CyberScotland Bulletin

Technical Bulletin – August 2021

The CyberScotland Technical Bulletin is designed to provide you with information about updates, exploits and countermeasures.

Please subscribe to our CyberScotland mailing list to be notified by email when a new bulletin is published.


Microsoft Patch Tuesday

Microsoft released its monthly security update Tuesday 10th August 2021, disclosing 44 vulnerabilities across its suite of products. 

This Patch Tuesday, the breakdown of vulnerabilities includes 7 rated “Critical”, with the remaining 37 rated “Important”. Three of this month’s vulnerabilities were zero-days: 

  • CVE-2021-36936 – Windows Print Spooler Remote Code Execution Vulnerability 
  • CVE-2021-36942 – Windows LSA Spoofing Vulnerability  
  • CVE-2021-36948 – Windows Update Medic Service Elevation of Privilege Vulnerability 

Microsoft has warned that one of these vulnerabilities is already being exploited in the wild. As Krebsonsecurity.com explains, CVE-2021-36948 is a weakness in the Windows Update Medic Service that lets an attacker who already has a foothold on a machine escalate their privileges, potentially gaining access to parts of the system not intended for them. 

As reported by zdnet.com, the products affected by these vulnerabilities are .NET Core & Visual Studio, ASP.NET Core & Visual Studio, Azure, Windows Update, Windows Print Spooler Components, Windows Media, Windows Defender, Remote Desktop Client, Microsoft Dynamics, Microsoft Edge (Chromium-based), Microsoft Office, Microsoft Office Word, Microsoft Office SharePoint, and more technologies. 

A full list of Microsoft’s August 2021 patches, with their CVEs, severities, scores, and exploitation and disclosure status, can be found here: SANS Internet Storm Centre. 


Cisco Patches Critical Security Vulnerabilities for VPN Routers

Cisco has issued patches for two vulnerabilities in its VPN routers that allow a remote attacker to achieve remote code execution (RCE) or trigger a denial-of-service condition. 

The two vulnerabilities are as follows: 

As stated by bleepingcomputer.com, both vulnerabilities were found in the routers’ web-based management interface and are caused by improperly validated HTTP requests and by insufficient validation of user-supplied input, respectively. 

Both vulnerabilities affect several of Cisco’s VPN router models. However, Cisco has stated that the remote management feature, which is the attack surface for each vulnerability, is disabled by default. This reduces the risk of a device being compromised from the internet, although you are still strongly encouraged to update to the patched firmware. 

The affected VPN routers are the RV340, RV340W, RV345 and RV345P Dual WAN Gigabit VPN routers, and the RV160, RV160W, RV260, RV260P and RV260W VPN routers. 


Realtek Warns of Four Security Vulnerabilities Which Affect Almost a Million IoT Devices

Warnings have been issued about four vulnerabilities found in the software development kits (SDKs) used in Realtek WiFi modules, which are built into several hundred IoT device models. 

The four vulnerabilities in the SDKs allow attackers to compromise vulnerable devices and execute arbitrary code with the highest level of privilege. According to thehackernews.com, the flaws have sat untouched in Realtek’s codebase for more than a decade. The four vulnerabilities are as follows: 

  • CVE-2021-35392 – Heap buffer overflow vulnerability in ‘WiFi Simple Config’ server due to unsafe crafting of SSDP NOTIFY messages 
  • CVE-2021-35393 – Stack buffer overflow vulnerability in ‘WiFi Simple Config’ server due to unsafe parsing of the UPnP SUBSCRIBE/UNSUBSCRIBE Callback header 
  • CVE-2021-35394 – Multiple buffer overflow vulnerabilities and an arbitrary command injection vulnerability in ‘UDPServer’ MP tool 
  • CVE-2021-35395 – Multiple buffer overflow vulnerabilities in HTTP web server ‘boa’ due to unsafe copies of some overly long parameters 

The affected SDK versions are as follows: rtl819x-SDK-v3.2.x Series, rtl829c-SDK-v3.4.x Series, rtl819x-SDK-v3.4T Series, rtl819x-SDK-v3.4T-CT Series, rtl819x-eCos-v1.5.x Series.
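To make the second Realtek finding concrete, the C program below is an added illustration written for this bulletin; it is not Realtek’s SDK code. It shows the bug class described for CVE-2021-35393: a UPnP SUBSCRIBE request whose Callback header value is copied into a fixed-size stack buffer with no length check, placed beside a bounds-checked parser that rejects an overlong or malformed header before copying anything. The sample requests, the header names, the buffer size CALLBACK_MAX and the function names are all assumptions made for the example.

```c
/* Added example (editor's own, not Realtek code): the bug class behind
 * CVE-2021-35393 -- a UPnP SUBSCRIBE Callback header copied into a fixed
 * stack buffer without a length check -- shown beside a bounds-checked
 * parser. Requests, header names and buffer sizes are constructed here. */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

#define CALLBACK_MAX 64    /* hypothetical size of the device's stack buffer */

/* Locate a header value in a CRLF-delimited request (case-insensitive name).
 * Returns a pointer to the value and sets *len, or NULL if the header is absent. */
static const char *find_header(const char *req, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    for (const char *p = req; p && *p; ) {
        if (strncasecmp(p, name, nlen) == 0 && p[nlen] == ':') {
            const char *v = p + nlen + 1;
            while (*v == ' ' || *v == '\t') v++;
            const char *end = strstr(v, "\r\n");
            *len = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        p = strstr(p, "\r\n");
        if (p) p += 2;
    }
    return NULL;
}

/* VULNERABLE pattern: trusts the header length. A Callback value longer than
 * CALLBACK_MAX overruns cb[] on the stack. Kept here to show the defect; only
 * ever call it with benign input. */
int parse_callback_unsafe(const char *req, char *out)
{
    char cb[CALLBACK_MAX];
    size_t len;
    const char *v = find_header(req, "Callback", &len);
    if (!v) return -1;
    memcpy(cb, v, len);          /* no bound on len: the overflow */
    cb[len] = '\0';
    if (cb[0] != '<' || cb[len - 1] != '>') return -2;
    cb[len - 1] = '\0';
    strcpy(out, cb + 1);         /* caller's buffer is unbounded too */
    return (int)(len - 2);
}

/* HARDENED: the value must be an angle-bracketed URL that fits the output
 * buffer with its terminator; anything else is rejected before any copy. */
int parse_callback_safe(const char *req, char *out, size_t out_sz)
{
    size_t len;
    const char *v = find_header(req, "Callback", &len);
    if (!v) return -1;                                          /* header missing */
    if (len < 2 || v[0] != '<' || v[len - 1] != '>') return -2; /* malformed */
    v++; len -= 2;                                              /* strip < > */
    if (len >= out_sz) return -3;                               /* overlong: reject */
    memcpy(out, v, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed sample requests (not captured traffic). */
static const char REQ_OK[] =
    "SUBSCRIBE /upnp/event/wps HTTP/1.1\r\n"
    "HOST: 192.168.1.1:52881\r\n"
    "CALLBACK: <http://192.168.1.50:8080/notify>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-1800\r\n\r\n";

static const char REQ_NO_CALLBACK[] =
    "SUBSCRIBE /upnp/event/wps HTTP/1.1\r\n"
    "HOST: 192.168.1.1:52881\r\n"
    "NT: upnp:event\r\n\r\n";

/* Build a request whose Callback URL is url_len bytes of 'A' (attacker-sized). */
const char *build_long_request(size_t url_len)
{
    static char buf[1024];
    size_t n = (size_t)snprintf(buf, sizeof buf,
        "SUBSCRIBE /upnp/event/wps HTTP/1.1\r\nHOST: 192.168.1.1:52881\r\nCALLBACK: <");
    while (url_len-- && n + 32 < sizeof buf) buf[n++] = 'A';
    snprintf(buf + n, sizeof buf - n, ">\r\nNT: upnp:event\r\n\r\n");
    return buf;
}

int main(void)
{
    char url[CALLBACK_MAX];
    int r = parse_callback_safe(REQ_OK, url, sizeof url);
    printf("benign:   rc=%d url=%s\n", r, url);
    r = parse_callback_safe(build_long_request(600), url, sizeof url);
    printf("overlong: rc=%d (rejected, nothing copied)\n", r);
    r = parse_callback_safe(REQ_NO_CALLBACK, url, sizeof url);
    printf("missing:  rc=%d\n", r);
    return 0;
}
```

The two parsers agree on a benign request; the difference is that the hardened one checks the value’s length against the destination before the memcpy, whereas the vulnerable one lets a 600-byte Callback value decide how much gets written to a 64-byte stack buffer. The same check-then-copy discipline is the fix for the other three Realtek bugs, which the advisory likewise attributes to unsafe copies of overlong input.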


Diavol Ransomware linked to TrickBot Gang

A group of cyber security researchers have disclosed details of an early development version of a new ransomware strain, called Diavol, which has been linked to the TrickBot gang. The researchers found that the ransomware shares similarities with older malware created by the group, which supports the connection between the two. 

An earlier sample of Diavol, dated 5th March 2020, gives insight into the malware’s development process: its code is capable of terminating arbitrary processes and prioritises the file types to encrypt based on a pre-configured list of extensions defined by the attacker. This is to ensure that the attack encrypts the most important and critical files on the system. 

When the ransomware executes, it harvests data about the system and generates a unique identifier for that machine; Diavol differs from similar malware in including the Windows username in this identifier. The sample also shows a preference for Russian-language content, which is consistent with the suspected origin of its operators. 

Another clue tying the malware to Russian-speaking threat actors is code that checks the language of the infected system in order to exclude victims in Russia or the Commonwealth of Independent States (CIS) region, a tactic known to be used by the TrickBot group. 

CiSP – The Cyber Security Information Sharing Partnership

The Cyber Security Information Sharing Partnership (CiSP) is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and dynamic environment, increasing situational awareness and reducing the impact on UK […]


Scottish Information Sharing Network (SciNET Group)

SciNet is a community for Scottish businesses to engage on CiSP. The Cyber Security Information Sharing Partnership (CiSP) is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and […]


Early Warning Service

The NCSC provides a free service to organisations to inform them of threats against their network. This service will notify you of all cyber attacks detected by the feed suppliers against your organisation and is designed to complement your existing […]

Cyber and Fraud Centre – Scotland