The CyberScotland Technical Bulletin is designed to provide you with information about updates, exploits and countermeasures.
Please subscribe to our CyberScotland mailing list to be notified by email when a new bulletin is published.
Microsoft Patch Tuesday
As usual, Microsoft released their patches on the second Tuesday of the month. This month's release fixed a total of 60 flaws, including 24 elevation of privilege vulnerabilities and 18 remote code execution vulnerabilities. Fortunately, no zero-day vulnerabilities were disclosed.
A couple of interesting vulnerabilities that were patched are:
- CVE-2024-26199: This vulnerability is a Microsoft Office Elevation of Privilege Vulnerability. It allowed any authenticated user to gain SYSTEM privileges, granting them the ability to run commands and install software that would require these privileges without needing to log in.
- CVE-2024-20671: This vulnerability is the Microsoft Defender Security Bypass. If successfully exploited, this vulnerability could allow an authenticated attacker to prevent Microsoft Defender from starting. It has been fixed in version 4.18.24010.12 of the Antimalware Platform, which is automatically installed on Windows devices.
Fortinet Warns of Critical Vulnerabilities
In mid-March, Fortinet announced a patch for a critical vulnerability in its FortiClient Enterprise Management System (EMS), the service administrators use to manage endpoints on an enterprise network. The vulnerability was reported by the NCSC and Fortinet developer Thiago Santana.
The vulnerability is tracked as CVE-2023-48788. It is caused by an SQL injection flaw in the DB2 Administration Server component, which was developed by IBM. It affects EMS versions 7.0.1 through 7.0.10 and 7.2.0 through 7.2.2, and could allow an unauthenticated attacker to execute code or commands through specially crafted requests.
During the same period, Fortinet also patched a CSV injection vulnerability, CVE-2023-47534, which allowed attackers to execute commands and code on vulnerable systems. It affects FortiClientEMS versions 7.2.0 through 7.2.2, 7.0.0 through 7.0.10, 6.4.0 through 6.4.9, 6.2.0 through 6.2.9, and 6.0.0 through 6.0.8.
Fortinet flaws are regularly exploited by malicious actors to breach corporate networks for ransomware attacks and cyber-espionage. If you use any Fortinet products, it is recommended that you update to the latest versions.
SmartScreen Bypass vulnerability used to install DarkGate malware on victim devices
As covered in the previous technical bulletin, Microsoft's Patch Tuesday provided a fix for CVE-2024-21412, a vulnerability that allows attackers to bypass the Microsoft SmartScreen warning that appears when a user attempts to install software or perform actions requiring administrator privileges.
The bypass uses a Windows Internet Shortcut (.url) file that points to a second .url file hosted on a remote server or SMB share. That second shortcut in turn points to an executable, which runs automatically without triggering the SmartScreen warning. As previously mentioned, this vulnerability was patched last month.
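The shortcut chain described above leaves a recognisable artefact on disk: a .url file whose target is a remote location ending in another .url (or an executable type). The following triage helper, added here as an example and not code from the bulletin or from Microsoft, parses the INI-style [InternetShortcut] format and flags that pattern so an analyst can prioritise files quarantined from mail gateways or downloads folders. The sample shortcut contents and the 198.51.100.7 address are constructed for illustration; the remote-target and extension heuristics are assumptions for this example, not a Microsoft-documented detection.

```python
"""Triage helper: flag Internet Shortcut (.url) files that chain to a remote
shortcut or executable. Example code, not part of the bulletin; the heuristics
below are assumptions chosen for illustration."""
import configparser
from typing import Optional
from urllib.parse import urlparse

# File types that should not be the target of a shortcut fetched from outside
# the host (assumed list for this example).
RISKY_EXTENSIONS = {".url", ".exe", ".msi", ".scr", ".bat", ".cmd",
                    ".hta", ".js", ".vbs", ".lnk"}
REMOTE_SCHEMES = {"http", "https", "ftp"}


def parse_url_shortcut(text: str) -> Optional[str]:
    """Return the URL= value from the [InternetShortcut] section, or None.

    .url files are INI-style; configparser lower-cases option names, so the
    key is looked up as 'url'. strict=False tolerates duplicated keys that
    some writers emit.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return cp.get(section, "url", fallback=None)
    return None


def is_remote(url: str) -> bool:
    """True for web schemes, file:// URLs with a host (SMB/UNC) or bare UNC paths."""
    if url.startswith("\\\\"):
        return True
    parsed = urlparse(url)
    if parsed.scheme in REMOTE_SCHEMES:
        return True
    return parsed.scheme == "file" and bool(parsed.netloc)


def target_extension(url: str) -> str:
    """Lower-cased extension of the final path component, '' if none."""
    path = urlparse(url).path.lower().replace("\\", "/")
    name = path.rsplit("/", 1)[-1]
    return "." + name.rsplit(".", 1)[-1] if "." in name else ""


def assess_shortcut(text: str) -> dict:
    """Classify one .url file's contents as 'high', 'low' or 'unparsed'."""
    url = parse_url_shortcut(text)
    if url is None:
        return {"url": None, "risk": "unparsed",
                "reasons": ["no URL= value in [InternetShortcut]"]}
    reasons = []
    ext = target_extension(url)
    if is_remote(url) and ext == ".url":
        reasons.append("remote shortcut-to-shortcut chain (CVE-2024-21412 pattern)")
    elif is_remote(url) and ext in RISKY_EXTENSIONS:
        reasons.append(f"remote target with executable type {ext}")
    return {"url": url, "risk": "high" if reasons else "low", "reasons": reasons}


# Constructed sample shortcut contents (not real captures).
SAMPLE_CHAIN = "[InternetShortcut]\nURL=file://198.51.100.7/share/second.url\n"
SAMPLE_EXE = "[InternetShortcut]\nURL=http://198.51.100.7/update.exe\n"
SAMPLE_BENIGN = "[InternetShortcut]\nURL=https://www.cyberscotland.com/\n"
SAMPLE_LOCAL = "[InternetShortcut]\nURL=file:///C:/Users/Public/notes.url\n"

if __name__ == "__main__":
    for label, sample in [("chain", SAMPLE_CHAIN), ("exe", SAMPLE_EXE),
                          ("benign", SAMPLE_BENIGN), ("local", SAMPLE_LOCAL)]:
        result = assess_shortcut(sample)
        print(f"{label:7} {result['risk']:5} {result['url']} {result['reasons']}")
```

A shortcut whose target is a local path is rated low here because the bypass depends on the second hop being fetched from a remote server or share; tune the extension list to your own environment's tolerance, and treat a hit as a reason to look at the referenced host, not as proof of compromise on its own.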
This exploit is known for having been used by the hacking group Water Hydra to drop the DarkMe malware onto target systems. More recently it has also been used by multiple hacking groups to deliver the DarkGate malware. DarkGate is a malware family with keylogging and information-stealing capabilities that can also give the attacker real-time remote access to the device.
The delivery method is a phishing campaign in which the victim is sent a PDF file containing malicious links. These redirect to a compromised web server, which in turn redirects to a server controlled by the attackers. That final server hosts an MSI file that installs the malware on the target device.
The recommendation is to install the latest Windows patches.