, so Windows network decoys (Windows 7, 10, 2016 and 2019, endpoints and servers) are deployed across the network.

2) In addition, the FortiDeceptor customization module allows a decoy template to be generated from the customer's gold image and deployed across the network and in the customer data center. A decoy that runs the customer's gold image and is part of the customer's domain expands the attack surface for any malware or threat actor trying to leverage CVE-2022-26809. Such a decoy also generates accurate threat intelligence and IOCs for the attack.

3) FortiDeceptor generates and deploys deception lures, such as a fake network drive and fake user credentials, on every endpoint and server in the network, matched to the network decoy deployment.

4) To exploit this vulnerability, an attacker needs access to the internal network, typically by compromising an internal endpoint and leveraging that endpoint's access and credentials. Deception lures expand the attack surface and reduce dwell time.

5) Deception lures detect the malware early in the kill chain, before it attacks the Windows systems vulnerable to CVE-2022-26809, by placing the following lures on the network endpoints that the threat actor would use to attack those Windows endpoints and servers. The deception lures to deploy are:

  • SMB deception lure: generates a fake network drive with fake files. This network drive deceives a threat actor who uses Windows commands such as 'NET'. The malicious engagement triggers alerts as well as mitigation responses to isolate the malicious endpoint from the network.
  • Cached credentials deception lure: deploys fake user credentials to endpoints and servers. These fake credentials deceive a threat actor who uses tools such as mimikatz and then uses the fake credentials to move laterally and engage a network decoy. This engagement triggers alerts as well as mitigation responses to isolate the malicious endpoint from the network.
  • RDP deception lure: deploys fake Windows RDP credentials in the Windows Credential Manager. These fake credentials deceive a threat actor who uses mimikatz and RDP clients to move laterally and engage a network decoy that runs the Windows Print Spooler service. This engagement triggers alerts as well as mitigation responses to isolate the malicious endpoint from the network.

Scope

The deception decoys and lures against Microsoft CVE-2022-26809 attacks can be used in FortiDeceptor 3.3 and above.

Solution

Cyber Deception Against Microsoft CVE-2022-26809 attacks:

1) Configure the network segments under the 'Deployment Network' section that FortiDeceptor will use to deploy network decoys. Due to the nature of the attack, verify that the data center segments where the Windows domain controllers are located are covered.

2) Use the 'Customization' feature to deploy a Windows 2016/2019 decoy that runs the Windows Print Spooler service. See this video for technical instructions on using the customization module: https://video.fortinet.com/products/fortideceptor/3.0/fortideceptor-windows-customization

3) Deploy network decoys (template and custom) across the network VLAN segments configured under the 'Deployment Network' section.

4) Download the deception lure package from the decoy configuration section.

5) Deploy the deception lure package across the endpoints using the AD logon script. Keep in mind that the deception lure package is an agentless technology. See the FortiDeceptor Admin Guide: https://docs.fortinet.com/document/fortideceptor/3.3.1/administration-guide/821523/deploying-tokens-...

6) To verify the deception lure package deployment, run the command 'net use' on any endpoint that is part of the domain. The user should see the mapped network drive in place; alternatively, open the Windows Credential Manager to verify that the fake credentials exist.

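The manual check above ('net use' plus a look in Credential Manager) can be scripted so that lure coverage is verified across many endpoints. The script below is an added example and is not part of the FortiDeceptor product or its documentation; the drive letter 'Z:' and the credential target name 'LURE-FILESRV' are constructed placeholders and must be replaced with whatever your lure package actually creates.

```powershell
# Added example (not Fortinet code): verify that the SMB and credential lures from the
# deception lure package are present on a domain-joined endpoint.
# Assumptions (placeholders, adjust to your package):
#   - the SMB lure maps a network drive using the letter in $ExpectedDriveLetter
#   - the credential lures store an entry whose target contains $ExpectedCredentialTarget
# Run this in the logged-on user's session: logon-script drive mappings and
# Credential Manager entries are per-user, so an elevated or SYSTEM context will not see them.
param(
    [string]$ExpectedDriveLetter      = 'Z:',            # constructed placeholder
    [string]$ExpectedCredentialTarget = 'LURE-FILESRV'   # constructed placeholder
)

# 1. SMB lure: 'net use' lists the current user's mapped drives.
$netUseOutput = (net use 2>&1) | Out-String
$driveMapped  = $netUseOutput -match [regex]::Escape($ExpectedDriveLetter)

# Cross-check via CIM: DriveType 4 is a network drive; ProviderName is the UNC target.
$networkDrives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 4' |
    Select-Object -Property DeviceID, ProviderName

# 2. Credential lures: 'cmdkey /list' enumerates the current user's Credential Manager entries
#    (the same data that the Credential Manager GUI shows).
$cmdkeyOutput = (cmdkey /list 2>&1) | Out-String
$credPresent  = $cmdkeyOutput -match [regex]::Escape($ExpectedCredentialTarget)

# 3. Report one row per endpoint so results can be collected centrally.
$result = [pscustomobject]@{
    Computer              = $env:COMPUTERNAME
    User                  = $env:USERNAME
    SmbLureDriveMapped    = $driveMapped
    NetworkDrives         = ($networkDrives | ForEach-Object { "$($_.DeviceID) -> $($_.ProviderName)" }) -join '; '
    CredentialLurePresent = $credPresent
}
$result | Format-List

# Non-zero exit code lets a deployment tool flag endpoints where the lure package is missing.
if (-not ($driveMapped -and $credPresent)) {
    Write-Warning "Deception lure package is not fully deployed for $env:USERNAME on $env:COMPUTERNAME"
    exit 1
}
exit 0
```

Because both 'net use' and 'cmdkey /list' read per-user state, run the script through the same logon script path (or a scheduled task in the user context) rather than from a remote administrative shell; otherwise a healthy endpoint will be reported as missing its lures.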
7) Once a threat actor or malware has penetrated the network and infected an endpoint, any interaction with a deception decoy or lure triggers a real-time alert.

8) FortiDeceptor leverages the Fortinet Security Fabric to execute a threat mitigation response and isolate the threat.

FortiDeceptor is part of the Fortinet Security Fabric.

FortiDeceptor is natively integrated with FortiGate, FortiNAC, FortiEDR, FortiSIEM, FortiAnalyzer and other Fabric solutions to automate the mitigation response based on attack detection.

For example, the video below shows FortiDeceptor leveraging FortiNAC to automatically isolate an infected machine that has been targeted by ransomware.

https://www.youtube.com/watch?v=SfiEL7-F5Mo&t=154s

Another example is FortiDeceptor (FDC) leveraging FortiGate to automatically isolate an infected machine that has been compromised by a threat actor or malware.