CyberScotland Bulletin

Technical Bulletin May 2024

Technical Bulletins

The CyberScotland Technical Bulletin is designed to provide you with information about updates, exploits and countermeasures.

Please subscribe to our CyberScotland mailing list to be notified by email when a new bulletin is published.

Microsoft Patch Tuesday

This month’s release of Microsoft Patch Tuesday saw a total of 61 vulnerabilities, with most of the vulnerabilities in the Elevation of Privilege Vulnerabilities and the Remote Code Execution Vulnerabilities. The distribution of all the vulnerabilities is:

  • 17 Elevation of Privilege
  • 2 Security Bypass
  • 27 Remote code Execution
  • 7 Information Disclosure
  • 3 Denial-of-Service
  • 4 Spoofing

This release also included 2 zero-day vulnerabilities:

  • CVE-2024-30040: Windows MSHTML Platform Security Feature Bypass: This vulnerability bypasses OLE mitigations in Microsoft 365 and Microsoft Office. This could allow an unauthenticated attacker to execute malicious code by convincing the user to open a malicious document. The attacker could execute arbitrary code with user permissions.
  • CVE-2024-30051: Windows DWM Core Library Elevation of Privilege: This vulnerability could allow an attacker to gain SYSTEM Privileges if exploited successfully.

Dev Popper Attack

A new social engineering attack has been targeting developers. It abuses the trust of applicants in the job application process, with attackers posing as employers offering a job as a software developer. During the interview they ask the candidates to download and run a “standard coding task” from a GitHub repository.

This file downloaded is a ZIP archive that contains an NPM package that will download an obfuscated Python script. From there the python RAT (Remote Access Trojan) will start collecting and sending system information to the command-and-control server.

Some of the functionalities of the RAT, as reported by Securonix, include:

  • Persistent connection to the infected device for the attacker to maintain ongoing control.
  • File system commands to search for, meaning the RAT can be used to search for specific files or types of files on the infected device.
  • Remote command execution capabilities for exploiting vulnerabilities and malware deployment.
  • Direct FTP data exfiltration from high-interest folders such as Documents and Downloads
  • Clipboard and keystroke logging to monitor user activity and possibly capture credentials

This type of attack reminds us that even the knowledgeable and technical individuals are potential targets and victims to cyber attacks

Cuttlefish malware infects routers to monitor traffic for credentials

A new malware called Cuttlefish has started infecting enterprise-grade and small office/home office routers to monitor data and authentication information passing through them.

Although the method of infection is unknown, it is possible that it exploits known vulnerabilities by brute-forcing credentials. After infection the primary payload (“.timezone”) is loaded into the memory to avoid detection.

Once executed the malware uses a packet filter to monitor traffic coming from each of the connections on the router. If it detects specific data it will perform a particular action depending on the rules that were set by the attacker from the command-and-control server.

This allows the attacker to bypass the security measures set on the network like endpoint monitoring or network segmentation. Some protective measure that organisations can take to defend themselves from the threat are:

  • Eliminate the presence of weak and default credentials on the network
  • Monitor unusual logins from residential IPs
  • Secure traffic with TLS/SSL

It is also recommended to reboot devices and apply the latest firmware updates.

Back to top of the page