CyberScotland Bulletin

Technical Bulletin April 2024


The CyberScotland Technical Bulletin is designed to provide you with information about updates, exploits and countermeasures.

Please subscribe to our CyberScotland mailing list to be notified by email when a new bulletin is published.

Microsoft Patch Tuesday

This month’s Microsoft Patch Tuesday fixed a total of 150 flaws, including three critical flaws and two zero-day vulnerabilities. The fixes break down by vulnerability type as follows:

  • 31 Elevation of Privilege Vulnerabilities
  • 29 Security Feature Bypass Vulnerabilities
  • 67 Remote Code Execution Vulnerabilities
  • 13 Information Disclosure Vulnerabilities
  • 7 Denial-of-Service Vulnerabilities
  • 3 Spoofing Vulnerabilities

The two zero-day vulnerabilities were:

  • CVE-2024-26234: a Proxy Driver Spoofing Vulnerability, assigned to a malicious driver that was signed with a valid Microsoft Hardware Publisher Certificate. This vulnerability was actively used to deploy a previously disclosed backdoor.
  • CVE-2024-29988: a SmartScreen Prompt Security Feature Bypass Vulnerability which allows attachments to bypass Microsoft Defender SmartScreen prompts when opened. It builds on the CVE-2024-21412 vulnerability, discussed in the previous Technical Bulletin, as well as CVE-2023-36025.

With the high number of flaws fixed in this month’s Patch Tuesday, users are reminded of the importance of updating their software to the latest versions.

Multiple vulnerability patches for various browsers

This month was marked by multiple updates and fixes from well-known browsers. Google Chrome and Firefox have both pushed fixes for vulnerabilities found by researchers over the past month.

The vulnerabilities patched in Chrome were two high severity zero-day vulnerabilities:

  • CVE-2024-3159 is an out-of-bounds read present in versions prior to 123.0.6312.105. It allowed an attacker to read data beyond the end of a memory buffer via heap corruption, giving remote attackers access to sensitive information or causing a crash.
  • CVE-2024-2887 is a Type Confusion Vulnerability present in versions prior to 123.0.6312.86 which allowed remote attackers to execute arbitrary code through a crafted HTML request.

Firefox fixed two critical severity vulnerabilities:

  • CVE-2024-29943 is an out-of-bounds access that would allow an attacker to read or write a JavaScript object by fooling range-based bounds check elimination.
  • CVE-2024-29944 is a privileged JavaScript execution through event handlers: attackers can inject event handlers into a privileged object, allowing arbitrary JavaScript execution. Note: this vulnerability solely affects desktop Firefox and not the mobile versions.

These Firefox vulnerabilities have been fixed in version 124.0.1.

This is a reminder that it is important to update not only the operating system on a device but also the other software installed on it, as each application is a potential source of security flaws.

Vultur Banking Trojan has a new infection chain

A new version of the Vultur banking trojan has been found by researchers. A trojan is a type of malware that masquerades as legitimate software, usually in order to install and run malicious code on a device. Vultur has remote control capabilities such as:

  • Screen recording
  • File handling on the victim’s device
  • Performing clicks, scrolling and swiping gestures for extra control of the device
  • Blocking certain apps from executing
  • Displaying custom notifications to mislead the victim

Vultur was previously delivered through trojanised mobile banking applications but has recently developed a new infection chain. It starts with the attacker sending the victim an SMS containing a mobile phone number. Calling the number puts the victim in direct contact with the attacker, and after a conversation the attacker sends a second SMS containing a link to a trojanised McAfee Security app. Once the user installs the malicious application, the malware dropper it contains, called Brunhilda, is installed. Brunhilda then installs the three payloads that set up the trojan.

The first payload obtains Accessibility Services access before installing the second payload, which installs the remote-control capabilities such as screen recording. The third payload is then installed, which sets up the communication channel between the attacker and the victim’s device. Once all three are installed, the trojan can communicate with the attacker, who then has complete control of the victim’s device.

The main recommendations to avoid falling victim to this type of attack are:

  • Do not call phone numbers sent to you by text from an untrusted source
  • Do not install applications from untrusted sources
  • Do not grant permissions to unknown or untrusted applications
  • Update applications to the latest versions