CyberScotland Bulletin

Technical Bulletin February 2024


The CyberScotland Technical Bulletin is designed to provide you with information about updates, exploits and countermeasures.

Please subscribe to our CyberScotland mailing list to be notified by email when a new bulletin is published.

Microsoft Patch Tuesday

In the February 2024 Patch Tuesday release, Microsoft addressed a total of 73 security issues, including two zero-day vulnerabilities that have been identified as currently being exploited. Among these updates, five have been classified as critical, covering vulnerability types such as denial of service, remote code execution, information disclosure, and elevation of privilege.

This month’s updates notably rectify two zero-day vulnerabilities that had either been publicly disclosed or actively exploited prior to an official patch being released. The vulnerabilities targeted in today’s patch include:

CVE-2024-21351: A vulnerability in the Windows SmartScreen function, which was being exploited to circumvent SmartScreen’s security measures.

CVE-2024-21412: A vulnerability in the handling of Internet Shortcut Files that allowed attackers to sidestep the Mark of the Web (MoTW) security warnings.

Microsoft has issued fixes for both vulnerabilities, improving the security of its Windows operating system. As a precautionary measure, users are advised to update their systems to the latest version to protect against these and other security threats.

AnyDesk Hacked

Recently, the developers behind the remote desktop application AnyDesk announced they had experienced a cybersecurity breach that resulted in the infiltration of their production systems.

In response to this incident and to prioritise security, AnyDesk has taken the precautionary step of resetting all passwords associated with their web portal, my.anydesk[.]com.

They are strongly advising users to update their passwords, especially if the same credentials are utilised across different online platforms. Additionally, AnyDesk recommends that users install the most recent version of the application, which includes an updated code signing certificate, to ensure enhanced security measures are in place.

Outlook Vulnerability which could leak NTLM passwords

A vulnerability in Microsoft Outlook was discovered that allows a threat actor to obtain NT LAN Manager (NTLM) version 2 hashed passwords when a victim opens a specially modified email attachment. The NTLM hashing mechanism is used to store user passwords on Windows platforms in a cryptographic form.

In an email-based attack scenario, an attacker could exploit this weakness by sending an email with a malicious attachment to a target and persuading them to open it. In a web-based attack scenario, an attacker could set up, or make use of an already compromised, website that permits or contains user-generated content to host the file intended to exploit this vulnerability. In either case, the attacker would need to entice users to click on a link, which could be embedded in a phishing email or sent through an instant messaging service, and then trick them into opening the compromised file.

The vulnerability, tracked as CVE-2023-35636, originates from a flaw within Outlook’s calendar-sharing functionality. An email can be crafted by including two specific headers, “Content-Class” and “x-sharing-config-url”, with manipulated values aiming to reveal the victim’s NTLM hash during the authentication process. Typically, NTLM v2 is employed for authentications within internal, IP-address based services. Nonetheless, when NTLM v2 hashes are transmitted over the public internet, they become susceptible to relay and offline brute-force attacks.

Users are strongly advised to ensure their systems are updated to the most current software release to mitigate such vulnerabilities.

CiSP – The Cyber Security Information Sharing Partnership

The Cyber Security Information Sharing Partnership (CiSP) is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and dynamic environment, increasing situational awareness and reducing the impact on UK […]


Scottish Information Sharing Network (SciNET Group)

SciNet is a community for Scottish businesses to engage on CiSP. The Cyber Security Information Sharing Partnership (CiSP) is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and […]
