CyberScotland Bulletin

Technical Bulletin – August 2021

The CyberScotland Technical Bulletin is designed to provide you with information about updates, exploits and countermeasures.

Please subscribe to our CyberScotland mailing list to be notified by email when a new bulletin is published.

Microsoft Patch Tuesday

Microsoft released its monthly security update Tuesday 10th August 2021, disclosing 44 vulnerabilities across its suite of products. 

This Patch Tuesday, the breakdown of vulnerabilities includes 7 “Critical” ratings with the remaining 37 labelled as “Important”. Also in this month’s Patch Tuesday, 3 zero-days were mentioned: 

  • CVE-2021-36936 – Windows Print Spooler Remote Code Execution Vulnerability 
  • CVE-2021-36942 – Windows LSA Spoofing Vulnerability  
  • CVE-2021-36948 – Windows Update Medic Service Elevation of Privilege Vulnerability 

Microsoft has put out a warning about one of the vulnerabilities which hackers are particularly interested in exploiting. Krebsonsecurity.com goes on to explain that the vulnerability CVE-2021-36948, which is a weakness in the Windows Update Medic service, allows for an attacker to escalate their privileges which could potentially grant the attacker access to areas of the system which is not intended for them. 

As reported by zdnet.com, the products affected by these vulnerabilities are .NET Core & Visual Studio, ASP.NET Core & Visual Studio, Azure, Windows Update, Windows Print Spooler Components, Windows Media, Windows Defender, Remote Desktop Client, Microsoft Dynamics, Microsoft Edge (Chromium-based), Microsoft Office, Microsoft Office Word, Microsoft Office SharePoint, and more technologies. 

A full list of Microsoft’s August 2021 Patches, their CVE’s severities, scores, exploits, and disclosures can be found here: SANS Internet Storm Centre. 

Cisco Patches Critical Security Vulnerabilities for VPN Routers

Cisco has issued patches to fix two vulnerabilities which allowed attackers to perform remote code execution (RCE) or trigger a denial-of-service condition on Cisco VPN routers. 

The two vulnerabilities are as follows: 

As stated by bleepingcomputer.com, the two vulnerabilities were found in the web-based management interfaces and exist due to improperly validated HTTP requests and insufficient user input validation, respectively. 

Unfortunately, both vulnerabilities affect several iterations of Cisco’s VPN routers. However, in a stroke of luck, Cisco have stated that the “remote management feature” which is the target of each vulnerability, is disabled by default. This should reduce the risk of your system being compromised, although, it is still encouraged you update with the latest patch. 

The VPN routers affected are as follows: RV340, RV340W, RV345, RV345P Dual WAN Gigabit VPN routers, RV160, RV160W, RV260, RV260P and RV260W VPN routers. 

Realtek Warns of Four Security Vulnerabilities Which Affect Almost a Million IoT Devices

Warnings have been issued surrounding the four vulnerabilities found in the software development kits (SDK’s) used in the WiFi modules found in several hundred IoT devices. 

The four vulnerabilities found in the SDK’s allows for attackers to compromise the vulnerable devices and execute arbitrary code with top level privileges. According to thehackernews.com, the vulnerabilities have remained untouched in Realtek’s codebase for more than a decade. The four vulnerabilities are as follows: 

  • CVE-2021-35392 – Heap buffer overflow vulnerability in ‘WiFi Simple Config’ server due to unsafe crafting of SSDP NOTIFY messages 
  • CVE-2021-35393 – Stack buffer overflow vulnerability in ‘WiFi Simple Config’ server due to unsafe parsing of the UPnP SUBSCRIBE/UNSUBSCRIBE Callback header 
  • CVE-2021-35394 – Multiple buffer overflow vulnerabilities and an arbitrary command injection vulnerability in ‘UDPServer’ MP tool 
  • CVE-2021-35395 – Multiple buffer overflow vulnerabilities in HTTP web server ‘boa’ due to unsafe copies of some over long parameters 

The affected SDK versions are as follows: rtl819x-SDK-v3.2.x Series, rtl829c-SDK-v3.4.x Series, rtl819x-SDK-v3.4T Series, rtl819x-SDK-v3.4T-CT Series, rtl819x-eCos-v1.5.x Series.

Diavol Ransomware linked to TrickBot Gang

A group of cyber security researchers have disclosed details about an early development of a new strain of ransomware, called Diavolt, which has been linked to the ransomware gang TrickBot. The findings from the researchers show that the ransomware contains similarities to other, older ransomware created by the group, aiding in the connection being made about the two. 

An earlier strain of Diavol, from March 5th, 2020, has revealed insights into the malware development process, with the source code capable of terminating arbitrary processes and prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. This is to ensure that the attack encrypts all the important and critical files within the system. 

When the ransomware executes, it harvests data about the system and then generates a unique identifier for that machine, however, Diavol differs to include the windows username within this identifier. It was also discovered that the ransomware prefers the Russian language content, which matches up with the operators. 

Another clue tying the malware to the Russian threat actors is the code for checking the language on the infected system to filter out victims in Russia or the Commonwealth of Independent States (CIS) region, a known tactic adopted by the TrickBot group. 

CiSP – The Cyber Security Information Sharing Partnership

The Cyber Security Information Sharing Partnership (CiSP) is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and dynamic environment, increasing situational awareness and reducing the impact on UK […]

Read more

Scottish Information Sharing Network (SciNET Group)

SciNet is a community for Scottish Buisnesses to engage on CiSP. The Cyber Security Information Sharing Partnership (CiSP) is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and […]

Read more
Scottish Business Resilience Centre

Related content

Technical Bulletin – May 2021

The CyberScotland Technical Bulletin will provide you with information about the latest cyber threats, scams, news and updates.

This month’s topics include:

• Microsoft Patch Tuesday

• Adobe Patches

• AutoHotKey Malware Attacks

• Android Patching Zero-Day Exploits

Technical Bulletin September 2021

The CyberScotland Technical Bulletin will provide you with information about the latest cyber threats, scams, news and updates.

This month’s topics include:
• Microsoft Patch Tuesday
• REvil/Sodinokibi Ransomware Decryptor
• Google Patches Zero-Days
• Apple Patches Zero-Days

Technical Bulletin – July 2021

The CyberScotland Technical Bulletin will provide you with information about the latest cyber threats, scams, news and updates.

This month’s topics include:

• Microsoft Patch Tuesday
• NSO Group’s Pegasus Spyware
• Oracle Issues Patch for Critical Vulnerabilities
• Microsoft Advises On Vulnerability Affecting Windows 10 And The Upcoming Windows 11

Technical Bulletin – June 2021

The CyberScotland Technical Bulletin will provide you with information about the latest cyber threats, scams, news and updates.

This month’s topics include:

• Microsoft Patch Tuesday
• Apple Zero-Day Urgent Patches
• Google Chrome Urgent Update for Exploited Zero-Day
• Linux Users Urged To Update After Root Level Security Flaw Found

Back to top of the page