CyberScotland Bulletin

Technical Bulletin August 2023


The CyberScotland Technical Bulletin is designed to provide you with information about updates, exploits and countermeasures.

Please subscribe to our CyberScotland mailing list to be notified by email when a new bulletin is published.

Microsoft Patch Tuesday

In Microsoft’s Patch Tuesday for August 2023, they addressed a total of 87 security vulnerabilities. Notably, two zero-day vulnerabilities were being actively exploited and twenty-three were associated with remote code execution (RCE). Out of these RCE vulnerabilities, only six were classified by Microsoft as ‘Critical’ in terms of severity.

The CVE-2023-36884 vulnerability pertains to a remote code execution flaw. This flaw enables adversaries to generate specialized Microsoft Office documents, which can effectively bypass the Mark of the Web (MoTW) security feature. As a result, impacted files can be opened without triggering a security alert, thereby facilitating remote code execution. This vulnerability was actively exploited by the RomCom hacking group. Previously associated with the “Industrial Spy” ransomware campaigns, this group has since rebranded to “Underground”, maintaining its extortion-focused operations.
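To make the Mark of the Web mechanism that this flaw bypasses concrete, the following Python example (added here; not code from the bulletin, from Microsoft or from any cited research) parses the `Zone.Identifier` alternate data stream that Windows attaches to downloaded files and reports whether Office would treat the file as untrusted. The stream's INI layout and the zone numbering (0 local machine, 1 intranet, 2 trusted sites, 3 Internet, 4 restricted sites) are Windows' own; the sample stream contents below are constructed, and the assumption that zones 3 and 4 trigger Protected View is the usual Office behaviour rather than something the bulletin states.

```python
import configparser
from dataclasses import dataclass
from typing import Optional

# URL security zone numbers as written into the Zone.Identifier stream by Windows.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Assumption: files from these zones are opened by Office in Protected View.
UNTRUSTED_ZONES = {3, 4}


@dataclass
class MarkOfTheWeb:
    zone_id: int
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown zone {self.zone_id}")

    @property
    def untrusted(self) -> bool:
        return self.zone_id in UNTRUSTED_ZONES


def parse_zone_identifier(stream_text: str) -> Optional[MarkOfTheWeb]:
    """Parse the text of a Zone.Identifier stream; return None if it carries no usable MoTW."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(stream_text)
    except configparser.Error:
        # Not INI-shaped (no [ZoneTransfer] header, malformed lines): treat as no mark.
        return None
    if not parser.has_option("ZoneTransfer", "ZoneId"):
        return None
    section = parser["ZoneTransfer"]
    try:
        zone_id = int(section["ZoneId"])
    except ValueError:
        return None
    return MarkOfTheWeb(
        zone_id=zone_id,
        referrer_url=section.get("ReferrerUrl"),
        host_url=section.get("HostUrl"),
    )


def read_mark_of_the_web(path: str) -> Optional[MarkOfTheWeb]:
    """Read a file's Zone.Identifier stream on NTFS (Windows only); None means no mark present."""
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


# Constructed sample of what a browser writes for a file downloaded from the Internet zone.
SAMPLE_INTERNET_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/report.docx\r\n"
)

if __name__ == "__main__":
    mark = parse_zone_identifier(SAMPLE_INTERNET_STREAM)
    print(f"zone {mark.zone_id} ({mark.zone_name}), untrusted={mark.untrusted}, from {mark.host_url}")
```

The defensive point is the inverse of the parser: a document that arrived from the Internet but reaches Office with no `Zone.Identifier` stream at all (or with a zone below 3) is exactly the case the bulletin describes, so a file-drop or mail-gateway check that records the presence and zone of the stream alongside the download source gives an investigator something to compare against.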

Another noteworthy vulnerability is CVE-2023-38180, which impacts .NET applications and the Visual Studio environment, making them susceptible to a Denial of Service (DoS) attack. Microsoft has resolved this vulnerability, though the details about its exploitation and the party responsible for its discovery have not been disclosed.

Microsoft users are encouraged to install the most recent security patches promptly. For a deeper understanding and further details on these updates, users can refer to Microsoft’s official security update guide.

Security Vulnerabilities Identified in Ninja Forms WordPress Plugin

In a recent disclosure, several security vulnerabilities were identified in the Ninja Forms plugin, specifically designed for WordPress. These vulnerabilities could potentially be harnessed by malicious actors to elevate their privileges and gain unauthorized access to sensitive data. Here’s a breakdown of these flaws affecting versions 3.6.25 and earlier:

  • CVE-2023-37979 (CVSS score: 7.1): This vulnerability pertains to a POST-based reflected cross-site scripting (XSS) issue. It can enable an unauthenticated individual to escalate privileges on a targeted WordPress platform. This can be achieved by luring privileged users to visit a maliciously designed website.
  • CVE-2023-38386 & CVE-2023-38393: These vulnerabilities stem from improper access control mechanisms within the form submissions export functionality. As a result, malicious users with either ‘Subscriber’ or ‘Contributor’ roles can potentially export all Ninja Forms submissions available on a WordPress site.

Website administrators and users are encouraged to stay informed and update their plugins to mitigate the potential risks associated with these vulnerabilities.

OCR-Driven Android Malware “CherryBlos” Discovered

A newly identified strain of Android malware, CherryBlos, is utilising optical character recognition (OCR) capabilities. This malware’s primary objective is to extract sensitive data from images, specifically focusing on cryptocurrency wallet details. It is distributed primarily through deceptive posts on social media platforms.

Upon installation, CherryBlos actively solicits users for accessibility permissions. When these permissions are granted, it takes the liberty to autonomously grant itself even more, further embedding its presence on the compromised device. In a notable defence evasion tactic, users who attempt to remove or shut down the app by navigating to the Settings app are cleverly redirected to the main screen, effectively trapping the malware on the device.

However, what makes CherryBlos particularly nefarious is its two-pronged approach to cryptocurrency theft. First, it overlays deceptive screens atop genuine cryptocurrency wallet applications, enabling unauthorised fund transfers to attacker-controlled addresses. Second, and more uniquely, it deploys OCR capabilities. This allows CherryBlos to scan and recognise mnemonic recovery phrases from images stored on the device—targeting the common habit of users screenshotting their recovery phrases. Once identified, these phrases are periodically transmitted to an external server.

The increasing sophistication of such malware strains has not gone unnoticed by industry giants. Google, for instance, is aware of the risks posed by malicious developers and their propensity to exploit the Play Store. As a proactive measure, they’ve taken steps to reduce the misuse of accessibility APIs by rogue Android applications. The tech behemoth now prevents sideloaded apps from harnessing accessibility features in any capacity.

For users, this episode underlines the importance of vigilance. Downloading apps, especially from unverified sources, necessitates extreme caution. Always verifying developer credentials and perusing app reviews can be the first line of defence against such security risks.

Salesforce Zero-Day Used in Phishing Attacks

In a recent incident, experts discovered an undisclosed vulnerability in Salesforce’s email and SMTP services, which malicious actors exploited in a detailed phishing operation aimed at Facebook users.

Security specialists observed these threat actors using the genuine Salesforce infrastructure to dispatch phishing emails bearing the @salesforce.com suffix. Upon delving deeper, it was found that these individuals managed to exploit a lapse in Salesforce’s email validation mechanism. This allowed them to present themselves under the trusted banner of the domain, misleading both users and email security systems.

Interestingly, these emails were represented as being from “Meta Platforms” and integrated authentic links to Facebook, further amplifying their authenticity.

Upon interaction, a button steered recipients to a valid Facebook domain, apps.facebook.com. However, once there, the content was manipulated to convey alleged breaches of Facebook’s terms of service. Subsequent prompts then ushered users to a deceitful site designed to harvest personal data, such as full names, usernames, email addresses, phone numbers, and passwords.

The persistence and evolution of phishing techniques highlight the ongoing threat they pose. It remains essential for all users to exercise caution, especially when emails suggest unanticipated actions.
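The detection opportunity in the campaign above is the gap between what the message claims to be (a “Meta Platforms” notice) and the domain that actually sent it (@salesforce.com), which the genuine Facebook link does nothing to close. The Python example below (added here; not code from the bulletin or from Salesforce or Meta) parses a constructed message with the standard library, splits the From header into display name and address, flags a display name that invokes a brand whose expected sending domains do not include the sender's, and lists the link hosts so an analyst can see that legitimate destinations alone are not reassuring. The brand-to-domain table and both sample messages are constructed for the illustration.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed, illustrative table: brand keywords and the domains they are expected to send from.
BRAND_DOMAINS = {
    "meta": {"meta.com", "facebookmail.com", "facebook.com"},
    "facebook": {"meta.com", "facebookmail.com", "facebook.com"},
}


class LinkCollector(HTMLParser):
    """Collect href targets of <a> tags from an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def brand_mismatch(display_name: str, address: str):
    """Return the brand keyword found in the display name if the sender domain is not one of its own."""
    domain = sender_domain(address)
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name.lower():
            if not any(domain == d or domain.endswith("." + d) for d in domains):
                return brand
    return None


def analyse_message(raw_message: str) -> dict:
    """Parse one RFC 5322 message and return sender details, link hosts and any findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    findings = []
    brand = brand_mismatch(display_name, address)
    if brand:
        findings.append(
            f"display name claims '{brand}' but sender domain is {sender_domain(address)}"
        )
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    collector = LinkCollector()
    collector.feed(text)
    hosts = sorted({urlparse(h).hostname or "" for h in collector.hrefs})
    return {
        "from_name": display_name,
        "from_address": address,
        "link_hosts": hosts,
        "findings": findings,
    }


# Constructed sample modelled on the campaign described above (not a real captured message).
SAMPLE_PHISHING_EMAIL = """\
From: Meta Platforms <noreply@salesforce.com>
To: victim@example.invalid
Subject: Your page has violated our terms of service
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your page will be disabled unless you appeal within 24 hours.</p>
<a href="https://apps.facebook.com/example-app-id/">Appeal now</a>
</body></html>
"""

# Constructed benign counterpart: the brand name matches an expected sending domain.
SAMPLE_LEGIT_EMAIL = """\
From: Meta <security@facebookmail.com>
To: user@example.invalid
Subject: New login to your account
Content-Type: text/plain; charset="utf-8"

A new login was recorded. If this was not you, review your settings.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PHISHING_EMAIL, SAMPLE_LEGIT_EMAIL):
        print(analyse_message(sample))
```

The brand check is a substring heuristic and will need tuning in practice (a keyword like “meta” also appears in unrelated words), but it captures the property that SPF/DKIM cannot: the Salesforce mail was technically authentic for salesforce.com, so only the claimed identity versus the authenticated one reveals the problem.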

CiSP – The Cyber Security Information Sharing Partnership

The Cyber Security Information Sharing Partnership (CiSP) is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and dynamic environment, increasing situational awareness and reducing the impact on UK […]


Scottish Information Sharing Network (SciNET Group)

SciNet is a community for Scottish businesses to engage on CiSP. The Cyber Security Information Sharing Partnership (CiSP) is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and […]
