CyberScotland Bulletin

Technical Bulletin July 2022

The CyberScotland Technical Bulletin is designed to provide you with information about updates, exploits and countermeasures.

Please subscribe to our CyberScotland mailing list to be notified by email when a new bulletin is published.

Section Windows Privilege Escalation Zero-Day fixed in July’s Patch Tuesday

Windows Privilege Escalation Zero-Day fixed in July’s Patch Tuesday

On 12 July Microsoft released a patch for a privilege escalation zero-day vulnerability in its Client Server Runtime Sub-System (CSRSS).

This vulnerability, tracked as CVE-2022-22047, affects all versions of Microsoft Windows and was fixed in July’s Patch Tuesday security updates. Attackers have already been detected exploiting this vulnerability to gain SYSTEM privileges, effectively allowing them the same privileges and access as the Windows Operating System, higher even than an Administrator account. This vulnerability does however require the attacker to gain an initial foothold on the victim’s system before it can be exploited.

Section Follina Exploitation Continues in New Phishing Campaign

Follina Exploitation Continues in New Phishing Campaign

The Windows RCE vulnerability dubbed Follina continues to be exploited by threat actors as a malware installation vector.

Fixed in June’s Patch Tuesday, this vulnerability has recently been spotted being used to download next-stage payloads from the Discord Content Delivery Network (CDN). This vulnerability is first exploited from an HTML file downloaded from the same CDN space by a malicious Microsoft Office document.

Section Microsoft rolls back plans to disable Office Macros by Default

Microsoft rolls back plans to disable Office Macros by Default

Just 5 months after Microsoft announced plans to disable Office VBA (Visual Basic for Applications) macros by default, the tech-giant has temporarily rolled back the changes to allow for “additional changes to enhance usability”.

Office macros are a common attack vector for Windows systems which attackers often leverage to deliver malicious payloads. Disabling macros by default for Office files downloaded from the internet is thought to be an effective method for preventing many common attacks. Without macros disabled by default, an attacker can social-engineer a victim into clicking the “Enable Content” button when opening an Office document, which allows any embedded VBA macros to execute.

example of malicious MS Word macro-prompt
Example of malicious Microsoft work macro-prompt (NCSC)

Section Increase in exploitation of unpatched WordPress page builder flaw

Increase in exploitation of unpatched WordPress page builder flaw

Microsoft has released details of a phishing campaign targeting more than 10,000 organisations, using fake landing pages to bypass the Office 365 authentication process.

These fake landing pages, dubbed “Adversary-in-the-middle” (AiTM) attacks, stole both the user’s credentials and their session cookies, then exploited the victims accounts to launch further Business Email Compromise (BEC) attacks against other organisations. These attacks also bypass certain forms of Multi-Factor Authentication (MFA) by directly hijacking the user’s session. Microsoft recommends using “phish-resistant” MFA with certificate based authentication to defend against this style of attack.

Overview of AiTM attack
Overview of AiTM attack (Microsoft)

CiSP – The Cyber Security Information Sharing Partnership

The Cyber Security Information Sharing Partnership (CiSP) is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and dynamic environment, increasing situational awareness and reducing the impact on UK […]

Read more CiSP – The Cyber Security Information Sharing Partnership in modal dialog

Scottish Information Sharing Network (SciNET Group)

SciNet is a community for Scottish Buisnesses to engage on CiSP. The Cyber Security Information Sharing Partnership (CiSP) is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and […]

Read more Scottish Information Sharing Network (SciNET Group) in modal dialog

Early Warning Service

The NCSC provides a free service to organisations to inform them of threats against their network. This service will notify you on all cyber attacks detected by the feed suppliers against your organisation and is designed to compliment your existing […]

Read more Early Warning Service in modal dialog
Scottish Business Resilience Centre
Back to top of the page