CyberScotland Bulletin

Technical Bulletin – May 2021

The CyberScotland Technical Bulletin is designed to provide you with information about updates, exploits and countermeasures. 

Please subscribe to our CyberScotland mailing list to be notified by email when a new bulletin is published.


Microsoft Patch Tuesday

Microsoft released its monthly security update Tuesday 11th May 2021, disclosing 55 vulnerabilities across its suite of products.

A new update for Windows 10 known as “Version 21H1” was released on the 18th of May 2021. This update comes from Microsoft’s Semi-Annual update program which aims to release a new stable build every 6 months. Following this, as reported by Lansweeper.com, two previous Windows 10 updates have now reached end of life for security updates. These updates are “Version 1803”, “Version 1809” and “Version 1909”.

In all, there are 4 critical vulnerabilities as part of this release, and one considered of “moderate” severity. The remainder are all “important.”

As reported by dshield.org, the most notable critical vulnerability in this month’s Patch Tuesday is CVE-2021-31166, a remote code execution flaw in HTTP.sys that is triggered by sending a specially crafted HTTP request to a vulnerable Windows machine. Because the affected component ships with several versions of Windows, the flaw is rated critical.

This month’s security update provides patches for several other pieces of software, including Microsoft Office SharePoint, Microsoft Excel and Visual Studio.

SNORT rules are available for CVE-2021-26419, CVE-2021-31166, CVE-2021-31170, CVE-2021-31181 and CVE-2021-31188; the GIDs for these rules can be found here.

A full list of Microsoft’s May 2021 patches, with their CVE severities, scores, exploits and disclosures, can be found here: SANS Internet Storm Centre.


Adobe Patches

As reported by zerodayinitiative.com, Adobe has issued 12 patches addressing 44 CVEs in:

  • Experience Manager
  • InDesign, Illustrator
  • InCopy
  • Adobe Genuine Service
  • Acrobat and Reader
  • Magento
  • Creative Cloud Desktop
  • Media Encoder
  • After Effects
  • Medium
  • Animate

In the same report, it is noted that updating Acrobat and Reader should be your highest priority, as one of its 14 reported CVEs is currently being exploited in the wild. This vulnerability, and the others reported, could lead to code execution if a modified PDF were opened by an unsuspecting user. The other notable update is for InDesign: the vulnerabilities reported for this product can allow an attacker to execute code in the context of the current process, due to insufficient validation of user-supplied data.


Experts Warn About Ongoing AutoHotkey-Based Malware Attacks

It has been discovered that the scripting language known as AutoHotkey (AHK) is being used by malicious actors to spread remote access trojans (RATs). For context, AHK is a free scripting package that allows users to automate repetitive and mundane tasks on Microsoft Windows.

Thehackernews.com reports that at least four different versions of the campaign have been spotted, the earliest in February 2021. In the first version, the RAT was bundled into an AHK executable downloaded to the machine by the user; this version also disables Microsoft Defender using a batch script. The second version aims to block connections to widely used antivirus products by manipulating the hosts file so that the vendors’ domains resolve to the localhost IP address instead of their real addresses. In the third version, the RAT was delivered by an obfuscated VBScript, which launches a PowerShell command that retrieves the final C# payload from a paste service known as “stikked.ch”. The fourth and last version uses an AutoHotkey script to run a legitimate application before executing a VBScript that runs an in-memory PowerShell script to download and install the RAT.
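To illustrate the hosts-file trick used by the second variant from a defender’s side, here is an added detection example (not code from the bulletin or the report it cites): it parses a hosts file and flags watched domains mapped to loopback or blackhole addresses. The vendor suffix list and the sample hosts file are constructed for illustration.

```python
"""Flag hosts-file entries that sink security-vendor domains to loopback.

Added example, not from the CyberScotland bulletin. The watch-list and the
sample hosts file are constructed; extend WATCH_SUFFIXES with the update and
telemetry domains of the security products you actually run.
"""

# Addresses an attacker uses to blackhole a name: loopback (v4/v6) and 0.0.0.0.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

# Hypothetical watch-list of domain suffixes that should never resolve to
# loopback on a managed endpoint.
WATCH_SUFFIXES = ("microsoft.com", "windowsupdate.com", "example-av.com")


def parse_hosts(text):
    """Yield (lineno, ip, hostname) for every mapping, ignoring comments."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop inline and full-line comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield lineno, ip, name.lower().rstrip(".")


def find_sinkholed(text, suffixes=WATCH_SUFFIXES):
    """Return (lineno, ip, hostname) for watched domains mapped to LOOPBACK."""
    hits = []
    for lineno, ip, name in parse_hosts(text):
        watched = any(name == s or name.endswith("." + s) for s in suffixes)
        if ip in LOOPBACK and watched:
            hits.append((lineno, ip, name))
    return hits


# Constructed sample hosts file: lines 4 and 5 are the kind of tampering
# described above; the localhost and intranet entries are legitimate.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 update.example-av.com   # constructed: blocks AV updates
0.0.0.0   download.windowsupdate.com
10.0.0.5  intranet.corp.local
"""

if __name__ == "__main__":
    for lineno, ip, name in find_sinkholed(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip} (possible AV blocking)")
```

On Windows the file to read is %SystemRoot%\System32\drivers\etc\hosts; a hit is worth correlating with Defender tamper-protection events from the same host.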


Android Issues Patches for 4 New Zero-Day Bugs Exploited in the Wild

Google has updated its May 2021 Android Security Bulletin to announce that four of its previously patched CVEs have been exploited in the wild. As reported by bleepingcomputer.com, the exploitation was targeted and impacted a limited number of users. This information comes from the Android Security Bulletin May – 2021.

The CVEs are:

  • CVE-2021-1905
  • CVE-2021-1906
  • CVE-2021-28663
  • CVE-2021-28664

The CVEs mentioned appear to affect GPU driver components from Qualcomm and Arm Mali GPUs. It was noted that if CVE-2021-28663 and CVE-2021-28664 are successfully exploited, an attacker could potentially gain root-level privilege and/or disclose personal information on the device.

Thehackernews.com reports that it is not clear how the attacks were carried out, who was targeted, or which threat actors may be exploiting the CVEs. Android users are advised to update their devices as soon as possible.

CiSP – The Cyber Security Information Sharing Partnership

The Cyber Security Information Sharing Partnership (CiSP) is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and dynamic environment, increasing situational awareness and reducing the impact on UK […]


Scottish Information Sharing Network (SciNET Group)

SciNet is a community for Scottish businesses to engage on CiSP. The Cyber Security Information Sharing Partnership (CiSP) is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and […]


Early Warning Service

The NCSC provides a free service to organisations to inform them of threats against their network. This service will notify you of all cyber attacks detected by the feed suppliers against your organisation and is designed to complement your existing […]
