CyberScotland Bulletin

Technical Bulletin November 2021

The CyberScotland Technical Bulletin is designed to provide you with information about updates, exploits and countermeasures.

Please subscribe to our CyberScotland mailing list to be notified by email when a new bulletin is published.

Section Microsoft Patch Tuesday

Microsoft Patch Tuesday

Microsoft released its monthly security update on Tuesday the 9th of November 2021, remediating 55 vulnerabilities across its products. Six of the vulnerabilities are considered to be critical, but in particular, Microsoft have reported that they have seen active exploitation of two vulnerabilities addressed within this rollup. The remaining vulnerabilities have been rated as important.

CVE-2021-42321 relates to a remote code execution (RCE) vulnerability in Exchange Server. In order for an attacker to exploit the vulnerability, they need to need to be able to authenticate with the service, so these are not as severe as the very commonly exploited ‘ProxyShell’ and ‘ProxyLogon’ vulnerabilities. See the reference provided for identifying whether the vulnerability has been exploited, which can be performed after installing the update.

The other vulnerability that has been observed to be exploited in the wild is CVE-2021-42292, which correlates to a security bypass in Microsoft Excel that allows remote code execution on both Windows and MacOS operating systems. A patch does not appear to be available for MacOS at this time.

The update also includes four hotfixes for Active Directory, one of which (KB5008380) has been highlighted to potentially cause issues in June 2022 if inconsistent patching is in effect across Domain Controllers.

See list for breakdown of all vulnerabilities identified in this security update: Microsoft November 2021 Patch Tuesday (

Section Ransomware Update

Ransomware Update

In September, vxunderground reported that the source code of the Babuk ransomware was leaked by one of the developers. As the Babuk source code included decryption keys, Avast released a decryptor for this ransomware in October. Avast has also released decryptors for AtomSilo and LockBit.

In October, Conti group, known for their “double extortion” ransomware, appeared to have deviated from their current business model in that they were attempting to broker access to victims. Digital Shadows suggest that this may be due the issues associated with hosting exfiltrated data either on dark web or file-sharing sites.

Section Apple Security Updates

Apple Security Updates

Apple released security updates across their products between the 25th and 27th of October 2021. Namely iOS (22 vulnerabilities), iOS 15.1, macOS Big Sur (24 vulnerabilities), 11.6.1 and macOS Monterey (40 vulnerabilities), 12.0.1. Four vulnerabilities were also addressed within the latest Safari security update.

iOS 14.8.1 is also available to users that do not wish to upgrade to iOS 15. The 14.8.1 update fixes 12 vulnerabilities.

The security updates for both Big Sur and Monterey address a vulnerability identified in macOS System Integrity Protection (SIP), dubbed ‘Shrootless’. The mechanism intends to protect the system by prohibiting changes to files and folders, even if attempted by the root user. The flaw could allow an attacker to bypass the mitigation allowing them to install rootkits.

Section Palo Alto Global Protect VPN Security Update

Palo Alto Global Protect VPN Security Update

Palo Alto networks has issued a security advisory regarding a critical vulnerability identified in older versions of its products.

Organisations that have PAN-OS firewalls with versions between 8.1 < 8.1.17 are vulnerable to a remote code execution vulnerability which would allow complete control over the device, could be exploited by an unauthenticated attacker, provident the GlobalProtect portal and gateways are enabled.

At this point in time, there is no publicly available exploit code, nor has there been any evidence to suggest this has been exploited in the wild. Given the prevalence of exploitation in network device vulnerabilities in 2019, this could change.

Section Other Announcements

Other Announcements

Also this month, Microsoft released Sysmon for Linux, an enhanced monitoring and logging tool for collecting system activity useful for SIEM ingestion. Microsoft also announced ‘Microsoft Defender for Business’ for public preview, which offers some of the same enterprise grade features found in its EDR product, but at a price point that may be more accessible for SMBs.

CiSP – The Cyber Security Information Sharing Partnership

The Cyber Security Information Sharing Partnership (CiSP) is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and dynamic environment, increasing situational awareness and reducing the impact on UK […]

Read more CiSP – The Cyber Security Information Sharing Partnership in modal dialog

Scottish Information Sharing Network (SciNET Group)

SciNet is a community for Scottish Buisnesses to engage on CiSP. The Cyber Security Information Sharing Partnership (CiSP) is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and […]

Read more Scottish Information Sharing Network (SciNET Group) in modal dialog

Early Warning Service

The NCSC provides a free service to organisations to inform them of threats against their network. This service will notify you on all cyber attacks detected by the feed suppliers against your organisation and is designed to compliment your existing […]

Read more Early Warning Service in modal dialog
Scottish Business Resilience Centre
Back to top of the page